Discussion:
file server or member server?
steve
2013-07-01 08:27:27 UTC
Hi everyone

What's the difference between a file server and a member server?

I have a 4.0.6 DC which is a file server for sysvol. I also have a 4.0.6
file server for the other folders which go out to the clients.

Do I have a member server? Or is a member server one upon which all
files are served from the DC?

Cheers, Steve
Gaiseric Vandal
2013-07-01 13:59:47 UTC
On a very general level, a member server is joined to the domain so
that it can use the domain accounts. A member server is typically
a file server but does not have to be (you could be using it as a web
server, or application server or even a workstation.)


A domain controller can be a file server, although in many cases a
domain controller will only provide authentication and logon
functions. It does need to have file shares to provide access to
the logon scripts and profile directories used by Windows clients but
that doesn't really make it a file server.


A server that is not a member server or a domain controller is
considered to be a standalone server. These concepts apply to
Windows/Samba domains whether you are running domains based on Samba 3,
Samba 4, Windows 200x or Windows NT.
Jonathan Buzzard
2013-07-01 16:04:17 UTC
On Mon, 2013-07-01 at 09:59 -0400, Gaiseric Vandal wrote:

[SNIP]
Post by Gaiseric Vandal
A domain controller can be a file server, although in many cases a
domain controller will only provide authentication and logon
functions. It does need to have file shares to provide access to
the logon scripts and profile directories used by Windows clients but
that doesn't really make it a file server.
The profile directories can be located on a server other than a domain
controller. This is true for both NT4 style PDC/BDC and Active Directory
servers.

If you have a lot of users in your domain this is highly desirable. As
the profile location is a setting in the directory, you can even have
different users' profiles on different servers which allows you to shard
the profiles if you have a really large number of users.


JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
steve
2013-07-01 18:18:01 UTC
Post by Jonathan Buzzard
[SNIP]
Post by Gaiseric Vandal
A domain controller can be a file server, although in many cases a
domain controller will only provide authentication and logon
functions. It does need to have file shares to provide access to
the logon scripts and profile directories used by Windows clients but
that doesn't really make it a file server.
The profile directories can be located on a server other than a domain
controller.
Hi
Our profile directories are stored on what I call our file server. Does
that make it a member server?
Gaiseric Vandal
2013-07-01 18:35:38 UTC
I don't think it necessarily makes it a member server BUT if it
isn't a member server it is going to be pretty useless for serving profiles.

I have not worked with Samba4 myself - I have worked with Samba 3 (and
Windows 200x AD, and NT4) so you may want to review the samba 4
specific documentation for basic config. In samba 3 a quick review of the
smb.conf file (or the output of "testparm -v") will reveal the type of
setup.


Did you inherit these machines from someone else?
steve
2013-07-01 18:56:37 UTC
Post by Gaiseric Vandal
I don't think it necessarily makes it a member server BUT if it
isn't a member server it is going to be pretty useless for serving profiles.
Ok, so if a samba 4 box can serve profiles, then it is called a member
server, whether that be the DC or a separate 'file server'???
Post by Gaiseric Vandal
I have not worked with Samba4 myself - I have worked with Samba 3 (and
Windows 200x AD, and NT4) so you may want to review the samba 4
specific documentation for basic config. In samba 3 a quick review of the
smb.conf file (or the output of "testparm -v") will reveal the type of
setup.
Did you inherit these machines from someone else?
Yes. We take stand alone machines and network them by adding a DC and
what we call a file server. What I'd like to know is why some guys here
call what seems to be what we call a file server, a member server. I
feel we're missing out on something.
Jonathan Buzzard
2013-07-01 21:36:28 UTC
On 01/07/13 19:56, steve wrote:

[SNIP]
Post by steve
Yes. We take stand alone machines and network them by adding a DC and
what we call a file server. What I'd like to know is why some guys here
call what seems to be what we call a file server, a member server. I
feel we're missing out on something.
In both NT4 style and AD domains you have servers called domain servers
that serve identification information and provide authentication
services. These servers may also do other things such as serve files,
but it is the identification and authentication services that make them
domain servers. Any server providing identification and authentication
services is a domain server regardless of anything else it does.

You can then have other servers, such as file servers, print servers,
web servers etc. that are joined to the domain, and thus you can use
your domain credentials to authenticate to these servers, in the case of
an AD domain using the Kerberos ticket you got when you logged onto your
workstation. However crucially they don't provide identification or
authentication services. These servers are called member servers.

With larger domains it makes sense to separate out your file and print
servers from your domain servers, so that the domain servers are
effectively only providing the identification and authentication
services and your file and print services are handed off to dedicated
machines for the task. There is no way a domain server is going to cope
at a large University for example with tens of thousands of users.

This however is very basic Windows domain terminology/knowledge which I
would expect anyone offering advice on Samba to fully understand first.

JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Gaiseric Vandal
2013-07-01 22:23:53 UTC
Good explanation. Better than mine.


I tend to think of the roaming profiles as part of the logon experience,
since they sync with your computer when you logon. Actually, I found
roaming profiles to be more trouble than they were worth so I don't use
them anyway.
steve
2013-07-01 22:34:14 UTC
On Mon, 2013-07-01 at 22:36 +0100, Jonathan Buzzard wrote:

Thanks for the input. But. . .
Post by Jonathan Buzzard
In both NT4 style and AD domains you have servers called domain servers
. . .now you've introduced yet another term. What's a domain server? I
could make a guess and I'm almost certain it would be correct. But would
I?

Can anyone simply give a plain English definition on any of these in a
samba context:
- file server
- member server
and now
- domain server

I know that language evolves, but having to move the goalposts so often
depending on what post you read is a nightmare for non native English
speakers. It would help enormously over here, if we all stuck to calling
a spade a spade.

Thanks for reading,
Steve
Ricky Nance
2013-07-02 00:55:42 UTC
Steve, in simplest terms, a member server is just that, a member of the
domain serving something (print services, file services, etc). A file
server is generally part of either a member server, or it can be part of
the domain server, it's simply the part of the server that is handling how
the files are transferred. A domain server would be either a PDC or AD DC,
something that handles authentication, in some environments, you will find
a NT4 style PDC (Primary Domain Controller), in others you will find AD
DC's (Active Directory Domain Controllers), and still yet, there will be
others that are just simple authentication (simple file servers, mainly
used in home networks).

With all that said, you can mix and match somewhat, all DC's (Domain
Controller, AKA domain server) have the capability of serving files (file
server), but a member server MUST be part of the domain as it does not
provide authentication, it only checks with a DC to see what parts of the
file server it can access.

I feel like I am saying what has already been said, so if you could be more
specific about what kind of hierarchy you have, I could give you a more
specific answer. For the most part, if it's serving files and in a domain,
but not providing authentication itself, it's a 'member server', if it's NOT
in a domain, but simply serving files to any and all windows clients, it's a
simple file server, if it's in a domain and providing the domain with
username/password authentication it's a domain server (or domain controller).

Hope that helps,
Ricky
steve
2013-07-02 07:28:09 UTC
Post by Ricky Nance
I feel like I am saying what has already been said, so if you could be
more specific about what kind of hierarchy you have, I could give you
a more specific answer. For the most part, if it's serving files and in
a domain, but not providing authentication itself, it's a 'member
server', if it's NOT in a domain, but simply serving files to any and
all windows clients, it's a simple file server, if it's in a domain and
providing the domain with username/password authentication it's a
domain server (or domain controller).
Phew, I think I'm getting there.
OK, I have:
1. a 4.0.6 DC
It serves these files selfishly:
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

2. A 4.0.6 box joined to the domain. It serves profiles, home
directories, stuff that groups can rw to and anything else you can throw
at it e.g.
[users]
path = /home/users
read only = No

[profiles]
path = /home/profiles
read only = No

[shared]
path = /home/shared
read only = No

/home/profiles and /home/shared have ace's set to mimic what we would
otherwise have to set in smb.conf

Do I have this?
1. is a domain controller and a file server.
2. is a member server and a file server.

Another question, why do you say:
'...its a domain server (or domain controller).'
Which _is_ it? If it's the same thing then why does it have two names?

This thread may seem like a waste of space to many, but it's merely the
tip of the iceberg for us. Our main problem is that we are not dealing
with native English speakers. The grammatical and interpretational
problems which this list and the samba documentation in general throw up
are at times insurmountable.

Thank you all for the patience which you afford us.
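Added example, not part of the original thread: the domain controller / member server / standalone distinction discussed here can be read from the [global] section of smb.conf, using the real parameters `server role`, `security` and `domain logons`. The function names and the three sample configurations are constructed for illustration (the thread only shows share definitions; the workgroup name is an assumption).

```python
import re

# Constructed samples. Share sections mirror the ones posted in the thread;
# the [global] sections are assumptions added for this example.
DC_CONF = """
[global]
    workgroup = HH3
    realm = HH3.SITE
    server role = active directory domain controller
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
"""

MEMBER_CONF = """
[global]
    ; joined to the domain, does no authentication of its own
    workgroup = HH3
    realm = HH3.SITE
    Security = ADS
[users]
    path = /home/users
[profiles]
    path = /home/profiles
[shared]
    path = /home/shared
"""

STANDALONE_CONF = """
[global]
    workgroup = WORKGROUP
[public]
    path = /srv/public
"""

# Sections that are not general-purpose file shares: [global], the printing
# sections, and the shares a DC needs only for its own logon function.
INFRA_SECTIONS = {"global", "printers", "print$", "netlogon", "sysvol"}


def parse_smb_conf(text):
    """Return {section: {param: value}}. Parameter names are normalised the
    way Samba treats them: case-insensitive, whitespace in the name ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.split()).lower()] = value.strip()
    return sections


def classify(text):
    """Return (kind, general_shares) where kind is one of the three terms
    used in the thread."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    role = g.get("serverrole", "auto").lower()
    security = g.get("security", "auto").lower()
    if "domain controller" in role:
        kind = "domain controller"
    elif "member" in role or (role == "auto" and security in ("ads", "domain")):
        kind = "member server"
    elif role == "auto" and g.get("domainlogons", "no").lower() in ("yes", "true", "1"):
        kind = "domain controller"  # NT4-style PDC/BDC
    else:
        kind = "standalone server"
    return kind, sorted(s for s in conf if s not in INFRA_SECTIONS)


if __name__ == "__main__":
    for name, conf in [("box 1", DC_CONF), ("box 2", MEMBER_CONF),
                       ("other", STANDALONE_CONF)]:
        kind, shares = classify(conf)
        print(f"{name}: {kind}; general file shares: {shares or 'none'}")
```

A non-empty share list is what makes a box a "file server" in the sense used in this thread, independently of which of the three roles it has.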
Michael Wood
2013-07-02 09:02:27 UTC
Hi Steve
Post by steve
Post by Ricky Nance
I feel like I am saying what has already been said, so if you could be
more specific about what kind of hierarchy you have, I could give you
a more specific answer. For the most part, if it's serving files and in
a domain, but not providing authentication itself, it's a 'member
server', if it's NOT in a domain, but simply serving files to any and
all windows clients, it's a simple file server, if it's in a domain and
providing the domain with username/password authentication it's a
domain server (or domain controller).
Phew, I think I'm getting there.
1. a 4.0.6 DC
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
2. A 4.0.6 box joined to the domain. It serves profiles, home
directories, stuff that groups can rw to and anything else you can throw
at it e.g.
[users]
path = /home/users
read only = No
[profiles]
path = /home/profiles
read only = No
[shared]
path = /home/shared
read only = No
/home/profiles and /home/shared have ace's set to mimic what we would
otherwise have to set in smb.conf
Do I have this?
1. is a domain controller and a file server.
Yes, I suppose so, although most people would not really call it a file
server, because the files it's serving are just related to the DC
functionality. (Or at least that's how I look at it.) It's not a general
"anything else you can throw at it" file server.
Post by steve
2. is a member server and a file server.
Yes.

And as hinted at in some of the other messages, you could have a standalone
server (i.e. not joined to a domain, and therefore not a member server)
that serves files. This would also be a file server, but (as mentioned) not
a member server.

Also you could have a server (whether joined to the domain or not) that
does not serve files at all, but only printers. This would be a "print
server". Of course a server could also be a "file and print server".
Post by steve
'...its a domain server (or domain controller).'
Which _is_ it? If it's the same thing then why does it have two names?
He's using "or" in the sense of: "You can call it a domain server, or you
can call it a domain controller. It's the same thing."

Personally, I have not come across the term "domain server" and it seems
rather ambiguous to me. I would avoid using it and stick with "domain
controller".

Post by steve
This thread may seem like a waste of space to many, but it's merely the
tip of the iceberg for us. Our main problem is that we are not dealing
with native English speakers. The grammatical and interpretational
problems which this list and the samba documentation in general throw up
are at times insurmountable.
Thank you all for the patience which you afford us.
--
Michael Wood <esiotrot at gmail.com>
steve
2013-07-02 09:37:38 UTC
Post by Michael Wood
Hi Steve
Post by Ricky Nance
I feel like I am saying what has already been said, so if you could be
more specific about what kind of hierarchy you have, I could give you
a more specific answer. For the most part, if it's serving files and in
a domain, but not providing authentication itself, it's a 'member
server', if it's NOT in a domain, but simply serving files to any and
all windows clients, it's a simple file server, if it's in a domain and
providing the domain with username/password authentication it's a
domain server (or domain controller).
Phew, I think I'm getting there.
1. a 4.0.6 DC
[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
2. A 4.0.6 box joined to the domain. It serves profiles, home
directories, stuff that groups can rw to and anything else you can throw
at it e.g.
[users]
path = /home/users
read only = No
[profiles]
path = /home/profiles
read only = No
[shared]
path = /home/shared
read only = No
/home/profiles and /home/shared have ace's set to mimic what we would
otherwise have to set in smb.conf
Do I have this?
1. is a domain controller and a file server.
Yes, I suppose so, although most people would not really call it a
file server, because the files it's serving are just related to the DC
functionality. (Or at least that's how I look at it.) It's not a
general "anything else you can throw at it" file server.
2. is a member server and a file server.
Yes.
The two "Yes"'s there are wonderful to read. We're going to pretend that
you didn't add the 'I suppose so'.

This introduces another question for which I suppose I should start
another thread but there may be some relevance here.

I think we're making the wrong decision given 2 boxes to make the
domain. We're using the more powerful box with the bigger disk as the DC
but it sits there with hardly any load all the time. The member server
hits smbd hard all day. top gives high %CPU and %MEM a lot of the time,
especially when we're doing photos. It doesn't seem to slow things down
much and the other thing we see is that when everyone logs on at the
same time, it's slow. The latter is the DC but it still doesn't show
much activity. Could that be because it's reading the profile for
windows and the home folder for Linux?

Are there any guidelines for this sort of stuff?
Cheers,
Steve
Nick Boyce
2013-07-04 00:57:33 UTC
I'll have a go .... :)

My 2p:

A Windows domain is an authentication-and-authorisation space, defined
by a database of all usernames known within that space, together with
their passwords, group memberships and much more related stuff. The
username database (held as a set of files of course) is managed by one
or more servers dedicated to the task of processing logon attempts,
verifying passwords, authorising filesystem access requests, etc.
This type of server is known as a domain controller (or domain server
if you like).

The domain will also contain, in general, many workstations used by
the end-users, and a number of servers holding files, services and
other objects available for the use of the users. The files and
services have permission settings which define which users can access
them and in which ways. The permission settings reference the
usernames defined in the username database.

Any machine (workstation or server) needing to make use of the
username database must be "joined to the domain" (which means
exchanging keys, so that secure communication can occur); we call such
machines "members of the domain" .... member servers, member
workstations. In a medium to large organisation there are usually
quite a few member servers dedicated to file serving, some to web
serving, some to print serving, and a few to more esoteric tasks (SQL,
DNS, DHCP, WINS [does that still exist ?], etc. etc.).

You could refer to these servers as fileservers, webservers,
printservers, SQLservers, DNS servers, etc. .... you see the pattern
here ? :-)

You /can/ combine some of these server roles (including domain
controller) in one physical server, but you must be careful about
performance, especially in geographically dispersed networks. Note
that all access requests must ultimately effectively be processed and
approved by the domain controllers, which can make them pretty busy
machines - so that job is often done by dedicated servers.

There may also be other Windows servers owned by the organisation,
which are not members or controllers of the domain - these servers are
known as stand-alone servers, and their users will not share the same
username & password database as is used within the domain.

Steve> Are there any guidelines for this sort of stuff?

Yes. In the Microsoft world, typically the sysadmins all go on [gulp]
"MCSE" (Microsoft Certified System Engineer) training programmes,
where all this stuff is taught in some detail - including how to
estimate performance requirements from expected user population &
required data flows, and thus how to arrive at an effective network
and domain design. Usually you discover that you need an unbelievable
number of servers, and that the cost of server licenses and "client
access licenses" (an iniquitous concept) is likely to bankrupt your
employer ;-) .... After your boss has had a heart attack, you think
about Samba ....

I don't know whether or not there are FOSS-world courses which teach
the same (CIFS/SMB/AD) concepts.

You can also find any number of $50 text books on the subject
("Windows Active Directory") in any decent bookstore.
e.g. http://shop.oreilly.com/product/0636920028932.do
Active Directory Cookbook, 4th Edition
Solutions for Administrators & Developers
(but they will usually be focused on Microsoft products).

BTW: if you don't already know about it, you really should also try to
learn as much of the stuff on this website as you possibly can :
http://ubiqx.org/cifs/
It's more about the protocols, rather than domain design - but still
important for a sysadmin (and it's by one of the Samba team).


[I hope this helped ... maybe you already know all this stuff, and I
didn't understand your question .. it was fun trying anyway :)]

Good luck.

Nick

Jonathan Buzzard
2013-07-03 15:24:09 UTC
On Tue, 2013-07-02 at 09:28 +0200, steve wrote:

[SNIP]
Post by steve
Do I have this?
1. is a domain controller and a file server.
2. is a member server and a file server.
Yes, that is what you have.
Post by steve
'...its a domain server (or domain controller).'
Which _is_ it? If it's the same thing then why does it have two names?
It's English, every word has multiple meanings and the same thing can be
described with multiple words. It is what makes English one of the most
expressive languages there is.


JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.