Hello,
in my LAN I have an AD DC Samba and a file server that is AD DC too
(Version 4.11.6-Ubuntu).
I know this configuration is not recommended and I want to demote the
AD DC file server to a simple domain member.
What is the correct procedure to follow? I have googled a bit but
couldn't find any suitable instructions.

Thank you in advance

--
Andrea Ballarati

On Fri, 2021-08-20 at 12:52 +0200, Andrea Ballarati via samba wrote:
> Hello,
> in my LAN I have an AD DC Samba and a file server that is AD DC too
> (Version 4.11.6-Ubuntu).
> I know this configuration is not recommended and I want to demote the
> AD DC file server to a simple domain member.
> What is the correct procedure to follow? I have googled a bit but
> couldn't find any suitable instructions.

Samba doesn't really have a demote codepath. You essentially start from
scratch again.

Yes, I know we have tools that 'demote', but it won't get you a
well-working domain member server. In particular any idmapping won't be
preserved, as the systems are incompatible.

Sorry!

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions

On Fri, 2021-08-20 at 12:52 +0200, Andrea Ballarati via samba wrote:
> Hello,
> in my LAN I have an AD DC Samba and a file server that is AD DC too
> (Version 4.11.6-Ubuntu).
> I know this configuration is not recommended and I want to demote the
> AD DC file server to a simple domain member.
> What is the correct procedure to follow? I have googled a bit but
> couldn't find any suitable instructions.
>

Your only hope is that you have added rfc2307 attributes to AD,
otherwise demoting the DC (which is easy) and setting it up as a Unix
domain member (which again is easy) will lead to your users & groups
being given new ID numbers. This will lead to all your data being
orphaned. This is one of the reasons why it is not recommended to use a
DC as a fileserver.

I would suggest you retain the second DC (this is another Samba
recommendation) and set up a new Unix domain member and use this as a
fileserver.

Rowland
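
Added example, not part of the thread or of Samba: a small script that inventories the numeric owners on a share and lists those that no longer resolve to a user or group name, which is how the orphaned data described above shows up on disk. The function names and the share path passed on the command line are assumptions made for this example.

```python
import grp
import os
import pwd
import sys
from collections import Counter


def ownership_inventory(root):
    """Count entries under root per numeric (uid, gid) owner."""
    owners = Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked directories; count the links.
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames + links]:
            try:
                st = os.lstat(path)  # lstat: owner of the entry, not a link target
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            owners[(st.st_uid, st.st_gid)] += 1
    return owners


def _resolves(lookup, number):
    try:
        lookup(number)
        return True
    except KeyError:  # pwd/grp raise KeyError when NSS has no entry
        return False


def orphaned_owners(owners, uid_lookup=pwd.getpwuid, gid_lookup=grp.getgrgid):
    """Return (uids, gids) present on disk that no longer map to a name."""
    uids = {uid for uid, _ in owners}
    gids = {gid for _, gid in owners}
    return (sorted(u for u in uids if not _resolves(uid_lookup, u)),
            sorted(g for g in gids if not _resolves(gid_lookup, g)))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    owners = ownership_inventory(root)
    for (uid, gid), count in sorted(owners.items()):
        print(f"{count:8d} entries  uid={uid} gid={gid}")
    bad_uids, bad_gids = orphaned_owners(owners)
    print("uids with no passwd entry:", bad_uids)
    print("gids with no group entry:", bad_gids)
```

Running it on the share before any change gives a record of which ID numbers the data depends on; running it again afterwards shows the IDs that no longer resolve. It only looks at the owning uid and gid of each entry; IDs stored in ACLs are not inspected.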