Ns8-samba: DC Providers for cluster apps

I have some doubts about the purpose of additional DC providers on the same node and how to use them. It seems they can be used only by other cluster apps.

Only one domain controller in the AD domain can be configured with a LAN IP address and serves Authentication, Shares and DNS to Windows clients. Other DCs are bound to the cluster private VPN and are accessible only to cluster applications. (source)

After installing a local AD provider, adding a second DC provider shows these info/warning messages:

File shares and authentication to Windows clients cannot be enabled because they are already configured on another provider of this domain

The new provider will be configured on the VPN IP address 10.5.4.1

But trying to proceed with the configuration ends with a validation error and an unconfigured provider:

Address 127.0.0.1:53 bind failed: [Errno 98] Address already in use

  • What are the requirements to configure them?
  • Can additional DC providers for apps be installed on the same node, or is it just for other cluster nodes?
  • Example use cases?

AFAIK, from what I’ve heard, AD is one per node only!
And the FileServer at the moment goes with AD, so also only one per node.

No further info, AFAIK.

My 2 cents
Andy

Only Nethesis devs/architects can answer this properly, or a skilled and proven community dev with in-depth technical knowledge of the code and architecture design.

Additional DCs on the same node are not possible.

Any cluster node can host one DC at most, no matter its AD domain.

As you can see, when you try to start a second instance on the same node, a port conflict occurs:

Address 127.0.0.1:53 bind failed: [Errno 98] Address already in use

Only one DC in the Samba AD domain can be bound to a LAN address and play the role of DC and File Server for Windows clients. This limitation is imposed by the missing SYSVOL replica feature in Samba.

1 Like
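The bind failure quoted above is the kind of conflict an administrator can detect before configuring a second provider. The following pre-flight check is an added example written for this thread, not code from NS8 or Samba: it tries to bind the listener ports an AD DC uses on the node (the port list is an assumption drawn from standard AD services; 53 is the one in the error message) and reports which are already taken, using the same `EADDRINUSE` condition that produced the `[Errno 98]` error.

```python
"""Pre-flight port check for adding a Samba AD DC provider to a node.

Added example, not NS8 or Samba code. It probes, for each port an AD DC
binds, whether the address is already in use, i.e. whether a second DC
instance on this node would fail with "[Errno 98] Address already in use".
"""
import errno
import socket

# Assumed: listener ports an AD DC binds on the node (DNS, Kerberos, LDAP,
# SMB, LDAPS). Only 53 appears in the error message from the thread.
AD_DC_PORTS = {
    53: "dns",
    88: "kerberos",
    389: "ldap",
    445: "smb",
    636: "ldaps",
}


def probe(host, port, proto):
    """Return True if host:port is already bound for proto ('tcp' or 'udp'),
    False if this process could bind it, None if we lack privilege to tell
    (privileged port probed as non-root)."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, kind)
    try:
        # No SO_REUSEADDR on purpose: we want the same answer a real daemon
        # would get when it tries to take the port.
        s.bind((host, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True  # this is "[Errno 98] Address already in use"
        if e.errno in (errno.EACCES, errno.EPERM):
            return None  # cannot probe a privileged port without root
        raise
    finally:
        s.close()


def find_conflicts(host="127.0.0.1", ports=AD_DC_PORTS):
    """Map each port that is already bound to the protocols it is bound on."""
    conflicts = {}
    for port in ports:
        busy = [p for p in ("tcp", "udp") if probe(host, port, p) is True]
        if busy:
            conflicts[port] = busy
    return conflicts


def open_test_listener(host="127.0.0.1"):
    """Helper for demonstration: hold an ephemeral TCP port so the check has
    something to detect. Returns (socket, port); close the socket when done."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Demonstration with a constructed conflict: hold one port, then scan it.
    holder, port = open_test_listener()
    print("constructed conflict:", find_conflicts(ports={port: "demo"}))
    holder.close()

    # Real scan of the AD DC ports on this node.
    busy = find_conflicts()
    if busy:
        for port, protos in sorted(busy.items()):
            print(f"port {port} ({AD_DC_PORTS[port]}) already bound on {protos}")
        print("a second DC provider on this node would fail to start")
    else:
        print("no AD DC port conflicts found on 127.0.0.1")
```

Run it as root to probe the privileged ports; as an unprivileged user those ports report `None` from `probe` and are left out of the result rather than reported as free.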

For those asking:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

My 2 cents
Andy

That I understood from the documentation and UI messages, but I don’t know why I misread what followed,

…interpreting that there was the possibility of some kind of limited dc/fileserver inside the VPN usable only between apps.

Cluster-admin allows the attempt to install multiple DC providers on the same node …even if it fails. But researching a bit shows the team is aware of it:

Sorry for the noise 🙂

@davidep do you plan to implement one of the workarounds mentioned in the link by Andy? To my understanding, in a system like NS8 all the information is available to set up the rsync tasks automatically.
I have operated such a setup with two DCs syncing sysvol via rsync, it works without any issues.

No, because it opens the way to a new complex scenario: a multi-site Active Directory domain is difficult to support and too far from the current project goals. NS7 provides a single site AD, and NS8 does the same.

As written in a past thread, the way is still open for a standalone Samba File Server module instead, but as you can read in the last release announcement, it will not be for the next release.

1 Like

This is unfortunately very true. A 2-way sync, for, say, 2 ADs, is fairly easy to get working. With 3 the logic becomes complicated; above 4 it is almost impossible…

To make things more difficult, MS has changed the underlying file system protocol several times since the simple NT Domain. At the moment DFS is used.

A one-way sync like this may work, but doesn’t provide real “cover” if a DC barfs and the other needs to be promoted… Does the code take this into consideration or not? A plethora of questions opens up.
In other words, providing for a second DC doesn’t really provide a real failover as an MS DC does.

My 2 cents
Andy

Hi Andy,

you get a master-master setup with two fully synced DCs. Failover works automatically: you can take out any of the DCs at any time and everything just continues to work. There might be a small delay until the client notices that one DC is no longer responding, but it is handled transparently and no interaction is needed.
This is great for redundancy. You can e.g. easily do maintenance tasks on one server while the network just continues to function with the other DC.

I understand, however, the concerns regarding multi-site setups and going beyond two DCs. That will increase complexity significantly and is probably beyond the scope of NethServer.

2 Likes