Derek Werthmuller
2011-Oct-28 17:51 UTC
[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still
>> I have a client in a similar situation. NT4 PDC w/Exchange 5.5 and Samba member servers. Main problem is that they're running an old custom Outlook/Exchange workflow app which locks them in until it can be replaced.

Similar situation - though we've been able to replicate it fairly easily in google apps.

>> As you're aware newer than XP cannot join an NT4 domain but can join a Samba domain - and they will eventually need some new desktops. So my thoughts have been running along the lines of demoting the NT4 PDC and having a Samba server take over those duties. Problems are the NT4 PDC is not a supported task, and even if a registry hack can accomplish it (according to an old post by Minasi it should) but the effect on Exchange after this is apparently unknown. Also a test attempt to vampire the PDC did not work due to capitalization problems (if the vampire script did a lower case conversion this might have been a big start).

I did consider this, though the issue is what do I do with the existing NT4 PDC - I can demote this to BDC but from the samba docs samba PDC and Windows BDC is not supported. And I don't think it can demote the PDC to server role.

I'm also trying to be very careful not to make substantial changes to the exchange host - I need that working for a short while longer.

Thanks
Derek

-----Original Message-----
From: Chris Smith [mailto:smb_77 at chrissmith.org]
Sent: Friday, October 28, 2011 12:07 PM
To: Derek Werthmuller
Cc: samba at lists.samba.org
Subject: Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

On Fri, Oct 28, 2011 at 10:34 AM, Derek Werthmuller <dwerthmu at ctg.albany.edu> wrote:
> Looking to make some changes to an old but working LAN, that has about 10 samba servers serving printers and network shares and a NT 4 PDC server with Exchange 5.5 on it. The samba servers are members of the nt4 domain, XP systems are members of the nt 4 domain also.
>
> I'd like to be able to support windows 7 clients as domain members, right now the clients are all XP.
>
> Keeping the exchange is really a stop gap till we can move that function to the cloud.
>
> Have others done similar upgrades successfully? Does this sound reasonable?

All services except for PDC, WINS and Exchange have been moved from the NT4 box. Outside email is handled by Google Apps. DNS, NTP, file and print services, etc. all handled by Linux servers, firewall is OpenBSD/PF. Also to protect from failure of the old hardware the PDC has been virtualized and running under VirtualBox where regular snapshots can be taken.

The virtualization of the NT4 PDC also provides an opportunity to experiment with copies/snapshots so I hope to tackle this a bit more in depth when time permits. Of course any clues, hints, experience to be shared in this area are very welcome. I will gladly provide anything I find out that may be useful.

Chris
Derek Werthmuller
2011-Oct-28 17:56 UTC
[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still
Thanks for the advice - Good to know not to go down the trust relationship path. A separate domain does sound like a good path. Leave the existing nt/exchange setup as just an email platform. Users are likely to need to login again once we move that email/calendar/contacts function to the cloud anyway. Gives a nice clean migration path - here is your new win7 pc and your new login for it.

Though I've also considered not making the new win7 domain members anyway. They are all going laptops and staff are somewhat mobile to highly mobile. When the domain is not available because of poor network link quality or no network at all laptop performance suffers. I know this to be the case with XP, I have no indication that it's any different with Win7.

Thanks
Derek

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Friday, October 28, 2011 11:05 AM
To: samba at lists.samba.org
Subject: Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

If you are getting rid of the exchange server it seems a lot of work to do the trusts thing. Having outlook remember your password isn't a major problem. Except of course then people are pretty likely to have forgotten their e-mail password if they ever use another PC.

I have found Samba trusts to be fairly painful. I had a Samba 3.0.x PDC (LDAP backend) which I tried having a trust with a Windows 2003 domain. In order for trusts to work, the Samba machine uses Idmap to create a range of unix uid's and gid's for the trusted Windows users. With Samba 3.0.x, these idmap entries were created but would stop working after the cache period expired. I don't know why. When I moved to Samba 3.4.x, the expiration issue went away but then idmap entries were not automatically. We didn't have many people in the Windows 2003 domain so I can manually create idmap entries as needed.

My gut feeling is that any changes you make to support Windows 7 machines will break compatibility with legacy machines (e.g. NT4) or the domain trusts- altho installing the latest NT4 SP pack (6a?) may help.

