Allen Chen
2014-May-23 16:32 UTC
[Samba] Test successful migrate Samba3 to Samba4: keep existing servers and add a new AD DC
Hi everyone,

I did a test migration from Samba3 to Samba4. So far everything works fine. Great work! Thanks to the Samba team. I want to share my experience with you and look for your comments.

My existing servers:

1. Samba 3.4.5 (compiled) server: domain logon + file sharing + printer sharing (300 users + 200 Win7)
2. 5 Samba3 file servers (using the same LDAP backend, so uid and gid are consistent on all servers)
3. OpenLDAP server: for the Samba3 backend and other applications
4. DHCP and DNS servers.
5. No Kerberos and winbind in the whole environment.

*Any comments here?*

My objective is to keep the existing servers with minor changes to implement a Samba4 AD DC. I have to keep my old LDAP server to authenticate other applications, so the challenge is the synchronization between the old LDAP and the new AD DC. I plan to add some extra scripts to my existing LDAP management system.

In the test network: I copied over all existing servers (all VMs), and created a new AD DC server (CentOS 6.2 32bit) in the same subnet, compiling Samba 4.1.17 from the tar file. I only copied schannel_store.tdb and secrets.tdb from the private folder and smb.conf from Samba3 to the AD DC in folder /samba3db, and then did the migration with this command on the AD DC:

/usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/samba3db --use-xattrs=yes --realm=NT4domain.local /samba3db/smb.conf

My first try failed. So I added "sizelimit unlimited" to the LDAP configuration, and I had to remove the "guest" account from the LDAP database.

After the migration is finished:

1. Stop the nmbd service on the Samba3 server.
2. Add a forwarder to DNS to point to the new AD DC for the domain "NT4domain.local".
3. Modify the DHCP service to not publish the WINS server, so Windows clients do not know the Samba3 controller. *Any comments here?*
4. Start the samba service on the new AD DC. My XP and Win7 do not notice the switch over, they just work! The mapped drives to Samba3 are still OK.
5. Join a Windows8R2 to the AD DC, and take a look at the users and groups; looks good.
6. On the AD DC server, wbinfo can show me that uid and gid are migrated.

So far I haven't tested any GPO stuff, because I don't have it in Samba3.

Some notes:

1. The logon process is faster in the AD DC.
2. When joining a machine to the AD DC, I have to use the full domain name "NT4domain.local"; afterwards, I can use the short name "NT4domain" to log on. I think this is normal, because "NT4domain.local" is the DNS domain.
3. Small changes on the logon script: I got lost about the "Home" share, so I treat it as a mapped drive (still on Samba3).
4. smb.conf is much, much simpler on the AD DC; I don't modify anything, because I don't share anything through the AD DC.
5. I have to keep users and groups synchronized by myself between the new AD DC and the old LDAP. Not a big deal; I manage my old LDAP accounts with scripts, so I can do the same on the AD DC with its samba-tool. I cannot have users change their password; this is the only drawback, because I cannot capture the passwords.

Your inputs are welcome.

Allen
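The one-way user sync from the old LDAP to the AD DC that note 5 describes, as an added example (not code from the post or from the Samba project). It assumes an LDIF export of the old directory and the output of `samba-tool user list` as inputs, and that this samba-tool build accepts the RFC2307 options `--uid-number`, `--gid-number` and `--unix-home`; the sample LDIF and user list are constructed.

```python
# Added example (not from the post): emit samba-tool commands that create, on the
# AD DC, users present in the old LDAP but absent from AD. Passwords cannot be
# copied, so new accounts get a random one-time password. RFC2307 options assumed.
import shlex
SAMBA_TOOL = "/usr/local/samba/bin/samba-tool"  # install prefix used in the post

# Constructed sample LDIF export of the old directory (not real data).
SAMPLE_LDIF = """\
dn: uid=achen,ou=People,dc=nt4domain,dc=local
objectClass: posixAccount
uid: achen
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/achen

dn: uid=bsmith,ou=People,dc=nt4domain,dc=local
objectClass: posixAccount
uid: bsmith
uidNumber: 1002
gidNumber: 513
homeDirectory: /home/bsmith
"""
SAMPLE_AD_LIST = "Administrator\nachen\nkrbtgt\n"  # constructed `samba-tool user list` output

def parse_ldif_users(ldif_text):
    """{uid: {uidNumber, gidNumber, homeDirectory}} for posixAccount entries only."""
    users = {}
    for block in ldif_text.strip().split("\n\n"):
        entry = {}
        for key, sep, value in (l.partition(": ") for l in block.splitlines()):
            if sep:
                entry.setdefault(key, []).append(value)
        if "posixAccount" in entry.get("objectClass", []):
            users[entry["uid"][0]] = {k: entry[k][0] for k in
                                      ("uidNumber", "gidNumber", "homeDirectory")}
    return users

def plan_sync(ldap_users, ad_user_names):
    """samba-tool commands for LDAP accounts missing from AD; sAMAccountName is
    case-insensitive, so names are compared lowercased. Existing users are untouched."""
    existing = {n.strip().lower() for n in ad_user_names if n.strip()}
    cmds = []
    for uid, a in sorted(ldap_users.items()):
        if uid.lower() not in existing:
            argv = [SAMBA_TOOL, "user", "create", uid, "--random-password",
                    "--must-change-at-next-login", "--uid-number=" + a["uidNumber"],
                    "--gid-number=" + a["gidNumber"], "--unix-home=" + a["homeDirectory"]]
            cmds.append(" ".join(shlex.quote(x) for x in argv))
    return cmds
```

Running `plan_sync(parse_ldif_users(SAMPLE_LDIF), SAMPLE_AD_LIST.split())` yields one create command for bsmith and nothing for achen, who already exists in AD.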