samba - Mar 2014 - Running an NT4 PDC and an ADC side by side

Dear List,

I'm planning to migrate an existing Samba 3.4.7 NT4-domain
(our.site.com) to a Samba 4.1.6 AD-domain (ad.our.site.com) on another
machine. Our site currently has about 30 clients and 50 user accounts.
My plan is to setup the ADC on the other machine and to migrate the
user accounts using the Samba4 classicupgrade tool. I would then newly
setup groups, permissions, etc. on the new ADC. After an extensive
test phase I would then join one client machine after the other to the
new AD-domain.
My main question before I start is: Is it possible to safely run an
NT4 PDC for our.site.com and an ADC for ad.our.site.com in parallel on
the same subnet (both on different machines) or are there problems to
be expected?

Thanks for your kind support and best regards
Andreas

Hello Andreas,

Am 20.03.2014 10:01, schrieb samba.20.andwin at
spamgourmet.com:
> I'm planning to migrate an existing Samba 3.4.7 NT4-domain
> (our.site.com) to a Samba 4.1.6 AD-domain (ad.our.site.com) on another
> machine. Our site currently has about 30 clients and 50 user accounts.
> My plan is to setup the ADC on the other machine and to migrate the
> user accounts using the Samba4 classicupgrade tool. I would then newly
> setup groups, permissions, etc. on the new ADC. After an extensive
> test phase I would then join one client machine after the other to the
> new AD-domain.
> My main question before I start is: Is it possible to safely run an
> NT4 PDC for our.site.com and an ADC for ad.our.site.com in parallel on
> the same subnet (both on different machines) or are there problems to
> be expected?
You can do this. But you can't have a trust between. So when users can't
simply access resources on the other domain. And maybe users won't reach 
servers, if you have different DNS search domains and not all records in 
both DNS zones.

But why you want to have it side by side and not simply migrate? Do you 
have many other tools authenticating against your openLDAP backend or 
storing additional stuff in there other applications use?



Regards,
Marc

On Thu, 2014-03-20 at 10:01 +0100, samba.20.andwin at spamgourmet.com
wrote:
> Dear List,
> 
> I'm planning to migrate an existing Samba 3.4.7 NT4-domain
> (our.site.com) to a Samba 4.1.6 AD-domain (ad.our.site.com) on another
> machine. Our site currently has about 30 clients and 50 user accounts.
> My plan is to setup the ADC on the other machine and to migrate the
> user accounts using the Samba4 classicupgrade tool. I would then newly
> setup groups, permissions, etc. on the new ADC. After an extensive
> test phase I would then join one client machine after the other to the
> new AD-domain.
> My main question before I start is: Is it possible to safely run an
> NT4 PDC for our.site.com and an ADC for ad.our.site.com in parallel on
> the same subnet (both on different machines) or are there problems to
> be expected?
You can't run them on the same subnet, they will fight over the
ownership of the netbios domain name. 

Run them isolated.

We would like to make it easier to bring password changes (only) between
the two domains, but that isn't trivial right now.  (A script looking at
the last change time is what I imagine).  The best suggestion is to
re-run the upgrade once you are happy with your tests, with current
data, and to then do any improvements once the simple transition is
over. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba