[Samba] Secondary domain controller and promotion
Brian Candler
2014-06-17 09:00:03 UTC
I see the instructions about setting up a secondary domain controller at
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC but I am unclear
on several points. I'm familiar with Kerberos/LDAP/DNS but not Windows
administration.

(1) This document talks about adding Samba as a slave to "an existing
Active Directory domain" (presumably running Windows).

Is it the same process to add a second Samba machine to an existing
Samba 4 domain?

(2) Is there any sort of 'master-slave' relationship between the
original DC and the one you added later? Or is it a full multi-master
setup? (except for Sysvol replication that is)

If the original is 'master' then how would you go about promoting the
second one in the event the first one fails?

(3) If the original server needs to be removed permanently, how do you
"unjoin" it from the domain, e.g. so that the new master doesn't attempt
to replicate to it any more

(4) Is it possible to migrate a Windows 2003 domain to Samba 4 by:
- adding Samba 4 to the existing Windows domain
- making it the master
- copying sysvol
- retiring the Windows server?

Thanks,

Brian.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Marc Muehlfeld
2014-06-17 19:10:01 UTC
Hello Brian,
Post by Brian Candler
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC
(1) This document talks about adding Samba as a slave to "an existing
Active Directory domain" (presumably running Windows).
It's not saying that it will be a slave. AD DCs are multi-master. Besides
the FSME roles, each DC is equal.
Post by Brian Candler
Is it the same to process to add a second Samba machine to an existing
Samba 4 domain?
No.

DC:
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Joining_the_existing_domain_as_a_DC
# samba-tool domain join .....


Member Servers:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Joining_a_Member_Server_to_the_domain
# net [rpc|ads] join -U administrator
Post by Brian Candler
(2) Is there any sort of 'master-slave' relationship between the
original DC and the one you added later? Or is it a full multi-master
setup? (except for Sysvol replication that is)
See above.
Post by Brian Candler
If the original is 'master' then how would you go about promoting the
second one in the event the first one fails?
The clients find the DCs via DNS entries. See:
http://standalonelabs.wordpress.com/2011/05/08/what-is-the-_msdcs-subdomain/

Your AD will continue working, even if the DC is temporarily offline. The
only "limitations" will occur if this DC holds one or more of the 5
FSMO roles. See:
https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles

Just an example of what happens if a DC with a FSMO role is down
(almost nothing, in most cases :-)): Let's say it was the DC with the RID
master role that is down: Each DC has a pool of (500, if I'm right)
RIDs it can use, e.g. when a new user is created. If the RID master is
down, then if the pool of your second DC is empty, you can't create new
users or join machines on this DC any more. If you have more DCs, then
you have to create the next users on a different DC, because each DC
has a separate RID pool. And when all pools on all DCs are used up, then
you can't create new things in your domain that use RIDs, until the RID
master comes back, to let the others ask it for new ranges for their RID
pools.
Post by Brian Candler
(3) If the original server needs to be removed permanently, how do you
"unjoin" it from the domain, e.g. so that the new master doesn't attempt
to replicate to it any more
If the machine is still alive to demote itself, you're in luck:
https://wiki.samba.org/index.php/Demote_a_Samba_DC

BUT: If the machine is completely broken, you have a huge problem!
Demoting foreign machines is not implemented in samba-tool yet. And
demoting the Windows way IS BROKEN:
https://bugzilla.samba.org/show_bug.cgi?id=10595
So currently there is no way to remove this machine.
Post by Brian Candler
- adding Samba 4 to the existing Windows domain
- making it the master
- copying sysvol
- retiring the Windows server?
Almost:
- adding a Samba DC to the existing domain
- copy sysvol
- demote the windows server



Regards,
Marc
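The RID pool behaviour Marc describes above, as an added simulation written for this thread (it is not Samba code). The pool size of 500 is the figure from the post; the starting RID of 1000, the three-DC layout and the omission of the pre-fetching a real DC does when its pool is half used are assumptions of the model.

```python
"""Simplified model of RID allocation in an AD domain, showing why an outage
of the RID master only bites once a DC's own local pool runs dry.

Added example for this thread, not Samba code.  Assumptions: pools of 500
RIDs (the default size mentioned in the post), first RID 1000, and no
pre-fetching of the next pool (a real DC asks for it at roughly 50% usage).
"""

POOL_SIZE = 500      # assumption: size of one RID block from the RID master
FIRST_RID = 1000     # assumption: RIDs below 1000 are reserved for well-known principals


class RidMaster:
    """The single DC holding the RID master FSMO role."""

    def __init__(self):
        self.next_rid = FIRST_RID
        self.online = True

    def allocate_pool(self):
        """Hand out the next block of POOL_SIZE RIDs, or fail if offline."""
        if not self.online:
            raise ConnectionError("RID master unreachable")
        lo = self.next_rid
        self.next_rid += POOL_SIZE
        return (lo, self.next_rid - 1)


class DomainController:
    """Any other DC: it creates principals from its own pool and only talks
    to the RID master when that pool is exhausted."""

    def __init__(self, name, master):
        self.name = name
        self.master = master
        self.pool = None        # (low, high), inclusive
        self.next_rid = None

    def remaining(self):
        """RIDs still available locally without contacting the RID master."""
        if self.pool is None:
            return 0
        return self.pool[1] - self.next_rid + 1

    def new_principal(self):
        """Return the RID for a new user/group/computer, or None if this DC
        cannot issue one right now (pool empty and RID master unreachable)."""
        if self.remaining() == 0:
            try:
                self.pool = self.master.allocate_pool()
            except ConnectionError:
                return None
            self.next_rid = self.pool[0]
        rid = self.next_rid
        self.next_rid += 1
        return rid


def outage_headroom(dcs):
    """How many more RID-consuming objects the domain can create while the
    RID master is down: the sum of what is left in every DC's local pool."""
    return sum(dc.remaining() for dc in dcs)


def run_scenario():
    """DC1 holds the RID master role; DC2 and DC3 create objects, then DC1
    goes down.  Returns the observable results as a dict."""
    master = RidMaster()                        # lives on DC1 (constructed)
    dc2 = DomainController("DC2", master)
    dc3 = DomainController("DC3", master)
    rids = [dc2.new_principal() for _ in range(3)] + [dc3.new_principal()]
    master.online = False                       # DC1 goes down
    headroom = outage_headroom([dc2, dc3])
    created_on_dc2 = 0
    while dc2.new_principal() is not None:      # drain DC2's local pool
        created_on_dc2 += 1
    result = {
        "initial_rids": rids,
        "headroom_at_outage": headroom,
        "created_on_dc2_during_outage": created_on_dc2,
        "dc2_after_pool_empty": dc2.new_principal(),   # None: needs the master
        "dc3_still_has": dc3.remaining(),              # DC3 can carry on
    }
    master.online = True                        # RID master comes back
    result["dc2_after_master_back"] = dc2.new_principal()
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the two things the post states: the domain keeps issuing RIDs from whatever is left in each DC's own pool (DC3 is unaffected while DC2 is stuck), and the moment the RID master is reachable again the stuck DC gets a fresh block and continues.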
Brian Candler
2014-06-17 21:20:03 UTC
Post by Marc Muehlfeld
AD DC are multi-master.
Thank you for your extremely helpful reply.

I have two test Samba4 AD VMs configured now and can see multi-master
replication working.
Post by Marc Muehlfeld
Besides
the FSME roles, each DC is equal.
(For list reference: that's FSMO)
Post by Marc Muehlfeld
Post by Brian Candler
Is it the same to process to add a second Samba machine to an existing
Samba 4 domain?
No.
https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Joining_the_existing_domain_as_a_DC
# samba-tool domain join .....
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Joining_a_Member_Server_to_the_domain
# net [rpc|ads] join -U administrator
Ah, maybe I wasn't clear. What I meant was "add another Samba machine to
be a replica Active Directory server to an existing Samba Active
Directory domain".

Is the process the same whether the initial Active Directory server
is Windows AD or Samba AD?

I have now successfully added a second Samba AD following
"Join_a_domain_as_a_DC", so I guess that answers my question :-)

<< snip lots of useful stuff >>
Post by Marc Muehlfeld
Post by Brian Candler
- adding Samba 4 to the existing Windows domain
- making it the master
- copying sysvol
- retiring the Windows server?
- adding a Samba DC to the existing domain
- copy sysvol
... migrate all FSMO roles to Samba ...
Post by Marc Muehlfeld
- demote the windows server
Cool. And I'm presuming that "demote the windows server" would be done
using the ADUC tool, and Samba would pick up that change automatically?

Cheers,

Brian.
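The "migrate all FSMO roles to Samba" step in the procedure above, as an added example written for this thread (not part of Samba or the wiki): it reads `samba-tool fsmo show` output, lists which roles the departing DC still holds, and prints the `samba-tool fsmo transfer` (or, for a dead DC, `seize --force`) commands to run on the Samba DC before the old one is demoted. The sample output is constructed; the `"<Role> owner: CN=NTDS Settings,CN=<DC>,..."` line format and the `--role=` names are assumptions to check against your own samba-tool version.

```python
"""Plan the FSMO hand-over before retiring a DC.

Added example for this thread, not part of Samba.  The sample
`samba-tool fsmo show` output is constructed, and the line format plus the
--role= names for `samba-tool fsmo transfer|seize` are assumptions.
"""
import re

# Constructed sample: a mixed domain in which the old Windows 2003 DC still
# holds three of the five roles and the new Samba DC holds two.
SAMPLE_FSMO_SHOW = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=WIN2003DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=WIN2003DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=WIN2003DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
"""

# Role label as printed by `fsmo show` -> value for --role= (assumed names)
ROLE_FLAGS = {
    "SchemaMasterRole": "schema",
    "InfrastructureMasterRole": "infrastructure",
    "RidAllocationMasterRole": "rid",
    "PdcEmulationMasterRole": "pdc",
    "DomainNamingMasterRole": "naming",
}

# The owner is the NTDS Settings object under the DC's server object, so the
# second CN= component is the DC's short name.
_OWNER_RE = re.compile(r"^(\w+Role) owner: CN=NTDS Settings,CN=([^,]+),")


def parse_fsmo_show(text):
    """Map each role label to the short name of the DC that owns it."""
    owners = {}
    for line in text.splitlines():
        m = _OWNER_RE.match(line)
        if m:
            owners[m.group(1)] = m.group(2)
    return owners


def roles_held_by(owners, dc):
    """Sorted --role= names of the roles held by `dc` (case-insensitive)."""
    return sorted(ROLE_FLAGS[role] for role, owner in owners.items()
                  if role in ROLE_FLAGS and owner.upper() == dc.upper())


def plan_retirement(owners, leaving_dc, alive):
    """Commands to run on the DC that is to take the roles over.

    While the old DC is still reachable a clean `transfer` is used; if it
    is already dead the only option is `seize --force`, which rewrites the
    role owner without the old DC's consent.  Either way, nothing should be
    left on the departing DC before it is demoted."""
    verb = "transfer" if alive else "seize"
    suffix = "" if alive else " --force"
    return [f"samba-tool fsmo {verb} --role={flag}{suffix}"
            for flag in roles_held_by(owners, leaving_dc)]


def safe_to_demote(owners, leaving_dc):
    """True only when the departing DC holds no FSMO role any more."""
    return not roles_held_by(owners, leaving_dc)


if __name__ == "__main__":
    owners = parse_fsmo_show(SAMPLE_FSMO_SHOW)
    print("Run on SAMBADC1 before demoting WIN2003DC:")
    for cmd in plan_retirement(owners, "WIN2003DC", alive=True):
        print("  " + cmd)
    print("safe to demote now:", safe_to_demote(owners, "WIN2003DC"))
```

After running the printed commands, feed a fresh `samba-tool fsmo show` back through `parse_fsmo_show` and only demote when `safe_to_demote` returns True; a role left on a DC that then disappears is exactly the situation (RID master gone, pools draining) described earlier in the thread.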
Marc Muehlfeld
2014-06-18 05:40:02 UTC
Post by Brian Candler
Post by Marc Muehlfeld
Besides
the FSME roles, each DC is equal.
(For list reference: that's FSMO)
Oops. Typo. :-)
Post by Brian Candler
Post by Marc Muehlfeld
Post by Brian Candler
- adding Samba 4 to the existing Windows domain
- making it the master
- copying sysvol
- retiring the Windows server?
- adding a Samba DC to the existing domain
- copy sysvol
... migrate all FSMO roles to Samba ...
Post by Marc Muehlfeld
- demote the windows server
Cool. And I'm presuming that "demote the windows server" would be done
using the ADUC tool, and Samba would pick up that change automatically?
It should. I'm not sure if demoting via ADUC is completely broken or a
Windows DC can demote itself. I haven't tried it with a Windows Server
yet. But if you can give feedback, it would be great and I can add a
note to the Wiki.


Regards,
Marc