Re: [Samba] Some hint on migration from a set of NT4 domains to an AD domain...
- Date: Thu, 31 Aug 2017 21:26:31 +0200
- From: Denis Cardon via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Some hint on migration from a set of NT4 domains to an AD domain...
> I've lurked (and posted) on that list for some months, getting much
> valuable information, but I still have many doubts.
> Most of my doubts, I think, come from the fact that 'AD' (generally) is
> a very complex beast, and while Samba in NT4 mode fits very well in a UNIX
> environment (and mind ;), Samba in AD mode forced me to think in some
> 'Microsoft way'. And I'm not used to it.
Active Directory is not a simple beast, but the underlying tech and what
it provides is not simple either. If you want to properly set up LDAP,
Kerberos and DNS in a multi-master replication scenario, it is not easy at
all, and Samba AD makes it really simple IMHO...
Nowadays, even for full Linux client setups I prefer to have Samba AD and
> I'm an old (my daughters say that! ;) UNIX sysadmin, who manages a
> set of NT4 domains, built in branch offices when, here in Italy,
> connectivity was a chimera, and so we never cared about 'account
> Many users now have accounts on every domain, and passwords to manage.
> Every domain is LDAP-backed, and LDAP provides account and password info
> for other services, most notably email (every Samba domain has a
> corresponding email domain). I'm not using winbind (apart from native NTLM
> auth, freeradius and squid).
> Initially my plan was to move every domain into its own AD domain, doing
> after that some sort of 'foresting'.
Domain trust relationships are not yet fully supported, so AD forests are
not for tomorrow.
> This month, I've test-classicupgraded a domain (in a virtual
> environment) and started to play, most notably with schema extensions to
> keep all the email routing stuff.
> But after reading here for some months, and most notably after
> a) it is better to have the AD DC role on a machine of its own.
> b) all my UIDs/GIDs are 'wrong' (low), and had better be remapped.
Yes, get rid of everything below 1000.
> c) I can still use domains in an AD forest, but the simplest thing
> is to manage different OUs in a single domain.
Yes, even in an MS AD scenario where forests are supported, it is
recommended to consolidate your domains.
> I'm really thinking of throwing away all my 4 domains, simply
> moving/importing users using sets of non-overlapping UIDs/GIDs, and
> moving users from the old domains into OUs.
If you have Windows workstations, the main PITA during migration is the
user profile migration. If you change the user SID, then the user will
get a shiny new clean profile after migration.
So you can choose the domain with the largest number of users and keep
that domain SID and the users' SIDs in the new domain. You should
re-inject password hashes to avoid re-issuing credentials.
All the other users will have new SIDs, so you'll have to
migrate their profiles as well. Actually the server-side migration part is
the fastest and easiest (the Samba team is really doing a great job!). If
you have a large number of users, your real pain will be on desktops and
with business apps.
> Clearly, I have to do some more work (e.g. prepare a set of scripts to move
> file permissions/ACLs from the old to the new ACLs; rejoin all workstations; ...),
> but I hope the result can be better.
> Has someone already done such a migration, or something like this?
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 22.214.171.124.55
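The consolidation plan discussed in this exchange (one non-overlapping UID/GID block per legacy domain, everything below 1000 flagged for remapping, and file ownership rewritten to the new IDs afterwards), as an added Python illustration that is not part of the post and is not Samba's own tooling. The per-domain account exports, the file listing, the range base and the block size are all constructed assumptions; on a real server the inputs would come from `getent passwd` on each old DC and from a recursive numeric listing of the shares.

```python
#!/usr/bin/env python3
"""Plan non-overlapping UID/GID blocks for folding several NT4-era Samba
domains into one AD domain, then translate file ownership to the new IDs.

Added example, not from the list post or from Samba. All data below is
constructed; the range base and block size are arbitrary assumptions.
"""
from __future__ import annotations

MIN_UID = 1000      # IDs below this are reserved for local/system accounts
RANGE_BASE = 10000  # first new block starts here (assumption)
RANGE_SIZE = 10000  # each legacy domain gets a block this large (assumption)

# Constructed 'name:uid:gid' exports, one per old domain. Note the clashes a
# naive merge would hit: uid 500 exists in both, and 'bob' exists in both.
DOMAIN_EXPORTS = {
    "BRANCH1": "alice:500:500\nbob:501:501\n",
    "BRANCH2": "carol:500:500\nbob:502:600\n",
}

# Constructed 'path:uid:gid' listing from BRANCH1's file server.
FILES_BRANCH1 = (
    "/srv/data/alice/report.odt:500:500\n"
    "/srv/data/shared:501:501\n"
    "/srv/data/old:999:999\n"   # owner no longer in the export
)


def parse_export(text: str) -> list[tuple[str, int, int]]:
    """Parse 'name:uid:gid' lines (the fields one would take from getent passwd)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, uid, gid = line.split(":")
            rows.append((name, int(uid), int(gid)))
    return rows


def legacy_ids(accounts: list[tuple[str, int, int]]) -> list[tuple[str, int, int]]:
    """Rows still using a uid or gid below MIN_UID, i.e. the ones that must move."""
    return [a for a in accounts if a[1] < MIN_UID or a[2] < MIN_UID]


def allocate_ranges(domains: list[str]) -> dict[str, tuple[int, int]]:
    """Give each legacy domain its own [start, end) block so new IDs never collide."""
    return {dom: (RANGE_BASE + i * RANGE_SIZE, RANGE_BASE + (i + 1) * RANGE_SIZE)
            for i, dom in enumerate(sorted(domains))}


def build_mapping(exports: dict[str, str]):
    """Return (uid_map, gid_map, duplicate_names).

    uid_map[dom][old_uid] -> new_uid, likewise gid_map. UIDs take the lower
    half of the domain's block, GIDs the upper half. duplicate_names are
    account names present in more than one old domain; they must be resolved
    by hand before import because sAMAccountName is unique per AD domain.
    """
    ranges = allocate_ranges(list(exports))
    uid_map, gid_map, first_seen_in, duplicates = {}, {}, {}, set()
    for dom, text in exports.items():
        start, end = ranges[dom]
        next_uid, next_gid = start, start + RANGE_SIZE // 2
        uid_map[dom], gid_map[dom] = {}, {}
        for name, uid, gid in parse_export(text):
            if first_seen_in.setdefault(name, dom) != dom:
                duplicates.add(name)
            if uid not in uid_map[dom]:
                uid_map[dom][uid] = next_uid
                next_uid += 1
            if gid not in gid_map[dom]:
                gid_map[dom][gid] = next_gid
                next_gid += 1
        if next_uid > start + RANGE_SIZE // 2 or next_gid > end:
            raise ValueError(f"{dom}: more IDs than fit in its block")
    return uid_map, gid_map, sorted(duplicates)


def remap_ownership(dom: str, listing: str, uid_map, gid_map):
    """Translate 'path:uid:gid' rows from domain `dom` to the new IDs.

    Rows whose owner or group is not in the map are returned separately
    rather than being silently chowned to something wrong.
    """
    moved, unmapped = [], []
    for line in listing.splitlines():
        if not line.strip():
            continue
        path, uid, gid = line.rsplit(":", 2)   # rsplit: paths may contain ':'
        new_uid = uid_map[dom].get(int(uid))
        new_gid = gid_map[dom].get(int(gid))
        if new_uid is None or new_gid is None:
            unmapped.append((path, int(uid), int(gid)))
        else:
            moved.append((path, new_uid, new_gid))
    return moved, unmapped


def chown_commands(moved) -> list[str]:
    """Render chown lines; -h so a symlink's target is not touched."""
    return [f"chown -h {u}:{g} -- '{p}'" for p, u, g in moved]


if __name__ == "__main__":
    uid_map, gid_map, dups = build_mapping(DOMAIN_EXPORTS)
    print("legacy rows in BRANCH1:", legacy_ids(parse_export(DOMAIN_EXPORTS["BRANCH1"])))
    print("names to resolve by hand:", dups)
    moved, unmapped = remap_ownership("BRANCH1", FILES_BRANCH1, uid_map, gid_map)
    print("\n".join(chown_commands(moved)))
    print("unmapped, review before import:", unmapped)
```

The same numeric map applies to POSIX ACL entries: dump them with `getfacl -R -n` (numeric IDs), rewrite the `user:`/`group:` fields through `uid_map`/`gid_map`, and load the result with `setfacl --restore`. The script deliberately leaves SIDs alone; keeping one domain's SID, as suggested above, is a separate decision on the AD side and does not change the POSIX IDs the file server sees.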