Slave Server as RODC

Is it normal that a slave server with samba4/role set to RODC, as indicated in docs.software-univention.de/windows-4.0.html, prevents the Samba replication (home folders) and prevents the user from logging in to that server if they never logged in before the role was set to RODC?

It shouldn’t prevent user logins. What do you exactly mean by saying that it prevents home folder replication?

I will try to explain it better.

Scenario 1:
Master DC and Slave DC (networks 192.168.100.X and 192.168.200.X)
User xpto1 logs on to a Windows computer (network 100.X). The folder /home/xpto1 is created on both servers (via Samba DRS, I guess).
User xpto2 logs on to a Windows computer (network 200.X). The folder /home/xpto2 is created on both servers (via Samba DRS, I guess).

Scenario 2:
Master DC and Slave DC with role RODC (networks 192.168.100.X and 192.168.200.X)
Change the slave role to RODC, running the join scripts again.
User xpto1 logs on to a Windows computer (network 100.X). The folder still exists on both servers.
User xpto2 logs on to a Windows computer (network 200.X). The folder still exists on both servers.
Create user xpto3 on the Master DC.
User xpto3 logs on to a Windows computer (network 200.X). The folder is created on the master DC and is not replicated/created on the slave server; the user is logged in on the master DC and not on the slave, which is the nearer domain controller.

Maybe I’m wrong, but I’m assuming that the user can’t log in to the slave server because the folder doesn’t exist…

Home directories aren’t synchronized between UCS servers, no matter the setup. The usual way to share home directories across multiple servers is to use NFS mounts from a central server to the other ones.

Note that home directories aren’t created when the user is created either. Instead they’re created on a server the first time a user logs in on that server. This is done via a Linux PAM module called pam_mkhomedir.so. Such a login can be e.g. an SSH login, IMAP, or access to the server via Windows networking (= Samba).

In that case, what is the best way to save the Windows settings for that user?

If the user logs on to server1, the user folder with the Windows directory will be created… but then when they log on to another server a brand new home folder and Windows folder will be created too… If I don’t misunderstand what you said, what is the correct approach in that case so that users keep their settings?

There is a tool for converting a user profile to another domain called User Profile Wizard. I’ve used it in the past for converting local profiles to domain profiles, but it should be able to convert domain profiles from one domain to another if I remember correctly. You’ll have to run it on each Windows client and for each user account on said client.

You should also consider using only one server for your users’ home directories, e.g. by configuring the file server used for the user’s home directory. You could also consider using roaming profiles; that way you could have a centralized backup that actually includes all Windows users’ profile directories.

The question is:

The servers are in different geo locations, so the objective is to have a slave server in the remote location that should be the “main” domain controller and file server for the users of that location.

I understand that user1, who is in local2, should be logged on to the slave server (local2) instead of the main server (local1), or am I wrong?

Have you actually checked the values of the “Windows home path” setting for each of the users you’re experimenting with?

I checked, and I put in the IP of local2, but the problem I reported is that with RODC the user “never” logs in to the slave server, and therefore the home folder is never created…

I checked this after having everything working, and then I created a new user that will be in local2, so I set the Windows home folder path to the local2 server IP address, and then the problem began, because the home folder wasn’t created; it was only created on the server in local1.

I think I don’t fully understand the situation. :slight_smile:

  1. User logons should be possible against an RODC slave - if this isn’t the case, it’s a bug.
  2. If you have two geo locations and want users from place A to log in at server A and users from place B to log in at server B, this is a typical site configuration. So you can simply achieve this by creating two new sites and placing the servers underneath. Unfortunately we don’t have documentation for this - please have a look at wiki.samba.org/index.php/Active_Directory_Sites
  3. Do you really need an RODC slave?

Hi

What I want is exactly that, but with some steroids :smiley:

I only want to have one domain.
I don’t want users from local B to have to keep their files in local A; the sites are connected via VPN, but I don’t want them to always depend on that.
I want to have in local B a slave server (or RODC) so that, in case the logon server in local A fails, users from local A can still log on, and in the inverse order, I want users in local B to be able to log in even if the server in local B is down.

Yes, I’m aware that if the server in local B is down, the users don’t have their files; because of that problem, I do the backups over the VPN at night.

Maybe the sites situation you refer to should do the trick… but I don’t see that in the Univention docs… so I’m searching and trying what I can to do what I intend… I don’t even know if I’m doing it the right way or if it is possible.

If I use the site model and the server in site B is down, can the users from that site still log on using site A?

Thanks.

Yes, this would be done in a failover situation, right.
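A way to picture the site-based failover described in this answer, as an added example that is not part of the thread or of UCS/Samba: it maps the two networks from the scenario to sites and picks a DC the way a site-aware client would, falling back to the other site's DC when the local one is down. Site names, DC hostnames and the reachability set are constructed for illustration.

```python
# Added example (not from the thread): models how AD site/subnet mapping picks
# the "nearest" domain controller for a client and falls back to other sites
# when the local DC is unreachable. Site names, hostnames and the reachability
# set are constructed for illustration.
import ipaddress

# Constructed site definitions, matching the two networks from the scenario.
SITES = {
    "SiteA": {"subnets": ["192.168.100.0/24"], "dcs": ["master.example.lan"]},
    "SiteB": {"subnets": ["192.168.200.0/24"], "dcs": ["slave-rodc.example.lan"]},
}


def site_for_client(client_ip, sites=SITES):
    """Return the site whose subnet contains client_ip, or None if unassigned."""
    addr = ipaddress.ip_address(client_ip)
    for name, site in sites.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in site["subnets"]):
            return name
    return None


def locate_dc(client_ip, reachable, sites=SITES):
    """Pick a DC like a site-aware client would: own site first, then any other.

    `reachable` is a constructed set of DC hostnames currently answering.
    Returns (dc_hostname, is_failover); is_failover is True when the chosen DC
    lies outside the client's own site. Returns (None, False) if nothing answers.
    """
    home = site_for_client(client_ip, sites)
    ordered = []
    if home is not None:
        ordered.extend(sites[home]["dcs"])
    for name, site in sites.items():
        if name != home:
            ordered.extend(site["dcs"])
    for dc in ordered:
        if dc in reachable:
            in_home_site = home is not None and dc in sites[home]["dcs"]
            return dc, not in_home_site
    return None, False


if __name__ == "__main__":
    # xpto3 in local2 normally logs on to the slave and only reaches the
    # master over the VPN when the slave is down.
    print(locate_dc("192.168.200.50", {"master.example.lan", "slave-rodc.example.lan"}))
    print(locate_dc("192.168.200.50", {"master.example.lan"}))
```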
