On Wed, 14 Dec 2016 10:50:22 +0100 "Stefan G. Weichinger via samba"
<samba at lists.samba.org> wrote:

> On 2016-12-12 at 15:37, Stefan G. Weichinger via samba wrote:
>
> > I just moved all the configs etc over to another VM, and started
> > over, looks better now. No clue ... thanks anyway :-)
>
> I am sure that all of you wait thrilled for the next news from my
> migration(s) ;-)
>
> Yesterday we did tests with 2 Win7-Test-VMs and the migrated
> Debian-ADS-PDC. Looks good to me.
>
> We were able to login with old and new users, access shares on the
> pdc, join a new client, and even deploy the first GPOs to the
> clients. RSAT access works so far ... feels good to me.
>
> As you may assume, new questions arose:
>
> * kinit: Do I have to run that after every reboot of the PDC? I don't
> plan to do that all the time but we have to *know* what to do in case.
> In my tests I had the impression that this wasn't kept up by itself.

No you don't, and please stop calling it a PDC, your old domain
controller was a PDC, your new one is just a DC. All AD DCs are equal
except for the FSMO roles and these can be on any DC.

> * we had to change the IP of the Test-PDC after classicupgrade, I then
> noticed some loglines around samba_dnsupdate trying to contact the DNS
> under the old IP. How can I fix that? yesterday I reran classicupgrade
> as we hadn't done any new work yet, but that is no solution for
> production ;-)

There is a wiki page for this:
https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC

> * I have to move over the test-config to another VM then for
> production, this also means changing the IP and maybe the
> linux-hostname. Is that a problem, should that be avoided?

Whilst I have never done this, changing the hostname should be fairly
easy, do the classicupgrade on the machine that has the hostname you
require and then change the 'netbios name' in smb.conf to reflect
the new hostname.

> * What is the recommended way to pull backups of the PDC? Just tar up
> /var/lib/samba ? Run some export script or so?

The best way of doing backups is not to do them ;-)
Add a second DC and replication will do it for you. There is a script
that comes with Samba, but it is a bit basic, you will find a better
one here:

https://github.com/thctlo/samba4/tree/master/backup-script

> * and what is the recommended way of actually swapping PDC from NT4
> to ADS?
>
> turn down all clients, and NT4-PDC, then turn up ADS-PDC, and client
> after client?

If you have done it correctly, your windows clients shouldn't really
notice the difference, but there is a gotcha, it appears that once your
windows clients connect to an AD domain, they will never go back to the
NT4-style domain.

> Thanks a lot, I am looking forward to actually rolling this out in
> January ...

Hope everything goes all right for you.

Rowland
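As an added example (not from the thread, and not Samba's own tooling), a small Python check for the two things Rowland's advice touches after an IP or hostname change: that 'netbios name' in smb.conf matches the Linux hostname, and that the DC's own DNS name resolves to its current address rather than the old one samba_dnsupdate was still trying. The smb.conf fragment, host name and addresses are constructed, and the resolver is injectable so the check can be exercised against a stub.

```python
import socket

# Constructed smb.conf fragment for a classicupgraded DC (example data, not from the thread).
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = ad.example.com
        netbios name = DC1
        server role = active directory domain controller

[sysvol]
        path = /var/lib/samba/sysvol
"""


def parse_global(smb_conf_text):
    """Return the [global] section of an smb.conf as a dict of lowercased keys."""
    params, in_global = {}, False
    for raw in smb_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"  # track which section we are in
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def expected_dc_fqdn(global_params):
    """The DNS name samba_dnsupdate registers for this DC: <netbios name>.<realm>, lowercased."""
    return f"{global_params['netbios name'].lower()}.{global_params['realm'].lower()}"


def check_dc_identity(global_params, hostname, dc_ip, resolve=socket.gethostbyname_ex):
    """List mismatches between smb.conf, the Linux hostname and DNS; resolve() mimics gethostbyname_ex."""
    problems = []
    fqdn = expected_dc_fqdn(global_params)
    if hostname.split(".")[0].lower() != global_params["netbios name"].lower():
        problems.append(f"netbios name {global_params['netbios name']!r} does not match hostname {hostname!r}")
    try:
        addrs = resolve(fqdn)[2]  # third element is the list of addresses
    except OSError as exc:
        return problems + [f"{fqdn} does not resolve: {exc}"]
    if dc_ip not in addrs:
        problems.append(f"{fqdn} resolves to {addrs}, not the DC's current address {dc_ip}")
    return problems
```

Run it on the real DC with `check_dc_identity(parse_global(open("/etc/samba/smb.conf").read()), socket.gethostname(), "<current DC IP>")`; an empty list means smb.conf, hostname and DNS agree.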
On 2016-12-14 at 12:25, Rowland Penny via samba wrote:

>> * kinit: Do I have to run that after every reboot of the PDC? I don't
>> plan to do that all the time but we have to *know* what to do in case.
>> In my tests I had the impression that this wasn't kept up by itself.
>
> No you don't and please stop calling it a PDC, your old domain
> controller was a PDC, your new one is just a DC. All AD DCs are equal
> except for the FSMO roles and these can be on any DC.

OK, understood, sorry ;-)

ad klist: after a boot there is no ticket listed with "klist".
Does that get created after a few minutes or ... ?

>> * we had to change the IP of the Test-PDC after classicupgrade, I then
>> noticed some loglines around samba_dnsupdate trying to contact the DNS
>> under the old IP. How can I fix that? yesterday I reran classicupgrade
>> as we hadn't done any new work yet, but that is no solution for
>> production ;-)
>
> There is a wiki page for this:
> https://wiki.samba.org/index.php/Change_IP_address_of_an_Samba_AD_DC

thanks for the pointer.

>> * I have to move over the test-config to another VM then for
>> production, this also means changing the IP and maybe the
>> linux-hostname. Is that a problem, should that be avoided?
>
> Whilst I have never done this, changing the hostname should be fairly
> easy, do the classicupgrade on the machine that has the hostname you
> require and then change the 'netbios name' in smb.conf to reflect
> the new hostname.

changing the name is nice to have, not explicitly needed here. More a
cosmetic issue. I will try that.

>> * What is the recommended way to pull backups of the PDC? Just tar up
>> /var/lib/samba ? Run some export script or so?
>
> The best way of doing backups is not to do them ;-)
> Add a second DC and replication will do it for you. There is a script
> that comes with Samba, but it is a bit basic, you will find a better
> one here:
>
> https://github.com/thctlo/samba4/tree/master/backup-script

looks good, thanks!

>> * and what is the recommended way of actually swapping PDC from NT4
>> to ADS?
>>
>> turn down all clients, and NT4-PDC, then turn up ADS-PDC, and client
>> after client?
>
> If you have done it correctly, your windows clients shouldn't really
> notice the difference, but there is a gotcha, it appears that once your
> windows clients connect to an AD domain, they will never go back to the
> NT4-style domain.

yes, that is exactly why I am asking! :-)

I will look for ways of checking on the client if it has contacted the
new DC already.

We (the admin there and I) just discussed things and assumed turning
off all PCs would be a more definitive way of "switching over".

I assume there is no ultimate test for the successful migration, just
test stuff like logging in, joining systems, using the whole domain?

>> Thanks a lot, I am looking forward to actually rolling this out in
>> January ...
>
> Hope everything goes all right for you.

yesterday's tests made me more confident already, I will do one site at
first and another after success at the first one (2 separate companies,
not one domain)

Stefan
On Wed, 14 Dec 2016 18:53:04 +0100 "Stefan G. Weichinger via samba"
<samba at lists.samba.org> wrote:

> On 2016-12-14 at 12:25, Rowland Penny via samba wrote:
>
> >> * kinit: Do I have to run that after every reboot of the PDC? I
> >> don't plan to do that all the time but we have to *know* what to
> >> do in case. In my tests I had the impression that this wasn't kept
> >> up by itself.
> >
> > No you don't and please stop calling it a PDC, your old domain
> > controller was a PDC, your new one is just a DC. All AD DCs are
> > equal except for the FSMO roles and these can be on any DC.
>
> OK, understood, sorry ;-)

No problem, I only mentioned it because it can lead to confusion when
asking questions if you call a DC a PDC ;-)

> ad klist: after a boot there is no ticket listed with "klist".
> Does that get created after a few minutes or ... ?

The machine ticket cache is in memory, but users' tickets will be
created in /tmp

Rowland