Re: [Samba] Some hint on migration from a set of NT4 domains to an AD domain...




Hi Marco,

I've lurked (and posted) on that list for some months, getting much
valuable information, but I still have many doubts.

Most of my doubts, I think, come from the fact that 'AD' (generally) is
a very complex beast, and while Samba in NT4 mode fits very well in a UNIX
environment (and mind ;), Samba in AD mode forced me to think in some
''Microsoft way''. And I'm not used to that.

Active Directory is not a simple beast, but the underlying tech and what it provides is not simple either. If you want to properly set up LDAP, Kerberos and DNS in a multi-master replication scenario, it is not easy at all, and Samba AD makes it really simple IMHO...

Nowadays, even for a full Linux client setup I prefer to have Samba AD and SMB connectivity.

I'm an old (my daughters say that! ;) UNIX sysadmin who manages a
set of NT4 domains, built in branch offices when, here in Italy,
connectivity was a chimera, and so we never minded about ''account
management''.
Many users now have accounts on every domain, and passwords to manage.


Every domain is LDAP-backed, and LDAP provides account and password info
for other services, most notably email (every Samba domain has a
compelling email domain). I'm not using winbind (apart from native NTLM
auth, freeradius and squid).


Initially my plan was to move every domain into its own AD domain, then
do some sort of ''foresting''.

Domain trust relationships are not yet fully supported, so AD forests are not for tomorrow yet.

This month, I've test-classicupgraded a domain (in a virtual
environment) and started to play, most notably with schema extensions to
keep all the email routing stuff.


But after reading here for some months, and most notably after
understanding that:

 a) it is better to have the AD DC role on a machine of its own.

Yes, definitely.

 b) all my UIDs/GIDs are ''wrong'' (low) and had better be remapped.

Yes, get rid of everything below 1000.

 c) I can still use domains in an AD forest, but the simplest thing
    is to manage different OUs in a single domain.

Yes, even in an MS AD scenario where forests are supported, it is recommended to consolidate your domains.

I'm really thinking of throwing away all my 4 domains, simply
moving/importing users using sets of non-overlapping UIDs/GIDs, and
moving users from the old domains to OUs.

If you have Windows workstations, the main PITA during migration is the user profile migration. If you change the user SID, then the user will get a shiny new clean profile after migration.

So you can choose the domain with the largest number of users and keep that domain's SID and the users' SIDs in the new domain. You should re-inject password hashes to avoid re-issuing credentials.

All the other users will have new SIDs, so you'll have to migrate their profiles too. Actually the server-side migration part is the fastest and easiest (the Samba team is really doing a great job!). If you have a large number of users, your real pain will be on desktops and with business apps.

Cheers,

Denis


Clearly, I have to do some more work (e.g., prepare a set of scripts to move
file permissions/ACLs from the old to the new ACLs; rejoin all workstations; ...),
but I hope the result can be better.


Has someone already done such a migration, or something like this?


Thanks.


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
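One way to sketch the remap discussed in points b) and c) and in the consolidation plan above, as an added example that is not code from this thread or from the Samba project. It assumes one non-overlapping ID block per legacy domain (starting at 100000, 10000 IDs each), user-private groups, and that a user found in several domains becomes a single AD account; the domain and user names are constructed sample data.

```python
# Added example (not from the thread): plan the UID/GID remap for folding
# several NT4-style Samba domains into OUs of one AD domain.
# Domain names, users and ID numbers below are constructed samples.

RANGE_BASE = 100000   # assumption: first per-domain block starts here
RANGE_SIZE = 10000    # assumption: each legacy domain gets a block of 10000 IDs
MIN_VALID_ID = 1000   # anything below this clashes with local UNIX accounts

# Constructed sample export: domain -> [(user, uidNumber, gidNumber), ...]
LEGACY_DOMAINS = {
    "MILANO": [("marco", 500, 100), ("anna", 1001, 100)],
    "TORINO": [("marco", 500, 100), ("luca", 502, 100)],
    "GENOVA": [("anna", 1001, 100), ("paolo", 2000, 2000)],
}


def plan_remap(domains):
    """Return (mapping, duplicates).

    mapping:    {(domain, user): {old_uid, old_gid, new_uid, new_gid, ou, low_id}}
    duplicates: {user: [domains]} for people with an account in several domains;
                they become ONE AD account reusing the first domain's new IDs, so
                files from every branch get the same owner after the ACL rewrite.
    """
    mapping, seen = {}, {}
    for index, (domain, entries) in enumerate(domains.items()):
        next_id = RANGE_BASE + index * RANGE_SIZE   # non-overlapping block per domain
        for user, old_uid, old_gid in entries:
            if user in seen:
                seen[user].append(domain)
                first = mapping[(seen[user][0], user)]
                new_uid, new_gid = first["new_uid"], first["new_gid"]
            else:
                seen[user] = [domain]
                new_uid = new_gid = next_id   # assumption: user-private group
                next_id += 1
            mapping[(domain, user)] = {
                "old_uid": old_uid, "old_gid": old_gid,
                "new_uid": new_uid, "new_gid": new_gid,
                "ou": domain.title(),        # one OU per legacy domain
                "low_id": old_uid < MIN_VALID_ID or old_gid < MIN_VALID_ID,
            }
    return mapping, {u: d for u, d in seen.items() if len(d) > 1}


def new_ids_are_unique(mapping):
    """Sanity check before applying: distinct people must never share a new UID."""
    owners = {}
    for (_domain, user), row in mapping.items():
        owners.setdefault(row["new_uid"], set()).add(user)
    return all(len(users) == 1 for users in owners.values())
```

The `low_id` flag marks the accounts that point b) says must not be carried over as-is, and the old-to-new pairs in `mapping` are what a chown/ACL rewrite script over the old file servers would consume.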
