Anne Cross wrote: > We have two AD servers, and we're working on having four 389 Masters > geographically distributed, multi-mastered between them, etc, etc, > etc. The goal here is to stop having network hiccups take things out. > > The AD servers talk to each other nigh-on instantaneously. Likewise > for the 389 servers. Is it safe to set up sync agreements to *both* > AD servers, in case one goes down? No. See https://bugzilla.redhat.com/show_bug.cgi?id=182515 and https://bugzilla.redhat.com/show_bug.cgi?id=184155 > Likewise, is it safe to set up an agreement to a single AD server on > multiple masters, in case we lose one master? You might run into the same issues as specified in the bugs above. > > And for further fun, do I need to install PassSync on both AD > servers? Our windows admin wants to set it up on the password server, > and the documentation on RedHat's site doesn't say it specifically > needs to be on the AD box, but I'm wondering what happens if the > password changes circumvent the password server (an admin manually > changes someone's password on the AD server, for example.) You must install PassSync on each and every domain controller. That's the only way PassSync can intercept the clear text password when someone changes his/her password. > > -- juniper (this is moderately hairy, but once it's worked out, I > will never need to touch it again, I hope) > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20091020/b22d8ddd/attachment.bin
