[windows2000] Re: Samba or Win2K Server as Domain Controller?

  • From: "Joe Shonk" <JShonk@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Tue, 22 Oct 2002 07:59:08 -0700

You're digging too deep... The time that it took to research and compare would have paid for the Windows 2000 OS...  Why is it a big deal if it's Microsoft or Linux?  95% of the world uses Microsoft... Perhaps that should be where you look.  Schools should be preparing their students for the real world, not a fantasy.


-----Original Message-----
From: Scott Ehrlich [mailto:scott@xxxxxxxxxx]
Sent: Tuesday, October 22, 2002 7:50 AM
To: windows2000@xxxxxxxxxxxxx; samba@xxxxxxxxxxxxxxx
Subject: [windows2000] Samba or Win2K Server as Domain Controller?

We are looking at implementing a Windows Domain structure very soon and have been asked to evaluate/investigate the differences between using as a DC vs a true Win2k DC.   We run TCP/IP and Appletalk on a 100Base-T


I'm the main Microsoft person in the group and have a lot of Windows experience (9x - XP).

We currently have a primary NT 4 domain controller mainly acting as a and software install server.   99% of workstations are in workgroup

We have a contingent of Mac users (OS 9 and above) who also utilize the for printing and software installation.

I know the full capabilities of a Win2K DC, and have just read the Samba 2.2 FAQ from the samba.org web site, so I am generally familiar with I'll get.

Some of the functionality I want include:

- Roaming profiles (Samba FAQ says this can be done)

- Magically add printers to workstations which become domain members through a policy or template?)

- Permit an account to be used for registration-only so users can make themselves domain members on their own

- Enable full auditing with Tripwire so I am kept fully up-to-date on changes (machine adds/removals/changes)

- Permit seamless password changes between our UNIX and Windows world

- Permit Mac users seamless access to shared printers and file storage (using Services for Mac on an existing NT 4 server)

- Implement policies to permit patch pushing or service changes to

Our model will likely end up being having an external machine (Linux likely) doing just LDAP.   We may authenticate to it, or we may try to implement Kerberos.  We'll see how much pain is involved in setting and maintaining our own Kerberos server/realm.   Being on the MIT campus, we know how Kerberos works ;-)
Thus, we might authenticate to a separate Kerberos server and have the remaining info in a separate LDAP database on its own server.

Now, if we have a dedicated LDAP server with possibly also a Kerberos server (neither will be the Win2K Domain Controller), how will I/we get Windows functionality we want knowing the DC uses LDAP plus some proprietary additions to LDAP, and that the DC wants to be a KDC?

It almost looks like the Mac, Linux, and Solaris clients will have no problems, but the Windows world is the obstacle.

Can LDAP and Kerberos be disabled/separated/modified to permit even pass-through authentication to the dedicated server(s), thus permitting domain world, the Windows clients think they are talking to a true DC, the DC thinks it is the boss, yet it gets its info from external

Does this make any sense?

Thanks in advance.
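As an added illustration (not from either poster, and not a recommendation from the list), the following is a minimal Samba 2.2-style smb.conf sketch of the PDC pieces that three items on the wish list above map onto: roaming profiles (`logon path`), machine trust accounts created when a workstation joins (`add user script`), and Windows-to-UNIX password sync (`unix password sync`). The domain name EXAMPLEDOM, server name PDC1, the UNIX group `machines`, the share paths and the `passwd chat` prompt strings are all assumptions to be adjusted for the local system; the LDAP/Kerberos back-end question raised in the post is not addressed here.

```ini
; Added example, not part of the original thread.
; Assumptions: domain EXAMPLEDOM, server PDC1, UNIX group "machines",
; profiles under /home/profiles, and a passwd(1) whose prompts match the
; "passwd chat" line below. Adjust every one of these for the real system.
[global]
   workgroup = EXAMPLEDOM
   netbios name = PDC1
   security = user
   encrypt passwords = yes

   ; Act as the NT4-style primary domain controller for this workgroup.
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65

   ; Roaming profiles: each user's profile is stored on this server and
   ; pulled down at logon. %L is this server's NetBIOS name, %U the user.
   logon path = \\%L\profiles\%U
   logon home = \\%L\%U
   logon drive = H:
   logon script = logon.bat

   ; Machine trust accounts: when a workstation joins, Samba runs this to
   ; create the UNIX side of the account (the machine name with a trailing
   ; "$" arrives in %u). The join itself must still be performed with a
   ; Samba account that has root privilege; there is no anonymous
   ; self-registration with this mechanism.
   add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

   ; Password sync: a change made from a Windows client is pushed into
   ; the UNIX password database too. This is one-way (Windows -> UNIX);
   ; a change made with passwd(1) on the UNIX side does not update the
   ; SMB password hash, so that direction needs a separate mechanism.
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*successfully*

[netlogon]
   ; Logon scripts and policy files; read-only for everyone but root.
   path = /home/netlogon
   read only = yes
   write list = root

[profiles]
   ; Profile store; each profile directory is private to its owner.
   path = /home/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = no
```

Two points a practitioner would check before relying on this: the `add user script` line runs as root with a client-supplied account name, so keep it to a fixed command with a single `%u` substitution as shown rather than anything that interprets shell metacharacters; and because password sync is one-way, the "seamless" UNIX/Windows password change asked for above needs a second component (for example, a PAM module that updates the SMB password) for changes that originate on the UNIX side.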


To Unsubscribe, set digest or vacation
mode or view archives use the below link.
