Active Directory BDC/slave role

(Markus Neuberger) #21

A very bad scenario for a Windows admin is when users cannot log in in the morning because the DC is down and they have nothing to do except call in and ask when the problem will be solved. This is the reason why admins like a second DC, just to have logins working if the first DC fails.
So the little advantage to hotsync in this case is the automatic failover, possible because of the AD structure serving different logon servers.

You are right, it would make much more sense to have a full backup of all services, not only the AD DC, but it’s a single point of failure affecting all users, and Windows admins are used to it.

What about combining hotsync with a read-only DC, or making them work on the same server?

Could the read-only DC be a starting point to an AD migration scenario?

(Davide Principi) #22

Again, please do not talk of “read-only” DC: it’s confusing me :slight_smile: If we go with the Samba wiki sysvol replication method, based on rsync, we need to talk of “master” and “slaves”.

After reading a bit of the Samba-specific “RODC” deployment I understand it is not for us because it can’t do authentication (at the moment).

Apart from that, yes: any DC can be used as starting point to substitute another one. This is another story…

(Rob Bosch) #23

IMO the result of the effort should be to be able to have multiple DCs in the network and be able to move FSMO roles from the first DC to any other DC. This is not only to have redundant DC functionality, but also a strong point when you have to migrate to other hardware without a HUGE backup/restore effort for the users and devices on your network.

Scenario: you have an old server with the DC role. You get a new server and also give it the DC role by joining the same domain. Then transfer the FSMO roles to the new DC. Install all services on the 2nd server that were provided by the first server, and finally demote the first server as DC. So you can safely remove an old server from the network.

(fpausp) #24

Yes please… :+1:

(Alessio Fattorini) #25

I guess there is a good chance it happens. In this case, do the slaves take over?

That’s an interesting scenario. Is it doable with this feature @davidep?

(Davide Principi) #26

Hopefully, yes :slight_smile:

(Markus Neuberger) #27

The other DCs take over and serve the logins if a DC goes down.

(Davide Principi) #28

I could be wrong, but IIRC it’s up to the client to choose an alternative DC, by querying the DNS.

(Markus Neuberger) #29

That’s technically totally right, my version was very reduced.

(Davide Principi) #30

I’m not a Windows sysadmin, but if so, I guess it’s really important to configure the clients with more than one DNS, otherwise the failover can’t work (if DNS=broken DC)… Can anybody confirm?

(Dominik) #31

If I am right, based on my NS7 AD config:
one server is serving DHCP and the second one is AD. On the DHCP server, in DNS Server → Advanced options, in the “DNS Servers” field, I have the first server pointed to my AD controller and the second to the gateway.
If I am right, if we put there: IP_of_1AD, IP_of_2AD, it should work.

(Davide Principi) #32

Yes, if the gateway is NethServer itself; not sure otherwise, because it must be configured to resolve AD DNS zones correctly.

Yes, it can work.

We must also take into account that the DHCP is not NethServer in other scenarios.

(Dominik) #33

I have got some WiFi routers which have different IP ranges, but on them I have set the DHCP/DNS config to point at my NS7AD and it worked → I mean AD users could access their shared dirs etc., because Windows machines, if they don’t find an AD controller, allow the user to log on, but there are no shared dirs (I have it configured via GPO).
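
The DNS dependency discussed in posts #28 to #32, as an added example that is not part of the thread or of NethServer: a shell check that asks each DNS server handed to clients for the DC locator SRV record `_ldap._tcp.dc._msdcs.<domain>` and reports which DCs it returns. The domain and resolver addresses in the usage line are placeholders, and `dc_targets` and `check_failover` are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed inputs: the AD DNS domain and the
# resolver IPs clients receive (for instance from DHCP). Requires `dig`.
DIG=${DIG:-dig}   # overridable so the logic can be exercised without a network

# Print the DC host names one resolver returns for the DC locator SRV record.
# $1 = resolver IP, $2 = AD DNS domain
dc_targets() {
    # `dig +short` SRV lines look like: "priority weight port target."
    "$DIG" +short +time=2 +tries=1 "@$1" SRV "_ldap._tcp.dc._msdcs.$2" 2>/dev/null |
        awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print tolower($4) }' |
        sort -u
}

# $1 = AD DNS domain, remaining args = resolver IPs in the order clients get them.
# Prints one line per resolver. Returns 0 only when at least two resolvers each
# list at least two DCs, so losing one DC/DNS host still leaves a usable path.
check_failover() {
    domain=$1; shift
    good=0
    for r in "$@"; do
        dcs=$(dc_targets "$r" "$domain")
        if [ -z "$dcs" ]; then
            echo "$r: no SRV answer (down, or does not resolve the AD zone)"
            continue
        fi
        n=$(printf '%s\n' "$dcs" | grep -c .)
        echo "$r: $n DC(s): $(printf '%s' "$dcs" | tr '\n' ' ')"
        if [ "$n" -ge 2 ]; then good=$((good + 1)); fi
    done
    [ "$good" -ge 2 ]
}

# Usage: sh check_dc_failover.sh ad.example.com 192.0.2.10 192.0.2.11
[ "$#" -lt 2 ] || check_failover "$@"
```

A resolver that reports "no SRV answer" while it is otherwise up is the case raised in post #32: it is reachable but not configured to resolve the AD DNS zone.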