Derek Werthmuller
2011-Oct-28 14:34 UTC
[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still
Looking to make some changes to an old but working LAN, that has about 10 Samba servers serving printers and network shares and an NT 4 PDC server with Exchange 5.5 on it. The Samba servers are members of the NT4 domain, XP systems are members of the NT 4 domain also. Samba servers are ldapbacked. We use the LDAP component directly to log in to the Linux servers.

I'd like to be able to support Windows 7 clients as domain members, right now the clients are all XP. The plan I'm considering is building a new domain with the latest version of Samba 3.x stable series for my RHEL6 servers, join my new Windows clients to that domain and create a trust relationship to the NT 4 domain. The existing Samba servers can be joined to the new domain so that only the email server will be in the old domain. The idea behind the trust relationship is so that entering email for my users can be just a click and won't have to log in again. We'd want to keep the LDAP backend capability too.

Keeping the Exchange is really a stop gap till we can move that function to the cloud.

Have others done similar upgrades successfully? Does this sound reasonable?

Is the trust relationship overkill and likely to cause problems? (tell users to cache the Outlook login and be done)

Thanks
Derek

Derek Werthmuller
Director of Technology Innovation and Services
Center for Technology in Government
518.442.3892
www.ctg.albany.edu
Gaiseric Vandal
2011-Oct-28 15:04 UTC
If you are getting rid of the Exchange server it seems a lot of work to do the trusts thing. Having Outlook remember your password isn't a major problem. Except of course then people are pretty likely to have forgotten their e-mail password if they ever use another PC.

I have found Samba trusts to be fairly painful. I had a Samba 3.0.x PDC (LDAP backend) which I tried having a trust with a Windows 2003 domain. In order for trusts to work, the Samba machine uses idmap to create a range of unix uids and gids for the trusted Windows users. With Samba 3.0.x, these idmap entries were created but would stop working after the cache period expired. I don't know why. When I moved to Samba 3.4.x, the expiration issue went away but then idmap entries were not automatically created. We didn't have many people in the Windows 2003 domain so I can manually create idmap entries as needed.

My gut feeling is that any changes you make to support Windows 7 machines will break compatibility with legacy machines (e.g. NT4) or the domain trusts, although installing the latest NT4 SP pack (6a?) may help.

Could you migrate the PDC role from your NT server to a Samba 3.4.x or 3.5.x server? I don't think Exchange 5.5 has to be on the domain controller.

At my work we have a Samba domain for most of the users and computers. We also have a separate untrusted Win 2008 domain just to support our Exchange 2007 server. It would be nice if we could consolidate to a single domain (or at least a single Active Directory tree) but for the moment people have to maintain separate e-mail accounts.

FYI, I had a look at the latest version of Zimbra. It looks like a pretty nice product for a small business, if you decide not to go with the hosting route. I do like Exchange 2007 but it can be a big challenge to set up and maintain, and you really have to have a background with Active Directory and Exchange. Not what I would use for a really small site.

On 10/28/2011 10:34 AM, Derek Werthmuller wrote:
> Looking to make some changes to an old but working LAN, that has about 10
> samba servers serving printers and network shares and a NT 4 PDC server with
> Exchange 5.5 on it. The samba servers are members of the nt4 domain, XP
> systems are members of the nt 4 domain also. Samba servers are ldapbacked.
> We use the ldap component directly to login to the Linux servers.
>
> I'd like to be able to support windows 7 clients as domain members, right
> now the clients are all XP. The plan I'm considering is building a new
> domain with the latest version of samba 3.x stable series for my RHEL6
> servers, join my new windows clients to that domain and create a trust
> relationship to the NT 4 domain. The existing samba servers can be joined
> to the new domain so that only the email server will be in the old domain.
> The idea behind the trust
> relationship is so that entering email for my users can be just a click and
> won't have to login again. We'd want to keep the ldap backend capability
> too.
>
> Keeping the exchange is really a stop gap till we can move that function to
> the cloud.
>
> Have others done similar upgrades successfully? Does this sound reasonable?
>
> Is the trust relationship overkill and likely to cause problems? (tell users
> to cache the outlook login and be done)
>
> Thanks
> Derek
>
> Derek Werthmuller
> Director of Technology Innovation and Services
> Center for Technology in Government
> 518.442.3892
> www.ctg.albany.edu<www.ctg.albany.edu>
Chris Smith
2011-Oct-28 16:06 UTC
On Fri, Oct 28, 2011 at 10:34 AM, Derek Werthmuller <dwerthmu at ctg.albany.edu> wrote:
> Looking to make some changes to an old but working LAN, that has about 10
> samba servers serving printers and network shares and a NT 4 PDC server with
> Exchange 5.5 on it. The samba servers are members of the nt4 domain, XP
> systems are members of the nt 4 domain also.
>
> I'd like to be able to support windows 7 clients as domain members, right
> now the clients are all XP.
>
> Keeping the exchange is really a stop gap till we can move that function to
> the cloud.
>
> Have others done similar upgrades successfully? Does this sound reasonable?

I have a client in a similar situation. NT4 PDC w/Exchange 5.5 and Samba member servers. Main problem is that they're running an old custom Outlook/Exchange workflow app which locks them in until it can be replaced. As you're aware newer than XP cannot join an NT4 domain but can join a Samba domain - and they will eventually need some new desktops.

So my thoughts have been running along the lines of demoting the NT4 PDC and having a Samba server take over those duties. Problems are the NT4 PDC is not a supported task, and even if a registry hack can accomplish it (according to an old post by Minasi it should) but the effect on Exchange after this is apparently unknown. Also a test attempt to vampire the PDC did not work due to capitalization problems (if the vampire script did a lower case conversion this might have been a big start).

All services except for PDC, WINS and Exchange have been moved from the NT4 box. Outside email is handled by Google Apps. DNS, NTP, file and print services, etc. all handled by Linux servers, firewall is OpenBSD/PF. Also to protect from failure of the old hardware the PDC has been virtualized and running under VirtualBox where regular snapshots can be taken.

The virtualization of the NT4 PDC also provides an opportunity to experiment with copies/snapshots so I hope to tackle this a bit more in depth when time permits.

Of course any clues, hints, experience to be shared in this area are very welcome. I will gladly provide anything I find out that may be useful.

Chris