Hi,

We have an older Samba3 NT4 domain, which uses a TDB backend. We have a variety of different versions of Windows clients. We need to migrate to a Samba 4 AD domain. I have successfully tested the classic upgrade on a new server in an isolated network, but I had to work through some issues along the way. My understanding is that if the clients communicate with the new AD DC, they will never be able to go back to the NT4 domain. Is this correct? I am concerned about getting into an all or nothing situation with no return path.

Is there a way to:

1) convert the data on the new server using the classic upgrade

2) mount the Samba file systems via NFS on the new AD DC so that both servers have access to the file systems

3) enable the new server and keep the existing Samba NT4 PDC active simultaneously

4) migrate the client PCs gradually instead of all at once

Any advice is greatly appreciated. Thanks.

--
Regards,
K. R. Foley

On 24/08/2020 03:59, K. R. Foley via samba wrote:
> Hi,
>
> We have an older Samba3 NT4 domain, which uses a TDB backend. We have
> a variety of different versions of Windows clients. We need to migrate
> to a Samba 4 AD domain. I have successfully tested the classic upgrade
> on a new server in an isolated network, but I had to work through some
> issues along the way. My understanding is that if the clients
> communicate with the new AD DC, they will never be able to go back to
> the NT4 domain. Is this correct? I am concerned about getting into an
> all or nothing situation with no return path.
>
> Is there a way to:
>
> 1) convert the data on the new server using the classic upgrade
>
> 2) mount the Samba file systems via NFS on the new AD DC so that both
> servers have access to the file systems
>
> 3) enable the new server and keep the existing Samba NT4 PDC active
> simultaneously
>
> 4) migrate the client PCs gradually instead of all at once
>
> Any advice is greatly appreciated. Thanks.
>

Your problem would be that you would have two domains using the same SID, this would confuse the clients and if your clients contact the AD DC, they will ignore the PDC.

You could try using different IP ranges for each domain, but even then, I think you will have problems unless you can physically separate the networks.

If you cannot migrate the clients all at once, then ensure they can only see one domain, do not allow them to see the AD domain until they are disconnected from the PDC.

Rowland

On 2020-08-24 02:21, Rowland penny via samba wrote:
> On 24/08/2020 03:59, K. R. Foley via samba wrote:
>> Hi,
>>
>> We have an older Samba3 NT4 domain, which uses a TDB backend. We have
>> a variety of different versions of Windows clients. We need to migrate
>> to a Samba 4 AD domain. I have successfully tested the classic upgrade
>> on a new server in an isolated network, but I had to work through some
>> issues along the way. My understanding is that if the clients
>> communicate with the new AD DC, they will never be able to go back to
>> the NT4 domain. Is this correct? I am concerned about getting into an
>> all or nothing situation with no return path.
>>
>> Is there a way to:
>>
>> 1) convert the data on the new server using the classic upgrade
>>
>> 2) mount the Samba file systems via NFS on the new AD DC so that both
>> servers have access to the file systems
>>
>> 3) enable the new server and keep the existing Samba NT4 PDC active
>> simultaneously
>>
>> 4) migrate the client PCs gradually instead of all at once
>>
>> Any advice is greatly appreciated. Thanks.
>>
> Your problem would be that you would have two domains using the same
> SID, this would confuse the clients and if your clients contact the AD
> DC, they will ignore the PDC.
>
> You could try using different IP ranges for each domain, but even
> then, I think you will have problems unless you can physically
> separate the networks.
>
> If you cannot migrate the clients all at once, then ensure they can
> only see one domain, do not allow them to see the AD domain until they
> are disconnected from the PDC.
>
> Rowland

Thanks for your response and clarification. Regarding the statement "they will ignore the PDC" above, is there really no way to undo that?

kr