Luke Barone
2016-May-25 20:28 UTC
[Samba] Upgrading Samba 3 to Samba 4 with Active Directory at many sites
First, background information. We are a large (geographically local) organization with 50 sites, including our HQ. Each site has a Debian Server running Samba in NT-Domain Controller mode. Each site is independent of the next, but they are all named <SITE>.example.com. The workstations are connected, and working fine in our sites with the single servers.

We had a recent network upgrade that now has every site with a 10.X.Y.Z address. X is the site code, so each site is in the same 10.0.0.0/8 subnet, and we can see the networks from each site. Now is the time to set up Active Directory, right?

My goal is to create a forest, starting at the HQ (HQ.example.com) level, and working down to each site (SITEA.example.com, SITEB.example.com, etc). Our goal is to upgrade to Active Directory at each location, so as to not lose any of the user data (username/passwords, group memberships, etc), and then merge the AD Domains into a hierarchical forest, with each of the techs responsible for the domain at their sites. We are hoping that it will also allow us to have a user's primary DC (I know that term isn't used, but let's say it's the site's main one) down, but still authenticate to another trusted domain controller.

Will Samba 4 allow us to do this? If so, is it simply a process of 1) Upgrade role to Active Directory Domain Controller, 2) Use Active Directory Sites and Services to link each of the 50 domains together? Or is there more to it that we need to work on first?
Luke Barone
2016-May-30 14:03 UTC
[Samba] Upgrading Samba 3 to Samba 4 with Active Directory at many sites
Just wondering if anyone is able to give some advice with this?

On May 25, 2016 1:28 PM, "Luke Barone" <lukebarone at gmail.com> wrote:
> [...]
mathias dufresne
2016-May-30 16:01 UTC
[Samba] Upgrading Samba 3 to Samba 4 with Active Directory at many sites
Hi Luke,

What you want to do is several AD domains, one per geographical site, with trust relationships between them? Two things regarding that:

1° Samba 4 as AD is not yet able to perform trust relationships except for full, bi-directional and transitive relationships. At least that is how I understood the changelog from 4.3.0 and the following (where I see no updates regarding trusts since 4.3.0; I could have missed some).

2° Microsoft itself advises not to use trust relationships, as they are... what they are. And of course they advise not to use trust relationships for purely MS AD domains, as they speak only about MS stuff, not about Samba stuff.

According to that (and admitting I was right about 1°) I would avoid trust relationships, just not using them.

So how would I do it?

This means you change domain SID; I believe you can't re-use one because you have several domains trusting each other, so several domain SIDs.
A - create an AD domain with Samba 4
B - Import everything from old domain to the new AD domain.
C - check all went well
D - prepare AD sites (one per geographical site)
E - add computers into the new AD domain

Now all machines re-joined to the new domain should be able to use your new AD. But what about applications which use old DNS names SITEA.your.domain.tld or filesrv.SITEC.your.domain.tld? I would just recreate them in the AD DNS database, to keep compatibility with applications whose code you can't change (in companies there are always apps with hardcoded stuff, so we have something to complain about perhaps).

Not changing domain SID (starting from one big domain):
A - create an AD domain with Samba 4 with the old SID and
B - Import everything from old domain to the new AD domain.
Be careful: you will have to re-inject all user passwords, including computers' passwords (for clients, so as not to re-join them)
C - check all went well -> changing DNS on some client you have a chance it works: computer's registry contains the right SID, rights on files are good (SID does not change), the machine can log on to the domain (if you have imported the computer's password correctly, there's a slight chance it works...)
D - prepare AD sites (one per geographical site)

All that on a new domain, to not take risks on the working one...

Hoping this helps,
cheers,
mathias

2016-05-30 16:03 GMT+02:00 Luke Barone <lukebarone at gmail.com>:
> [...]
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Luke Barone
2016-Jul-05 22:27 UTC
[Samba] Upgrading Samba 3 to Samba 4 with Active Directory at many sites
Final question regarding this... Do I just join each "site" Samba server as a Samba Client to provide file sharing? Or will I need two Samba DCs at each site (one for authenticating, one for file sharing)? I just want to try to get it right for when I do my testing.

On Mon, May 30, 2016 at 9:43 AM, mathias dufresne <infractory at gmail.com> wrote:
> Regarding speeding up auth using the local DC, that's the whole point of AD Sites; have a look at them, declare one or more CIDR network addresses for them, and you get your sped-up auth stuff.
>
> Cheers
> On 30 May 2016 18:10, "Luke Barone" <lukebarone at gmail.com> wrote:
>>
>> On Mon, May 30, 2016 at 9:01 AM, mathias dufresne <infractory at gmail.com> wrote:
>>
>>> So how would I do it?
>>> This means you change domain SID; I believe you can't re-use one because you have several domains trusting each other, so several domain SIDs.
>>> A - create an AD domain with Samba 4
>>> B - Import everything from old domain to the new AD domain.
>>> C - check all went well
>>> D - prepare AD sites (one per geographical site)
>>> E - add computers into the new AD domain
>>
>> So, with the current versions of Samba, I should not need to create Trust Relationships, as it's not possible in Samba right now anyway, correct?
>>
>> Thinking about this a little more, I'm wondering if it's even required, if we are all going to be on a big LAN in the end anyway... I was hoping though for fast authentication when users are at a different site, and speed after logging in can be slower if needed.
>>
>> I'll be getting some Raspberry Pis to duplicate our current setup, then put them in the setup we are working towards, and test it out. As for connecting the AD servers together, is it enough to just "add" the server to the domain, or will each server be its own entity still, pulling/pushing updates to a master server at the head office?
>>
Data Control Systems - Mike Elkevizth
2016-Jul-05 23:05 UTC
[Samba] Upgrading Samba 3 to Samba 4 with Active Directory at many sites
The Samba wiki suggests that you don't use a domain controller for file serving. My experience says that it can be done, but there are a number of hacks that need to be used in order to get the desired results. So, if you have the resources, I would strongly suggest one DC and a separate file server per site.

Mike E.

On Tue, Jul 5, 2016, 6:28 PM Luke Barone <lukebarone at gmail.com> wrote:
> [...]
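An added example, not from any post in this thread, that turns two pieces of advice above into something runnable: mathias's point that AD Sites (one per location, each declared with its CIDR subnet) are what steer a client to its local DC, and Mike's layout of one DC plus a separate domain-member file server per site. It assumes the 10.X.0.0/16-per-site addressing Luke describes, a single AD domain with NetBIOS name HQ and realm HQ.EXAMPLE.COM (both assumptions, not stated in the thread), and that the installed samba-tool provides `samba-tool sites create` and `samba-tool sites subnet create` (assumed; older builds would need the subnet objects created over LDAP). The site table, idmap ranges and share path are constructed for the example. `ip_to_site` mirrors the subnet-to-site match a DC performs when a client at 10.3.x.x asks for a nearby DC.

```shell
#!/bin/sh
# Added example (not from the Samba list thread). Plans AD sites/subnets for
# a 10.<site>.0.0/16-per-site network and writes a domain-member file server
# smb.conf. Domain name HQ / HQ.EXAMPLE.COM and the site table are assumptions.
set -eu

# Constructed site table: "<site code X in 10.X.Y.Z> <AD site name>"
SITES='1 HQ
2 SITEA
3 SITEB'

# Subnet a site owns: the site code is the second octet, so one /16 per site.
site_subnet() {
    printf '10.%s.0.0/16\n' "$1"
}

# Which site a client IP belongs to, by its second octet. Clients outside any
# declared subnet fall back to Samba's provision-time default site.
ip_to_site() {
    code=$(printf '%s\n' "$1" | cut -d. -f2)
    printf '%s\n' "$SITES" | awk -v c="$code" \
        '$1 == c { print $2; found = 1 }
         END { if (!found) print "Default-First-Site-Name" }'
}

# Emit (do not run) the samba-tool commands that register every site and its
# subnet; review the output, then pipe it to sh on a DC.
# "samba-tool sites subnet create" is assumed available in the Samba in use.
plan_sites() {
    printf '%s\n' "$SITES" | while read -r code name; do
        [ -n "$code" ] || continue
        printf 'samba-tool sites create %s\n' "$name"
        printf 'samba-tool sites subnet create %s %s\n' \
            "$(site_subnet "$code")" "$name"
    done
}

# Minimal smb.conf for the per-site file server joined as a domain member,
# not a DC. $1 = NetBIOS domain name, $2 = realm. idmap ranges, the rid
# backend choice and the share path are assumptions for the example.
member_smb_conf() {
    cat <<EOF
[global]
    workgroup = ${1}
    realm = ${2}
    security = ADS
    server role = member server
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ${1} : backend = rid
    idmap config ${1} : range = 10000-999999
    winbind use default domain = yes
    template shell = /bin/false

[data]
    path = /srv/samba/data
    read only = no
EOF
}

# Usage: sh sites.sh plan        -> print the samba-tool commands
#        sh sites.sh conf        -> print the member server smb.conf
case "${1:-}" in
    plan) plan_sites ;;
    conf) member_smb_conf HQ HQ.EXAMPLE.COM ;;
esac
```

Run `sh sites.sh plan | sh` on a DC once the output looks right, and `sh sites.sh conf > /etc/samba/smb.conf` on each site's file server before `net ads join -U Administrator`. Note what sites do and do not give you: a client whose address matches SITEB's subnet will prefer SITEB's DC and fall back to any other DC in the same domain when it is down, which is the "primary DC down, still authenticate" behaviour Luke asked for, but sites neither create trusts nor merge separate domains; they only make sense once everything is one domain, as mathias proposed.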