David Boreham wrote:
Paxton, Darren wrote:
> Unfortunately, our current strategy is to have Active Directory as
> the single Directory for user management so as to make our Service
> Desk more efficient. We also have a policy of removing all single
> points of failure from within our enterprise, therefore I was looking
> at having two windows sync agreements from two Fedora Master servers
> to two different members of the same Active Directory.
You can configure this setup, but I don't think it'll quite work.
Bad things such as loops between the AD replication and
FDS replication can occur. Ulf Weltman did some investigation
on this a while back. You might be able to find his comments
in the list archive.
This is the configuration I debugged: In a configuration with two DS in
MMR (M1 and M2) and two AD in the same domain (AD1 and AD2), M1 is
configured to sync with AD1 and M2 to sync with AD2, and password sync
on AD1 pointing to M1 and on AD2 pointing to M2, we have a ring
configuration with good availability.
From what I hear it went into use with a couple of limitations:
Dual winsync paths results in LDAP ADD collision on AD
Dual winsync paths results in LDAP DEL collision on DS