Hi Darin,

On 05/06/2024 at 17:34, Darin via samba wrote:
>>> Hello Havany,
> I am just going to jump into this discussion.

Welcome!

>> We try 2 scenarios:
>> - A "Big bang" migration to a new domain made from scratch: but we need to migrate all users, computers, laptops, filers without losing profiles, file server access... in a short time (1-2 weeks maximum).
>> - A "classicupgrade" migration, but it needs several steps to improve security. And at the same time, we are afraid to import "silently" many misconfigurations from our old NT4 Domain that could have an impact in the future.
>
> I would strongly avoid your "Big Bang" approach. What you're describing is going to most certainly backfire. It sounds like fail forward vs fail backward. When something goes wrong you need to be able to go back to a working configuration. So I suppose the best option is to do a slow migration with the ability to quickly do and undo changes.

- Classicupgrade is destructive for the NT4 Domain, but we can keep the data of the old NT4 Domain and we can roll back to it with our Ansible playbooks. We will lose all changes between migration and rollback and we will face a possibly long downtime.

- With the "Big Bang" approach we are able to keep our old NT4 Domain if we need to roll back to it. But in this case the problem is the access to the filers. I think that we can't have a file server that allows access at the same time to an NT4 Domain and a Samba 4 AD Domain (I will search for information about that). The second problem with this approach is that we need to write a (maybe complex) logon script to be able to keep the user's local profile when a computer is moved to the new Domain.

>> around 400 Windows computers and 1500 active users.
>
> Your deployment is not small or trivial. I would be very careful doing anything as you could create a significant IT trainwreck.
>
> To help you I need some more information. Are you migrating from a Windows Server environment? If so, what version.

All is on FreeBSD iocage and ZFS filesystem.

Actual situation (NT4):
* 1 PDC and 1 BDC
* 7 file server members
* 1 CUPS server member
* LDAP backend

What we want:
* 2-3 Samba 4 AD DCs
* all file servers and the CUPS server as members of the new domain
* crontab synchronization of users and groups from the LDAP with LSC (successfully tested)
* our password manager system changes the user's password at the same time on the LDAP and Samba 4 (tested too)

> I think a 2008_R2 domain level should not be much of an issue. From a security aspect you can do a few things like only using SMB3 and strong encryption.

Given everything that has been said previously, I will wait before moving to FL 2012_R2 at least until Samba 4.20 is released on FreeBSD (currently only 4.19 is available), regardless of the migration method we choose. I will replay the classicupgrade today after adapting my Ansible playbooks accordingly.

> https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC
>
> Darin

Regards,
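As an added illustration (not from any message in this thread), this is what Darin's suggestion of "only using SMB3 and strong encryption" looks like in smb.conf on a Samba file server that has joined the new AD domain. The parameter names are real Samba options; the realm, workgroup, share name and path are placeholders. It assumes Samba 4.19 or later, as mentioned in the thread.

```ini
# Added example, not part of the thread: hardening block for a Samba member
# file server. Realm, workgroup, share name and path are placeholders.
[global]
    security = ADS
    realm = EXAMPLE.LAN            ; placeholder Kerberos realm
    workgroup = EXAMPLE            ; placeholder NetBIOS domain name

    ; Refuse SMB1 and SMB2 dialects, both for incoming clients and when this
    ; server talks to other servers (for example to the DCs).
    server min protocol = SMB3
    client min protocol = SMB3

    ; Require packet signing on every session in both directions.
    server signing = mandatory
    client signing = mandatory

    ; Require SMB3 transport encryption; sessions that cannot encrypt are
    ; rejected instead of silently falling back to cleartext.
    smb encrypt = required

[data]
    path = /srv/samba/data         ; placeholder share path
    read only = no
```

Before rolling this out to 400 clients, validate the syntax with `testparm -s` and confirm on a test client that `smbstatus` reports the session as encrypted. The main operational caveat is that `smb encrypt = required` and `server min protocol = SMB3` will lock out any client or appliance that still speaks only SMB1/SMB2 or cannot negotiate encryption, so inventory those first; it is also a per-server setting, so it has to be applied on each of the 7 file servers and the CUPS member, not just on the DCs.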
On Thu, 6 Jun 2024 13:33:04 +0200
Havany via samba <samba at lists.samba.org> wrote:

> - Classicupgrade is destructive for the NT4 Domain, but we can keep
> the data of the old NT4 Domain and we can roll back to it with our
> Ansible playbooks. We will lose all changes between migration and
> rollback and we will face a possibly long downtime.
>
> - With the "Big Bang" approach we are able to keep our old NT4 Domain if
> we need to roll back to it. But in this case the problem is the access
> to the filers. I think that we can't have a file server that allows
> access at the same time to an NT4 Domain and a Samba 4 AD Domain (I
> will search for information about that). The second problem with this
> approach is that we need to write a (maybe complex) logon script to
> be able to keep the user's local profile when a computer is moved to the
> new Domain.

There is one big problem with either of those scenarios: once your Windows clients see an AD DC, they will never reconnect to your old NT4-style PDC.

It sounds like you are still using the old, deprecated (by Windows) roaming profiles, instead of Folder Redirection.

Rowland
Christian Naumer
2024-Jun-06 13:58 UTC
[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon
On 06.06.24 at 13:33, Havany via samba wrote:
> The second problem with this approach is that we need to write a (maybe
> complex) logon script to be able to keep the user's local profile when a
> computer is moved to the new Domain.

The SID of the old domain will be embedded in the profile. To change this there are some commercial tools out there. And maybe some people have got it to work with scripts of their own. But this is not a simple logon script, as you need to dig deep into the registry of the profile. Just a warning.

We did a classicupgrade and it did work without problems, but we were only ~120 users.

Regards
Christian