I have a setup like this:

    Samba PDC + OpenLDAP master <-> WAN/VPN <-> Samba BDCs + OpenLDAP slaves + workstations

The PDC is a WINS server for all BDCs, and a secondary WINS for workstations. The BDCs are defined with "domain master = No" in smb.conf.

As I see using iptraf, domain joins are always performed over the WAN/VPN, which is slow, over the internet, the connection can break, etc.:

    workstation <-> WAN/VPN <-> PDC

and *never* directly to the BDC (which is local):

    workstation <-> LAN <-> BDC

So when I switch off Samba on the PDC (with master LDAP running), workstations can't join the domain anymore (and they say that domain MYDOMAIN is unavailable).

At first I thought that a workstation can join a domain only via the PDC, and not via the BDC. Then I thought that the point of having a Backup Domain Controller is to have a backup (hence the name) when the PDC fails. So I switched off Samba on the PDC, and tried to join one of the BDC servers, named "backup1", to the domain, with itself as the server:

    backup1# net rpc join -S backup1 -U Administrator
    Password:
    Joined domain MYDOMAIN.

So joining a domain via the BDC is possible! But when I try to do it from the workstation (with Samba on the PDC off), it fails with "domain not available". No packets are sent towards a BDC, either.

When I change a BDC to the PDC ("domain master = Yes"), workstations join that "temporary" PDC without problems.

This is pretty much how it is supposed to work. The clients have to resolve the DOMAIN<0x1b> (domain master browser) name in order to locate the PDC. When you shut off the PDC, they cannot join because they cannot find the domain. The BDCs provide failover for logons. This is the best we can do for now. net join actually shouldn't work against a Samba BDC currently. Eventually we'll get better semantics in place, but it will take a lot of work.
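
The name lookup described in the reply above, as an added example that is not part of the original thread: this Python sketch builds and parses the NBNS name query a client sends for MYDOMAIN<1b>, so the request can be recognized in a packet capture. The function names, the transaction ID and the unicast-to-WINS flag value are assumptions chosen for the example.

```python
import struct

SUFFIX_DMB = 0x1B  # domain master browser name, registered by the PDC


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: pad to 15 chars, add suffix, split nibbles."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))    # high nibble -> 'A'..'P'
        out.append(ord("A") + (b & 0x0F))  # low nibble  -> 'A'..'P'
    return bytes(out)


def decode_netbios_name(encoded: bytes):
    """Reverse the encoding; returns (name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 65) << 4) | (encoded[i + 1] - 65)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    """NBNS name query (RFC 1002): header, QNAME, QTYPE=NB, QCLASS=IN."""
    # Flags 0x0100: recursion desired, as in a unicast query to a WINS server.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack(">HH", 0x0020, 0x0001)


def parse_name_query(packet: bytes):
    """Return (name, suffix) of the single question in an NBNS query."""
    _txid, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount != 1 or packet[12] != 0x20:
        raise ValueError("not a single-question NBNS query")
    return decode_netbios_name(packet[13:45])


if __name__ == "__main__":
    # MYDOMAIN is the domain name used in the thread.
    pkt = build_name_query("MYDOMAIN", SUFFIX_DMB)
    print(encode_netbios_name("MYDOMAIN", SUFFIX_DMB).decode())
    print(parse_name_query(pkt))
```

In a capture on UDP port 137, a query whose decoded suffix is 0x1b is the client looking for the domain master browser, which in the setup above is only registered by the PDC.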
In that case, as a workaround, is it possible to add some kind of "static WINS entries" to Windows workstations?