Fabian Fritz
2017-Dec-16 13:09 UTC
[Samba] Eventually transitioning to Windows Server 2016
Hi,

I am preparing to get our Data Center from a Samba 3.5 NT4 domain to AD. All users, file ownerships, etc. have to remain of course. I am planning to use Samba 4.7.x, but I was wondering if it is possible to eventually transition to Windows Server 2016 as the only DC hosts.

The way I understand it is that this is not possible right now, because Samba doesn't support that schema version (among other things). Thus I couldn't join WS 2016 DCs and take out the Samba DC. So unless Samba is updated, once I have AD with Samba-only DC I can't get to WS 2016 with my domain, right?

The other way would be to go to WS 2016 straight away. I've heard there's this ADMT tool that can get you from a NT4-style domain to a modern AD domain. But assuming I do that and have WS2016 DCs, can Samba 4.7.x at least join as a member to act as a file server?

Also, a kind of unrelated question: Are the passwords from the NT4 domain somehow rehashed to whatever AD uses? I've heard NT4 uses DES and that's considered rather insecure these days, but I can't think of how Samba would be able to change the hash method without knowing the passwords in plain text.

Thanks,
Fabian

Rowland Penny
2017-Dec-16 14:45 UTC
[Samba] Eventually transitioning to Windows Server 2016
On Sat, 16 Dec 2017 14:09:44 +0100 Fabian Fritz via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I am preparing to get our Data Center from a Samba 3.5 NT4 domain to
> AD. All users, file ownerships, etc. have to remain of course. I am
> planning to use Samba 4.7.x, but I was wondering if it is possible to
> eventually transition to Windows Server 2016 as the only DC hosts.
>
> The way I understand it is that this is not possible right now,
> because Samba doesn't support that schema version (among other
> things). Thus I couldn't join WS 2016 DCs and take out the Samba DC.
> So unless Samba is updated, once I have AD with Samba-only DC I can't
> get to WS 2016 with my domain, right?
>
> The other way would be to go to WS 2016 straight away. I've heard
> there's this ADMT tool that can get you from a NT4-style domain to a
> modern AD domain. But assuming I do that and have WS2016 DCs, can
> Samba 4.7.x at least join as a member to act as a file server?
>
> Also, a kind of unrelated question: Are the passwords from the NT4
> domain somehow rehashed to whatever AD uses? I've heard NT4 uses DES
> and that's considered rather insecure these days, but I can't think
> of how Samba would be able to change the hash method without knowing
> the passwords in plain text.
>
> Thanks,
> Fabian

You can use the Samba 'classicupgrade' tool to migrate your NT4-style domain to a Samba AD domain, but, at the moment, you will only get a 2008R2 domain. The work to update 2012 is nearing completion and will possibly be in Samba 4.8.0. The work to upgrade to 2016 hasn't even started yet, but from what I have read, it shouldn't take as much work as the 2012 upgrade has taken.

From my understanding 'ADMT' will only run on a windows server, so I don't think this is going to work. What you should be able to do is upgrade to a Samba AD DC, join a windows 2008 DC, transfer all the FSMO roles to the windows DC, demote the Samba AD DC, then upgrade the windows DC to the domain function level you require and then start paying for cals.

Probably easier to set up a new domain ;-)

Rowland

Andreas Heinlein
2017-Dec-18 07:41 UTC
[Samba] Eventually transitioning to Windows Server 2016
On 16.12.2017 at 15:45, Rowland Penny via samba wrote:

> You can use the Samba 'classicupgrade' tool to migrate your NT4-style
> domain to a Samba AD domain, but, at the moment, you will only get a
> 2008R2 domain. The work to update 2012 is nearing completion and will
> possibly be in Samba 4.8.0. The work to upgrade to 2016 hasn't even
> started yet, but from what I have read, it shouldn't take as much work
> as the 2012 upgrade has taken.
>
> From my understanding 'ADMT' will only run on a windows server, so I
> don't think this is going to work. What you should be able to do is
> upgrade to a Samba AD DC, join a windows 2008 DC, transfer all the FSMO
> roles to the windows DC, demote the Samba AD DC, then upgrade the
> windows DC to the domain function level you require and then start
> paying for cals.
>
> Probably easier to set up a new domain ;-)
>
> Rowland

Just a question for clarification, since I will be going the same way some time next year: Are we just talking about domain function levels (Windows Server 2016 should run as a DC on the 2008R2 level just fine), or is it really not possible to join a Server 2016 to a domain with a samba DC?

The way you describe doesn't really make sense to me - either you would first set up a Windows Server 2008R2 as DC, transfer the FSMO roles and demote the samba DC, but then you can't "upgrade the windows DC to the domain function level you require" since Server 2008R2 obviously won't support any newer function level. You would have to install yet another Server 2016 DC or upgrade the DC to Server 2016 first.

Or do you mean "set up a Server 2016 as a DC using the 2008R2 level, transfer the FSMO roles, demote the samba DC and then upgrade the function level"?

Thanks,
Andreas