Jonathan Johnson
2005-Feb-12 22:40 UTC
[Samba] Migrating domain from Samba 3 to Windows 2003
At the risk of being called a turncoat and traitor in Sambaland, I ask, "how do I migrate from a Samba 3 domain to a Windows 2003 Active Directory domain?"

A customer has determined that they wish to use the groupware features of Microsoft Exchange. They already have the licenses they need, so there's no point in convincing them that Samba will be cheaper or that some Linux-based solution will work. This of course requires Active Directory (although I would not be surprised if a subscriber to this list proves me wrong), and by extension, migrating their existing Samba 3 domain.

Of course, it would be easy to just create a new domain. Since this customer has only 6 machine accounts and 7-10 user accounts, it's not a big deal to recreate them. However, one must remember that creating new users in a new domain means that user profiles will be "lost" since the profile (read: NTUSER.DAT) is tied to the SID of the user. New domain = new SIDs. It's possible but tedious and risky with unpredictable results (due to permissions, again tied to the SID) to migrate user profiles. A domain migration would be much smoother, if possible, especially for an administrator dealing with hundreds or thousands of user and machine accounts.

Here is how I imagine doing it. The customer has two new servers (hardware), one of which will be a replacement for the existing Samba box (which handles file storage and sharing), the other of which will be the Windows 2003 AD server.

I will make a copy of the existing Samba 3 domain to one new box, and install Windows 2003 in the other new box. These boxes will be at this point disconnected from the production network, leaving it intact and unchanged for now. This lets us make mistakes on the new systems without affecting their production network.

Configure the Samba server so it looks like an NT 4 server (how?).

Join the Windows 2003 server as a member server to the Samba 3 domain.

Run the Active Directory installation wizard to migrate the domain, elevating the Windows 2003 server to an Active Directory server.

Take the Samba 3 server offline, rebuild it, joining it to the new W2K3/AD domain as a simple file server.

Any reason this won't work? Your experiences? Your wisdom?

One final question: Can Exchange 2003 be made to authenticate against a Samba domain? I would expect not, since a Samba domain is mostly an NT4 equivalent and Exchange 2003 requires a domain at least at AD2000 functional level. Maybe AD2003 functional level.

~Jonathan Johnson
Sutinen Consulting, Inc.
jon@sutinen.com

On Sat, 2005-02-12 at 14:40 -0800, Jonathan Johnson wrote:
> At the risk of being called a turncoat and traitor in Sambaland, I ask,
> "how do I migrate from a Samba 3 domain to a Windows 2003 Active
> Directory domain?"
>
> A customer has determined that they wish to use the groupware features
> of Microsoft Exchange. They already have the licenses they need, so
> there's no point in convincing them that Samba will be cheaper or that
> some Linux-based solution will work. This of course requires Active
> Directory (although I would not be surprised if a subscriber to this
> list proves me wrong), and by extension, migrating their existing Samba
> 3 domain.
>
> Of course, it would be easy to just create a new domain. Since this
> customer has only 6 machine accounts and 7-10 user accounts, it's not a
> big deal to recreate them. However, one must remember that creating new
> users in a new domain means that user profiles will be "lost" since the
> profile (read: NTUSER.DAT) is tied to the SID of the user. New domain =
> new SIDs. It's possible but tedious and risky with unpredictable results
> (due to permissions, again tied to the SID) to migrate user profiles. A
> domain migration would be much smoother, if possible, especially for an
> administrator dealing with hundreds or thousands of user and machine
> accounts.
>
> Here is how I imagine doing it. The customer has two new servers
> (hardware), one of which will be a replacement for the existing Samba
> box (which handles file storage and sharing), the other of which will be
> the Windows 2003 AD server.
>
> I will make a copy of the existing Samba 3 domain to one new box, and
> install Windows 2003 in the other new box. These boxes will be at this
> point disconnected from the production network, leaving it intact and
> unchanged for now. This lets us make mistakes on the new systems without
> affecting their production network.
>
> Configure the Samba server so it looks like an NT 4 server (how?).
>
> Join the Windows 2003 server as a member server to the Samba 3 domain.
>
> Run the Active Directory installation wizard to migrate the domain,
> elevating the Windows 2003 server to an Active Directory server.
>
> Take the Samba 3 server offline, rebuild it, joining it to the new
> W2K3/AD domain as a simple file server.
>
> Any reason this won't work? Your experiences? Your wisdom?
>
> One final question: Can Exchange 2003 be made to authenticate against a
> Samba domain? I would expect not, since a Samba domain is mostly an NT4
> equivalent and Exchange 2003 requires a domain at least at AD2000
> functional level. Maybe AD2003 functional level.

Why not just do the easy thing... add 2003 to the samba domain... and just have "local" AD and then it'll "just work".

--
greg, greg@gregfolkert.net
The technology that is Stronger, better, faster: Linux