Could you migrate the PDC role from your NT server to a samba 3.4.x or 3.5.x server? I don't think Exchange 5.5 has to be on the domain controller.

At my work we have a Samba domain for most of the users and computers. We also have a separate untrusted Win 2008 domain just to support our Exchange 2007 server. It would be nice if we could consolidate to a single domain (or at least a single Active Directory tree) but for the moment people have to maintain separate e-mail accounts.

FYI- I had a look at the latest version of Zimbra- it looks like a pretty nice product for a small business, if you decide not to go with the hosting route. I do like Exchange 2007 but it can be a big challenge to set up and maintain, and you really have to have a background with Active Directory and Exchange. Not what I would use for a really small site.

On 10/28/2011 10:34 AM, Derek Werthmuller wrote:
> Looking to make some changes to an old but working LAN, that has about 10 samba servers serving printers and network shares and a NT 4 PDC server with Exchange 5.5 on it. The samba servers are members of the nt4 domain, XP systems are members of the nt 4 domain also. Samba servers are ldapbacked. We use the ldap component directly to login to the Linux servers.
>
> I'd like to be able to support windows 7 clients as domain members, right now the clients are all XP. The plan I'm considering is building a new domain with the latest version of samba 3.x stable series for my RHEL6 servers, join my new windows clients to that domain and create a trust relationship to the NT 4 domain. The existing samba servers can be joined to the new domain so that only the email server will be in the old domain. The idea behind the trust relationship is so that entering email for my users can be just a click and won't have to login again. We'd want to keep the ldap backend capability too.
>
> Keeping the exchange is really a stop gap till we can move that function to the cloud.
>
> Have others done similar upgrades successfully? Does this sound reasonable?
>
> Is the trust relationship overkill and likely to cause problems? (tell users to cache the outlook login and be done)
>
> Thanks
> Derek
>
> Derek Werthmuller
> Director of Technology Innovation and Services
> Center for Technology in Government
> 518.442.3892
> www.ctg.albany.edu
Chris Smith
2011-Oct-28 18:00 UTC
[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still
On Fri, Oct 28, 2011 at 1:51 PM, Derek Werthmuller <dwerthmu at ctg.albany.edu> wrote:
> I did consider this, though the issue is what do I do with the existing NT4 PDC - I can demote this to BDC but from the samba docs samba PDC and Windows BDC is not supported. And I don't think it can demote the PDC to server role.

There is no supported NT4 PDC demotion scenario. But via registry hack I think you can demote to server and then become a member server. And Exchange 5.5 can run on member server.

> I'm also trying to be very careful not to make substantial changes to the exchange host - I need that working for a short while longer.

That's one reason for dealing with the VM's. I'll be able to test these changes in a separate virtual environment. Just would be nice to know if anyone has actually done this and, if doable, what the caveats and gotchas were.
Andrew Bartlett
2011-Nov-03 10:34 UTC
[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still
On Fri, 2011-10-28 at 13:51 -0400, Derek Werthmuller wrote:
> >> I have a client in a similar situation. NT4 PDC w/Exchange 5.5 and Samba member servers. Main problem is that they're running an old custom Outlook/Exchange workflow app which locks them in until it can be replaced.
>
> Similar situation - though we've been able to replicate it fairly easily in google apps.
>
> >> As you're aware newer than XP cannot join an NT4 domain but can join a Samba domain - and they will eventually need some new desktops. So my thoughts have been running along the lines of demoting the NT4 PDC and having a Samba server take over those duties. Problems are the NT4 PDC is not a supported task, and even if a registry hack can accomplish it (according to an old post by Minasi it should) but the effect on Exchange after this is apparently unknown. Also a test attempt to vampire the PDC did not work due to capitalization problems (if the vampire script did a lower case conversion this might have been a big start).
>
> I did consider this, though the issue is what do I do with the existing NT4 PDC - I can demote this to BDC but from the samba docs samba PDC and Windows BDC is not supported. And I don't think it can demote the PDC to server role.
>
> I'm also trying to be very careful not to make substantial changes to the exchange host - I need that working for a short while longer.

I would love to suggest a Samba solution, but why not join an additional Windows DC in Windows 2000 'mixed mode', so your desktops can join that? The NT4 server should I think remain a BDC to that domain (after demotion back to a BDC).

(Samba4 can't support NT4 BDCs)

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org