DC Demotion Question
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
Could one of those provide redundancy for AD in a 1 server scenario?
Save some licensing costs?
Samba4 can, but doesn't do the LDAP portion that he needs.
-
@tiagom said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@tiagom said in DC Demotion Question:
It is single dependency as i understand it. If AD goes down i cant use a LDAP query again it.
That's one dependency. But you depend on LDAP as well. What if LDAP goes down?
AD needs LDAP, LDAP needs AD. It's an "and" not an "or".
Maybe im missing something but..
I have the service and AD(/DC). The service uses a ldap query's against AD.
If the service goes down well then we never get to authenticate. If AD goes down the service will still try to authenticate but fail.
Oh, you are hitting AD directly, not talking to an LDAP server? Commonly for non-AD enabled services people use federation for AD to sync to LDAP and then they hit LDAP directly. Like with FreeIPA.
-
@scottalanmiller There's the disconnect.
Yup hitting AD directly.
I see interesting, i haven't been in that scenario. Is that the only way to do it, or just the most common?
-
@tiagom said in DC Demotion Question:
@scottalanmiller There's the disconnect.
Yup hitting AD directly.
I see interesting, i haven't been in that scenario. Is that the only way to do it, or just the most common?
Definitely not the only way, but I think it is more common. Many systems, like Linux boxes, talk to LDAP natively and it works really smoothly.
-
Cool, the services that i deal with all (luckily) talk to LDAP natively.
-
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
Could one of those provide redundancy for AD in a 1 server scenario?
Save some licensing costs?
Samba4 can, but doesn't do the LDAP portion that he needs.
In my scenario, thinking about going down to one AD ... could Samba work here for redundancy if the AD server goes down while I am away?
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
Could one of those provide redundancy for AD in a 1 server scenario?
Save some licensing costs?
Samba4 can, but doesn't do the LDAP portion that he needs.
In my scenario, thinking about going down to one AD ... could Samba work here for redundancy if the AD server goes down while I am away?
In theory, and maybe someone will show me the exception, you should never have Samba4 mixed in with Windows AD DCs, it makes no sense. If you are okay with the limitations and management of Samba4 then you would use it across the board. If you are unwilling to accept those limitations then you would have Windows AD DCs across the board. You'd never mix and match as you take all of the limitations of Samba if you use any Samba, and you take on the cost of WIndows if you use any Windows. So it is always all one or all the other even though they you could mix them.
-
@BRRABill said in DC Demotion Question:
In my scenario, thinking about going down to one AD ... could Samba work here for redundancy if the AD server goes down while I am away?
So in your example you would do either....
- Replace Windows with Samba4 and stop paying for Windows entirely or...
- Put in two Samba4 servers for redundancy for free.
-
Well there needs to be an open source AD replication product.
Where's my EASY BUTTON.
-
@BRRABill said in DC Demotion Question:
Well there needs to be an open source AD replication product.
Where's my EASY BUTTON.
There is... Samba4. It just doesn't make any sense to only use it once. If you are willing to have it at all, why would you even consider keeping Windows?
-
@scottalanmiller said
There is... Samba4. It just doesn't make any sense to only use it once. If you are willing to have it at all, why would you even consider keeping Windows?
Would I have all the same users and security and stuff as I currently do?
Need to keep Windows servers for the immediate time being.
-
@BRRABill said in DC Demotion Question:
Would I have all the same users and security and stuff as I currently do?
It's a 100% replacement. No lost features.
-
@BRRABill said in DC Demotion Question:
Need to keep Windows servers for the immediate time being.
Why?
-
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Would I have all the same users and security and stuff as I currently do?
It's a 100% replacement. No lost features.
Really. Interesting.
So I could just replace my AD with Samba4?
Is there some sort of migration tool?
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Would I have all the same users and security and stuff as I currently do?
It's a 100% replacement. No lost features.
Really. Interesting.
So I could just replace my AD with Samba4?
Yes! As long as you've not moved your forest past 2008R2.
-
@BRRABill said in DC Demotion Question:
Is there some sort of migration tool?
There is no migration. You just add Samba to the domain and remove Windows. You are not migrating to or from anything.
-
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Would I have all the same users and security and stuff as I currently do?
It's a 100% replacement. No lost features.
Really. Interesting.
So I could just replace my AD with Samba4?
Yes! As long as you've not moved your forest past 2008R2.
Does being on 2003 count?
-
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Is there some sort of migration tool?
There is no migration. You just add Samba to the domain and remove Windows. You are not migrating to or from anything.
What? That can't be possible.
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Is there some sort of migration tool?
There is no migration. You just add Samba to the domain and remove Windows. You are not migrating to or from anything.
What? That can't be possible.
Seriously, it's a full AD server, it's not an alternative, it's a drop in replacement of AD 2008R2.
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Would I have all the same users and security and stuff as I currently do?
It's a 100% replacement. No lost features.
Really. Interesting.
So I could just replace my AD with Samba4?
Yes! As long as you've not moved your forest past 2008R2.
Does being on 2003 count?
Yup, Samba4 would be a three step upgrade in base AD functionality level for you.
