4.2. Dissection and Discussion The example you are building in this chapter is of a network design that works, but this does not make it a design that is recommended. As a general rule, there should be at least one Backup Domain Controller (BDC) per 150 Windows network clients. The principle behind this recommendation is that correct operation of MS Windows clients requires rapid network response to all SMB/CIFS requests. The same rule says that if there are more than 50 clients per domain controller, they are too busy to service requests. Let's put such rules aside and recognize that network load affects the integrity of domain controller responsiveness. This network will have 500 clients serviced by one central domain controller. This is not a good omen for user satisfaction. You, of course, address this very soon (see Chapter 5, "Making Happy Users"). 4.2.1. Technical Issues Stan has talked you into a horrible compromise, but it is addressed. Just make certain that the performance of this network is well validated before going live. Design decisions made in this design include the following: A single PDC is being implemented. This limitation is based on the choice not to use LDAP. Many network administrators fear using LDAP because of the perceived complexity of implementation and management of an LDAP-based backend for all user identity management as well as to store network access credentials. Because of the refusal to use an LDAP (ldapsam) passdb backend at this time, the only choice that makes sense with 500 users is to use the tdbsam passwd backend. This type of backend is not receptive to replication to BDCs. If the tdbsam passdb.tdb file is replicated to BDCs using rsync, there are two potential problems: (1) data that is in memory but not yet written to disk will not be replicated, and (2) domain member machines periodically change the secret machine password. When this happens, there is no mechanism to return the changed password to the PDC. All domain user, group, and machine accounts are managed on the PDC. This makes for a simple mode of operation but has to be balanced with network performance and integrity of operations considerations. A single central WINS server is being used. The PDC is also the WINS server. Any attempt to operate a routed network without a WINS server while using NetBIOS over TCP/IP protocols does not work unless on each client the name resolution entries for the PDC are added to the LMHOSTS. This file is normally located on the Windows XP Professional client in the C:\WINDOWS\SYSTEM32\ETC\DRIVERS directory. At this time the Samba WINS database cannot be replicated. That is why a single WINS server is being implemented. This should work without a problem. BDCs make use of winbindd to provide access to domain security credentials for file system access and object storage. Configuration of Windows XP Professional clients is achieved using DHCP. Each subnet has its own DHCP server. Backup DHCP serving is provided by one alternate DHCP server. This necessitates enabling of the DHCP Relay agent on all routers. The DHCP Relay agent must be programmed to pass DHCP Requests from the network directed at the backup DHCP server. All network users are granted the ability to print to any printer that is networkattached. All printers are available from each server. Print jobs that are spooled to a printer that is not on the local network segment are automatically routed to the print spooler that is in control of that printer. The specific details of how this might be done are demonstrated for one example only. The network address and subnetmask chosen provide 1022 usable IP addresses in each subnet. If in the future more addresses are required, it would make sense to add further subnets rather than change addressing.
4.2.2. Political Issues This case gets close to the real world. You and I know the right way to implement domain control. Politically, we have to navigate a minefield. In this case, the need is to get the PDC rolled out in compliance with expectations and also to be ready to save the day by having the real solution ready before it is needed. That real solution is presented in Chapter 5, "Making Happy Users". |
