Hi again all,
Managed to get myself to a pretty good place with my configuration, but would appreciate another pointer from yourselves.
Currently I have the system up and running with two servers (master1 and master2) in a 2-way multi-master replication mode.
Master1 also has a Windows Synchronisation Agreement with adserver1, which is also working, however it is working in a two-way mode, propagating changes made on the Fedora Directory back to Active Directory.
Unfortunately, our current strategy is to have Active Directory as the single Directory for user management so as to make our Service Desk more efficient. We also have a policy of removing all single points of failure from within our enterprise, therefore I was looking at having two windows sync agreements from two Fedora Master servers to two different members of the same Active Directory.
The two Fedora Servers would also obviously need to be in sync (hence the multi-master setup) but probably with a number of read-only consumer servers dotted around the globe.
The question, therefore, is what would be the best way in terms of replication design, to achieve this objective?
Basically, I want to achieve the following:
AD2 -> FD2 <-> FD1 <- AD1
       / |     | \
      /  |     |  \
     V   V     V   V
    FD3 FD4   FD5 FD6
Thanks in advance for any assistance you can provide.
Cheers
Darren
This e-mail and any attachments may be confidential or legally privileged. If you received this message in error or are not the intended recipient, you should destroy the email message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained herein. Please inform us of the erroneous delivery by return e-mail. Thank you for your co-operation.
Mercer Human Resource Consulting Limited is authorised and regulated by the Financial Services Authority. Registered in England No. 984275. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU.
Paxton, Darren wrote:
Unfortunately, our current strategy is to have Active Directory as the single Directory for user management so as to make our Service Desk more efficient. We also have a policy of removing all single points of failure from within our enterprise, therefore I was looking at having two windows sync agreements from two Fedora Master servers to two different members of the same Active Directory.
You can configure this setup, but I don't think it'll quite work. Bad things such as loops between the AD replication and FDS replication can occur. Ulf Weltman did some investigation on this a while back. You might be able to find his comments in the list archive.
David Boreham wrote:
You can configure this setup, but I don't think it'll quite work. Bad things such as loops between the AD replication and FDS replication can occur. Ulf Weltman did some investigation on this a while back. You might be able to find his comments in the list archive.
This is the configuration I debugged: In a configuration with two DS in MMR (M1 and M2) and two AD in the same domain (AD1 and AD2), M1 is configured to sync with AD1 and M2 to sync with AD2, and password sync on AD1 pointing to M1 and on AD2 pointing to M2, we have a ring configuration with good availability.
From what I hear it went into use with a couple of limitations:
Dual winsync paths results in LDAP ADD collision on AD (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182515)
Dual winsync paths results in LDAP DEL collision on DS (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184155)
I cannot give an authoritative answer, but if your Active Directory is 2003 Server your Active Directory itself is multimaster (no more PDC and SDC). It seems theoretically possible to install Active Directory sync on both nodes but leave it running only on one domain controller. Something like this:
AD2 <-> AD1
     |
LoadBalancer
     |
FD2 <-> FD1
Here are some maybes. The configuration of the winsync agreements might have issues communicating with a proxy or load balanced LDAP server. Also I do not know of any HA product that would be able to fail winsync on a windows server.
On 3/19/07, Paxton, Darren darren.paxton@mercer.com wrote:
Eddie C wrote:
I cannot give an authoritative answer, but if your Active Directory is 2003 Server your Active Directory itself is multimaster (no more PDC and SDC). It seems theoretically possible to install Active Directory sync on both nodes but leave it running only on one domain controller. Something like this:
AD2 <-> AD1
     |
LoadBalancer
     |
FD2 <-> FD1
This is a cool idea, but it may not work because FDS uses the AD sync control to perform incremental inbound updates. It's quite likely that the two AD servers would have different states for the sync cookie. You could work around this by initiating a full sync when failing over between ADs.
On Mon, 2007-03-19 at 08:11 -0600, David Boreham wrote:
> Eddie C wrote:
>> I cannot give an authoritative answer, but if your Active Directory is 2003 Server your Active Directory itself is multimaster (no more PDC and SDC). It seems theoretically possible to install Active Directory sync on both nodes but leave it running only on one domain controller. Something like this:
>>
>> AD2 <-> AD1
>>      |
>> LoadBalancer
>>      |
>> FD2 <-> FD1
>
> This is a cool idea, but it may not work because FDS uses the AD sync control to perform incremental inbound updates. It's quite likely that the two AD servers would have different states for the sync cookie. You could work around this by initiating a full sync when failing over between ADs.
Thanks for the comments so far; it appears that if I can mitigate the risk, then I can just leave a single agreement in place between FDS and AD.
The other question though, regarding one-way from AD to FDS - anyone got any thoughts on that?
Cheers
Darren
Paxton, Darren wrote:
The other question though, regarding one-way from AD to FDS - anyone got any thoughts on that?
The sync code wasn't designed to allow this. However there are a couple of things you could consider:
1. Configure FDS access control to disallow modifications on attributes that are sync'ed to AD. If there are no pertinent modifications then nothing will get sync'ed to AD.
2. Hack the code to turn off the FDS->AD (outbound) change propagation.
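One concrete shape for the first suggestion, added here as an example and not taken from the thread or from the Fedora Directory Server project: an ACI on the synced subtree that denies ordinary binds write access to the attributes the winsync agreement carries to AD, so there are no local changes left for FDS to push outbound. The suffix `dc=example,dc=com`, the `ou=People` subtree, the attribute list and the PassSync service-account DN `uid=passsync,ou=Service Accounts,dc=example,dc=com` are all assumptions; substitute the subtree and attribute set your own agreement maps.

```ldif
# Added example, not from the thread: deny write on the AD-synced attributes
# for everyone except the (assumed) PassSync bind identity. With no local
# modifications to these attributes, winsync has nothing to send FDS -> AD.
#
# Assumptions to adjust: synced subtree ou=People,dc=example,dc=com; the
# attribute list below matches what the agreement actually maps; PassSync
# binds to FDS as uid=passsync,ou=Service Accounts,dc=example,dc=com and must
# keep write access to userPassword so AD-originated password changes still
# arrive. Continuation lines start with two spaces so LDIF unfolding leaves a
# single separating space in the ACI text.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || sn || givenName || mail || telephoneNumber || title
  || description || physicalDeliveryOfficeName || l || st || streetAddress
  || postalCode || userPassword")
  (version 3.0; acl "AD-owned attributes: deny local writes";
  deny (write)
  (userdn = "ldap:///anyone" and
  userdn != "ldap:///uid=passsync,ou=Service Accounts,dc=example,dc=com");)
```

Load it with ldapmodify bound as Directory Manager, then test by binding as a regular user and attempting to change, say, `mail` on an entry under `ou=People`: the expected result is LDAP error 50 (insufficient access). Two caveats worth keeping in mind: in FDS a deny ACI takes precedence over any allow, so this blocks self-service edits of these attributes as well as Service Desk tooling bound as anything other than Directory Manager, which is never subject to ACIs; and my understanding, to be verified against your version, is that updates applied internally by the winsync plugin and replicated updates arriving from the other master are not ACI-checked, so inbound AD changes and MMR between FD1 and FD2 should continue to flow.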