On 1/17/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I inherited a Windows server that is acting as an AD domain controller. It is
> a terrible POS and is constantly having problems.

I've found a lot of Windows servers are that way. I suspect that reflects
the quality of both Windows itself and your typical Windows system operator.

> My question was originally "Can I have a Samba server over there act as a PDC
> for them using the same Windows Domain".

Well, strictly speaking, you never asked *that*. :)

The answer to *that* is a firm "no". You cannot have two Primary Domain
Controllers in the same NTLM domain.

You *did* ask if you could have a single NTLM domain, with your home-office
Samba as the PDC and the remote-office Samba acting as a BDC. The short
answer to that is "yes". For the full treatment, see the Samba HOWTO:

http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html

As I've said, I've never really done anything much with LDAP, so I've never
done most of the stuff that talks about. But heck, I can at least RTFHOWTO,
which is apparently more than most people around here do. ;-)

In the case of a single NTLM domain, with a single Samba PDC at the home
office and a Samba BDC at the remote site, regular user authentication
traffic at the remote site should use the BDC at that site. Password changes
and account modifications (including machine trust account auto-updates)
will have to go to the PDC (over the WAN), though.

> That question came about because it was brought to my attention that there
> will be traveling between here and there quite often, and re-configuring
> their laptops for a different windows domain is a PITA.

As I mentioned, it should -- *in theory* -- be possible to have two NTLM
domains -- one for each site. Each site's NTLM domain would have the Samba
PDC for that domain at that site. You can optionally have a BDC for either
NTLM domain at either site as well. Tie both NTLM domains into a single LDAP
domain using different LDAP contexts in Samba. Establish NTLM trust
relationships between the two NTLM domains.

In that case, most of the traffic for a site stays at that site. The site's
domain's PDC is local, so there is no cross-WAN traffic to update the PDC for
the site's domain. LDAP would still have to replicate over the WAN, but I
assume you consider that acceptable. No need to disjoin/rejoin laptops. A
member of one NTLM domain can use authentication data from any trusted NTLM
domain. If you have a BDC for the other site's domain at each site, then a
visitor's authentication traffic would stay local. The only time a visitor's
NTLM domain traffic would cross the WAN is for a password change or other
account update. Without BDCs, all visitor NTLM domain traffic would cross the
WAN, but maybe that's not common enough for you to worry about.

Again, this is all in theory. Check it first. :-)

-- 
Ben "Google Local doesn't know where 'theory' is. Darn." Scott

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
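A concrete rendering of the single-domain design Ben sketches above (one Samba PDC at the home office, one Samba BDC at the remote site, both backed by one LDAP directory so the BDC can answer logons locally while writes still go to the PDC's LDAP master), with the two-domain trust variant noted at the end. This is an added illustration, not configuration from Ben's message, the original poster, or the Samba HOWTO. The domain name EXAMPLE, the host names, the file paths and the LDAP suffix dc=example,dc=com are assumptions; adjust them to the real environment and check each setting against the smb.conf(5) of the Samba version actually deployed.

```ini
# --- Samba PDC at the home office: /etc/samba/smb.conf (assumed path) ---
# Comments in smb.conf must sit on their own line; a ';' or '#' after a
# value becomes part of the value.
[global]
   workgroup = EXAMPLE
   netbios name = HOMEPDC
   security = user
   domain logons = yes
   # Exactly one server per NTLM domain may be domain master (the PDC).
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65
   # Accounts live in LDAP rather than smbpasswd/tdbsam so the BDC can
   # read the same user, group and machine trust accounts.
   passdb backend = ldapsam:ldap://ldap-master.home.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   # Bind DN; its password is stored with 'smbpasswd -w <secret>', not here.
   ldap admin dn = cn=Manager,dc=example,dc=com
   # Without TLS the bind DN password and password hashes cross the wire
   # in clear, which matters once LDAP replication runs over the WAN.
   ldap ssl = start tls
   # Machine trust accounts are created on the PDC when a workstation joins.
   add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %u
   logon path = \\%L\profiles\%U
   logon drive = H:

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700

# --- Samba BDC at the remote site: /etc/samba/smb.conf ---
[global]
   # Same domain name, and the same domain SID: fetch it from the PDC
   # once with 'net rpc getsid' before starting this BDC.
   workgroup = EXAMPLE
   netbios name = REMOTEBDC
   security = user
   domain logons = yes
   # A BDC never claims the domain master role.
   domain master = no
   local master = yes
   preferred master = yes
   os level = 65
   # Read from a local LDAP replica so routine logons at the remote site
   # never cross the WAN. Writes (password changes, machine account
   # updates) are refused by a read-only replica; the replica's updateref
   # points at the master, so those go over the WAN, as Ben describes.
   passdb backend = ldapsam:ldap://ldap-replica.remote.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start tls
   # Milliseconds Samba waits after a write before re-reading, to give
   # master-to-replica replication time to catch up.
   ldap replication sleep = 1000

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes

# --- Two-domain variant (one NTLM domain per site, joined by a trust) ---
# Give each site's PDC its own workgroup (say HOME and REMOTE) and its own
# 'ldap suffix' under one LDAP tree, e.g. dc=home,dc=example,dc=com and
# dc=remote,dc=example,dc=com, then set up the interdomain trust with 'net':
#   on the trusted domain's PDC (HOME):
#       net rpc trustdom add REMOTE <trust-password> -U root
#   on the trusting domain's PDC (REMOTE):
#       net rpc trustdom establish HOME
#   check from either side:
#       net rpc trustdom list -U root
# Repeat with the roles swapped for a two-way trust.
```

Two things to verify before relying on this: that both controllers report the same domain SID (`net getlocalsid` on each), since a BDC with a different SID silently produces a second domain; and that the replica's LDAP server actually refuses writes and hands back a referral to the master, otherwise a password change accepted by the replica never reaches the PDC and the two sites drift apart.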