DC Demotion Question
-
Varies on the service. But some of them can have engineers or our manufacturing floor at a standstill.
-
@tiagom said in DC Demotion Question:
Varies on the service. But some of them can have engineers or our manufacturing floor at a standstill.
Can't you replicate those services on other servers and leave AD singular?
-
Why isn't there an open source product that can replicate AD? That would solve all our problems!
-
The services authenticate against AD using LDAP.
-
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
-
@tiagom said in DC Demotion Question:
The services authenticate against AD using LDAP.
So you have double dependencies, if either AD or LDAP fails everything goes down?
-
I happened to have spare licenses already in house, so it was the "simplest" solution.
-
It is a single dependency as I understand it. If AD goes down I can't use an LDAP query against it.
-
@tiagom said in DC Demotion Question:
It is a single dependency as I understand it. If AD goes down I can't use an LDAP query against it.
That's one dependency. But you depend on LDAP as well. What if LDAP goes down?
AD needs LDAP, LDAP needs AD. It's an "and" not an "or".
-
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
Could one of those provide redundancy for AD in a 1 server scenario?
Save some licensing costs?
-
@scottalanmiller said in DC Demotion Question:
@tiagom said in DC Demotion Question:
It is a single dependency as I understand it. If AD goes down I can't use an LDAP query against it.
That's one dependency. But you depend on LDAP as well. What if LDAP goes down?
AD needs LDAP, LDAP needs AD. It's an "and" not an "or".
Maybe I'm missing something but...
I have the service and AD (/DC). The service uses LDAP queries against AD.
If the service goes down, well, then we never get to authenticate. If AD goes down the service will still try to authenticate but fail.
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
Could one of those provide redundancy for AD in a 1 server scenario?
Save some licensing costs?
Samba4 can, but doesn't do the LDAP portion that he needs.
-
@tiagom said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@tiagom said in DC Demotion Question:
It is a single dependency as I understand it. If AD goes down I can't use an LDAP query against it.
That's one dependency. But you depend on LDAP as well. What if LDAP goes down?
AD needs LDAP, LDAP needs AD. It's an "and" not an "or".
Maybe I'm missing something but...
I have the service and AD (/DC). The service uses LDAP queries against AD.
If the service goes down, well, then we never get to authenticate. If AD goes down the service will still try to authenticate but fail.
Oh, you are hitting AD directly, not talking to an LDAP server? Commonly for non-AD enabled services people use federation for AD to sync to LDAP and then they hit LDAP directly. Like with FreeIPA.
-
@scottalanmiller There's the disconnect.
Yup hitting AD directly.
I see, interesting. I haven't been in that scenario. Is that the only way to do it, or just the most common?
-
@tiagom said in DC Demotion Question:
@scottalanmiller There's the disconnect.
Yup hitting AD directly.
I see, interesting. I haven't been in that scenario. Is that the only way to do it, or just the most common?
Definitely not the only way, but I think it is more common. Many systems, like Linux boxes, talk to LDAP natively and it works really smoothly.
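Added example (not from this thread or any of its posters): what a native LDAP client does when it is given more than one domain controller. It builds an LDAPv3 simple BindRequest in BER using only the Python standard library, tries each DC in order, and returns the result code from the first one that answers, which is how a second DC removes the single point of failure discussed above. The host names, bind DN and password are placeholders; the `connect` parameter exists so the failover logic can be exercised without a live DC.

```python
# Added example (not from the thread): minimal LDAPv3 simple-bind probe with
# failover across several domain controllers, standard library only.
# Host names, ports and credentials below are placeholders.
import socket


def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Wrap content in a BER tag-length-value triple."""
    return bytes([tag]) + ber_length(len(content)) + content


def bind_request(message_id, bind_dn, password):
    """Build an LDAPMessage carrying a BindRequest (RFC 4511 section 4.2):
    SEQUENCE { messageID INTEGER, [APPLICATION 0] SEQUENCE {
        version INTEGER 3, name LDAPDN, authentication [0] simple OCTET STRING } }"""
    version = ber_tlv(0x02, b"\x03")
    name = ber_tlv(0x04, bind_dn.encode("utf-8"))
    simple = ber_tlv(0x80, password.encode("utf-8"))  # context tag [0], primitive
    protocol_op = ber_tlv(0x60, version + name + simple)  # APPLICATION 0, constructed
    # Positive INTEGER: one extra byte whenever the top bit would be set.
    msg_id = ber_tlv(0x02, message_id.to_bytes(message_id.bit_length() // 8 + 1, "big"))
    return ber_tlv(0x30, msg_id + protocol_op)


def ber_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(buf):
    """Extract resultCode from a BindResponse ([APPLICATION 1]).
    0 is success, 49 is invalidCredentials."""
    tag, message, _ = ber_read(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = ber_read(message)             # skip messageID
    tag, response, _ = ber_read(message, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = ber_read(response)           # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def bind_with_failover(servers, bind_dn, password,
                       connect=socket.create_connection, timeout=3.0):
    """Try each (host, port) in order; return (host, resultCode) from the first
    DC that answers. With two DCs listed, losing one is not an outage.
    Plain port 389 sends the simple-bind password in the clear: wrap the socket
    with ssl (636) or use StartTLS in a real deployment."""
    failures = {}
    for host, port in servers:
        try:
            with connect((host, port), timeout=timeout) as sock:
                sock.sendall(bind_request(1, bind_dn, password))
                return host, bind_result_code(sock.recv(4096))
        except OSError as exc:
            failures[host] = str(exc)   # unreachable DC: move on to the next one
    raise ConnectionError(f"no domain controller answered: {failures}")


if __name__ == "__main__":
    dcs = [("dc1.example.local", 389), ("dc2.example.local", 389)]  # placeholders
    print(bind_with_failover(dcs, "CN=svc,OU=Service,DC=example,DC=local", "placeholder"))
```

Pointing a service at a list of DCs in this way is the LDAP-side equivalent of having two DCs: the client keeps working as long as any one of them answers. It does nothing for the service itself, so a service that only runs on one box is still a single point of failure for its own users.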
-
Cool, the services that I deal with all (luckily) talk to LDAP natively.
-
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
Could one of those provide redundancy for AD in a 1 server scenario?
Save some licensing costs?
Samba4 can, but doesn't do the LDAP portion that he needs.
In my scenario, thinking about going down to one AD ... could Samba work here for redundancy if the AD server goes down while I am away?
-
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
@scottalanmiller said in DC Demotion Question:
@BRRABill said in DC Demotion Question:
Why isn't there an open source product that can replicate AD? That would solve all our problems!
There is. Samba4 functions as AD completely. LDAP will replicate it, like FreeIPA.
Could one of those provide redundancy for AD in a 1 server scenario?
Save some licensing costs?
Samba4 can, but doesn't do the LDAP portion that he needs.
In my scenario, thinking about going down to one AD ... could Samba work here for redundancy if the AD server goes down while I am away?
In theory, and maybe someone will show me the exception, you should never have Samba4 mixed in with Windows AD DCs, it makes no sense. If you are okay with the limitations and management of Samba4 then you would use it across the board. If you are unwilling to accept those limitations then you would have Windows AD DCs across the board. You'd never mix and match as you take all of the limitations of Samba if you use any Samba, and you take on the cost of Windows if you use any Windows. So it is always all one or all the other even though you could mix them.
-
@BRRABill said in DC Demotion Question:
In my scenario, thinking about going down to one AD ... could Samba work here for redundancy if the AD server goes down while I am away?
So in your example you would do either....
- Replace Windows with Samba4 and stop paying for Windows entirely or...
- Put in two Samba4 servers for redundancy for free.
-
Well there needs to be an open source AD replication product.
Where's my EASY BUTTON.