Thierry DELHAISE
2002-Mar-08 01:36 UTC
[Samba] [OT?] Call to the community about one Windows NT domain migration
Hi all,

An enterprise planned to migrate its fully MS Windows NT domain to a pure SAMBA one. I would like to gain some experience from those who already worked on a similar architecture.

This company is spread over many geographic sites: one primary site hosting a PDC and a BDC (with WINS services), many other sites hosting a BDC (with WINS replicator) and sometimes some "member servers". The main goal of this architecture is being able to continue to work when the WAN is down (authentication, etc.). The company implements only one DOMAIN across all the WAN and LANs.

Workstations are: Win98, Win NT 4, Win 2000 Pro, and some XP Pro. One geographic site is running a Windows NT 4 TSE Server with 30 TERMS. This TSE site is running on one server acting as a BDC of the Domain.

Now the company plans two steps:

- First, they must open 8 new geographic sites in the next months. They want those sites to be installed only with SAMBA; they don't want to pay for new Windows NT Server licences on those sites.
- They want the integration of SAMBA to be as transparent as possible for users and administrators. It doesn't sound like they want "FULL TRANSPARENCY".
- In the near future, they want to replace all existing Windows NT servers with SAMBA.

So, I already know that integrating SAMBA as a BDC in a Windows NT domain is not possible (replication of the SAM database for authentication when the WAN is down). Does someone have some experience with an architecture like this one? What does the community suggest? "Stand By" could be a response!

We are studying some solutions:

- One is replacing the PDC by a SAMBA PDC. The problem is: BDCs on existing geographic sites must for now stay on Windows NT 4.0. We can't plan a FULL migration in one step. So, the problem is, how could NT BDCs access SAM replication with a SAMBA PDC?
- Second, introducing an "MS Password Filter extension" (on the NT PDC and BDCs), developed by us, to feed users and passwords live into an LDAP server. Problem: the password filter doesn't manage "delete" and "add" actions on users. Add is not a problem: if the account doesn't exist in the LDAP we can create one on the fly, but delete can't be performed on the fly.
- Third, migrate only the Windows NT 4.0 PDC to a Windows 2000 PDC in "mixed" mode to provide interconnection with SAMBA by ADSI. (We have no experience with this scheme.) Is it realistic? We always need a PDC/BDC scheme. Does it work?

Thanks in advance for advice and comments.

Thierry DELHAISE
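The first solution discussed in the post (a SAMBA PDC holding the domain accounts, with the remaining sites still on NT 4.0) corresponds to an NT4-style domain controller configuration in smb.conf. The fragment below is an added editorial example, not configuration from the original post or from the Samba project's documentation; it assumes Samba 3.x parameter names, a placeholder domain name EXAMPLEDOM, and an LDAP passdb backend reachable at ldap.example.internal (placeholder hostname and DNs).

```ini
# Added example: minimal smb.conf for a Samba PDC in an NT4-style domain.
# Assumes Samba 3.x parameter names; hostnames, DNs and the domain name
# below are placeholders, not values from the original post.
[global]
    workgroup = EXAMPLEDOM
    netbios name = PDC1
    security = user
    encrypt passwords = yes

    ; Act as the domain controller for NT4-style logons
    domain logons = yes
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 65

    ; Run the WINS server on the PDC; remote sites point
    ; "wins server = <PDC ip>" at it rather than running their own
    wins support = yes

    ; Keep accounts in LDAP so a second Samba controller at another
    ; site can share the same account store (LDAP replication, not
    ; NT SAM replication, which Samba does not provide to NT4 BDCs)
    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=samba,dc=example,dc=internal
    ; Protect the LDAP bind and the password hashes it carries
    ldap ssl = start tls

    ; Create the Unix side of a machine account when a workstation joins
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

    ; Roaming profiles, home drive and logon script for domain users
    logon path = \\%L\profiles\%U
    logon drive = H:
    logon home = \\%L\%U
    logon script = logon.bat

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
```

Two caveats matter for the WAN-down requirement in the post. First, this configuration does not let an NT 4.0 BDC replicate the SAM from a Samba PDC; the only replication available on the Samba side is of the LDAP account store between Samba controllers, so a site that keeps an NT BDC has no local copy of accounts created on the Samba PDC. Second, Samba's nmbd does not replicate its WINS database with NT WINS servers, so remote sites need either a reachable central WINS server or lmhosts entries for the controllers they must find when the link is down.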