Re: [Samba] Demote a samba DC and rejoin as member
- Date: Mon, 15 Jan 2018 12:37:02 +0100
- From: Denis Cardon via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Demote a samba DC and rejoin as member
Yes, when switching, it is much safer to clean up your /var/lib/samba.
Be sure to recreate the /var/lib/samba/private folder after cleanup,
that folder is not recreated automatically most of the time.
There is nothing very complicated in what you wanted to do. Just be
sure to double check the replication before demoting, be sure to
demote to remove all the old DNS entries pointing to your old server,
check your DNS config on servers and desktops.
I do that regularly, kind of business as usual, but the other way
around, from MS-AD to Samba AD... By the way Samba-AD is much more
easy to maintain if you are familiar with AD and at easy with command
line / scripting. Unless you have a business/corporate requirement
expressly needing a MS-AD, I'd say it would be better to stick with
thanks for your help.
For the reasons to do that: until now, I had the impression it was the
other way round, MS-AD looked easier to maintain, at least as long as
everything works... Part of the problem may be that I am bound to use
the samba packages shipped with Debian stable, which is 4.5.12 at the
moment. I already encountered several points which were already fixed in
newer versions, but I would have to wait for Debian 10 to get these.
But I am more familiar with Linux and the command line, so I am
considering your words and staying with samba. What is absolutely
required is to have domain members running Windows 10 and Server 2016,
and I am unsure whether this works with this rather old version of samba.
As far as packaging is concerned, you are right in saying that distro
version are too outdated for production Samba-AD. For file servers it
might be OK depending on your requirements, but for AD it is better to
mostly follow new version. Samba-AD is a fast moving target with a lot
of improvement/bug fixes at each version. Currently you can go with
You can check LPH van Belle packages or the one we bakes at my office
. You should also be sure to use Bind DLZ for DNS (Samba internal DNS
does not do caching currently, so it forwards all the queries which are
not pointing to its own zones).
By the way, one thing that you started to do your migration process,
splitting AD server and fileserver, is a good thing to do in any cases.
Winbind process behaves differently on AD and fileserver, and it is much
better for maintenance to split those two roles. And from a
cyber-security point of view, it is advised, be it MS or Samba, to put
as few stuff as possible on AD since it is a very critical machine from
a security stand point.
Once Samba-AD is properly setup, it does run smoothly. We've got
hundreds of them humming happily at clients. And you can have win10 and
win2k16 member servers without problems. There are cases where MS-AD is
the only options, mainly if you need 2k12 schema support (currently
being implemented) or 2k12 security features like FAST or silos, or a
tight SIEM integration (logging framework needs to be improved),
inter-domain trusts, or third party software requirements.
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 126.96.36.199.55
To unsubscribe from this list go to the following URL and read the