samba - Feb 2019 - Convert from NT style Domain to AD on Ubuntu 18.04

I have a small installation which includes 2 servers one is the PDC 
which handles logins and stores profiles.and also handles email and some 
minor Apache stuff.

There is also a member server which handles most of the file sharing.

These servers have been in service since around 2006 running Ubuntu but 
are on their third motherboards, third set of drives and their 6th LTS 
version of Ubuntu.

I know I need to convert to AD but I am afraid of really screwing 
something up plus I've run some disappointing tests on other servers.

I'd appreciate any comments on how best to approach this. I do have a 
test installation which does not currently run Samba but could probably 
be set up to run an NT style Domain to test the conversion. I also have 
a second site which needs to be converted, it has a PDC and two member 
servers.

My current thinking is to clean up the existing servers as much as 
possible then run the Samba utility to do the switch on the PDC and then 
run it on the Member server, hopefully at the end of this I would have 
two AD Domain controllers.

My questions are:

  * Do I actually need to run the utility on the Member Server of simply
    edit smb.conf to change the security and backend settings?
  * How well does the utility work?
  * How long will it take?
  * What should I be on the look out for?
  * What advise would you give me?



-- 

*Robert Steinmetz*

*Principal*

*Steinmetz & Associates*

Am 27.02.19 um 02:33 schrieb Robert Steinmetz via samba:
> 
> My questions are:
> 
>  * Do I actually need to run the utility on the Member Server of simply
>    edit smb.conf to change the security and backend settings?
You only need to run the utility on the PDC.
>  * How well does the utility work?
For us it worked. There were some errors on the first runs which you
then need to correct but the conversion then worked. We did extensive
test runs (in a VM)
>  * How long will it take?
Depends on how much you want to test. We did extensive test runs (in a
VM). But our setup was ~120 users 4 Samba servers and about 5 other
member server (mail, http, etc). Rowland I think recomends to setup a
new AD if the installation is small and it is feasible to create new
profiles for the users and rejoin all the machines.
The script will run in a view minutes. At least for your installation
with ~120 users it did.

>  * What should I be on the look out for?
The script will tell some errors (groups and users with the same name
are not allowed anymore).
You should check your uid ranges.
How are you handling login scripts
Do you want to use GPOs -> what are you using now?
>  * What advise would you give me?
Test, test, test. We tested in a view VMs and then We started the
conversion in a fresh VM 1 or two days before the planed  downtime. We
stopped all password changes at that time. So our AD was up and running
closed of from the rest of the network and at the scheduled downtime we
just had to rejoin the member servers adapt the configs of the mail
server, webapps etc.
Worked very well. But we were careful to test everything before the
actual upgrade.

If you have more specific questions just ask. The list is very helpful.

And read this:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

and the parts about member servers on the wiki.



Regards

Christian

> 
> 
> 
-- 
Dr. Christian Naumer
Research Scientist
Plattform-Koordinator Bioprozesstechnik

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender,
Ludger Roedder
Aufsichtsratsvorsitzender: Dr. Ludger Mueller

On Tue, 26 Feb 2019 20:33:58 -0500
Robert Steinmetz via samba <samba at lists.samba.org> wrote:
> I have a small installation which includes 2 servers one is the PDC 
> which handles logins and stores profiles.and also handles email and
> some minor Apache stuff.
Define small, it might just be easier to start again.

The main problem with classicupgrading a NT4-style domain is the ID
numbers, these are usually the Windows RID's and these start at
500.
Unfortunately Unix now starts normal user & group ID's at 1000, so
there is nowhere for local Unix users & groups. This might not be a
problem on distro's where root is used, but what if something goes
wrong with Samba on a distro like Ubuntu.
> 
> There is also a member server which handles most of the file sharing.
> 
> These servers have been in service since around 2006 running Ubuntu
> but are on their third motherboards, third set of drives and their
> 6th LTS version of Ubuntu.
This sounds a bit like the road sweepers brush, totally original, only
had 4 new shafts and 3 heads ;-)
 
> 
> I know I need to convert to AD but I am afraid of really screwing 
> something up plus I've run some disappointing tests on other servers.
What went wrong ?
> 
> I'd appreciate any comments on how best to approach this. I do have a 
> test installation which does not currently run Samba but could
> probably be set up to run an NT style Domain to test the conversion.
> I also have a second site which needs to be converted, it has a PDC
> and two member servers.
> 
> My current thinking is to clean up the existing servers as much as 
> possible then run the Samba utility to do the switch on the PDC and
> then run it on the Member server, hopefully at the end of this I
> would have two AD Domain controllers.
You only run the classicupgrade once and you can do this on the PDC, or
on a different computer you have copied the required data to.
> 
> My questions are:
> 
>   * Do I actually need to run the utility on the Member Server of
> simply edit smb.conf to change the security and backend settings?
>   * How well does the utility work?
>   * How long will it take?
>   * What should I be on the look out for?
>   * What advise would you give me?
Read these wiki pages:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Ask any further questions.

Rowland