On Wed, 19 Jun 2024 19:16:51 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Havany via samba
> In chel di` si favelave...
>
> >> It sounds like you are still using the old, deprecated (by Windows)
> >> roaming profiles, instead of Folder redirection.
>
> ?! Some more clue, Rowland? I use roaming profiles *AND* folder
> redirection, usually... ;-)

It was just a comment, but from my understanding, you should use one or the other, not both.

> > So, I think I will use the "classicupgrade" method. I will wait a
> > few days to make sure everything works well before making the final
> > decision and moving on to the next steps.
>
> I think i'm late.
>
> Con consider that if you have the same user/login and password on
> both domain (NT and AD), you can safely migrate machine (and users)
> from NT to AD and keep user access the old server. You need only some
> attention, eg keep enabled SMB1 in Ad to access the old server and
> have a WINS server active on the network.

From experience, once a client has seen and connected to AD, it will never connect to an NT4-style domain again.

Rowland
Peter Milesson
2024-Jun-20 11:11 UTC
[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon
On 20.06.2024 9:28, Rowland Penny via samba wrote:
> On Wed, 19 Jun 2024 19:16:51 +0200
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
>> Mandi! Havany via samba
>> In chel di` si favelave...
>>
>>>> It sounds like you are still using the old, deprecated (by Windows)
>>>> roaming profiles, instead of Folder redirection.
>> ?! Some more clue, Rowland? I use roaming profiles *AND* folder
>> redirection, usually... ;-)
> It was just a comment, but from my understanding, you should use one or
> the other, not both.
>
>>
>>> So, I think I will use the "classicupgrade" method. I will wait a
>>> few days to make sure everything works well before making the final
>>> decision and moving on to the next steps.
>> I think i'm late.
>>
>> Con consider that if you have the same user/login and password on
>> both domain (NT and AD), you can safely migrate machine (and users)
>> from NT to AD and keep user access the old server. You need only some
>> attention, eg keep enabled SMB1 in Ad to access the old server and
>> have a WINS server active on the network.
> From experience, once a client has seen and connected to AD, it will
> never connect to an NT4-style domain again.
>
> Rowland
>
>

Hi folks,

I beg to differ about folder redirection and roaming user profiles. Both of them can be applied simultaneously, but it is generally considered a BAD thing. It can be a tricky beast to set up, however. You need to start with a clean user account where everything is stored on the local PC. Then you apply folder redirection, and really make sure that it works (which may not be that easy, particularly on huge profiles). The last step is to implement roaming profiles, but ONLY on AppData. Any other use is pointless. It's ugly as sin, and it may work.

I have got a setup where both concepts are applied for historical reasons (started as an NT domain about 20 years ago). It works. In current installations, I do not use roaming profiles, as they have got huge drawbacks.

The way to go is to use folder redirection, or user profile disks (hopeless to restore individual files from backups). In folder redirection, I always redirect AppData (Roaming), Desktop, and Documents. Pictures and Videos depend on the users in question, and what's their main profession. General office users just create lots of bloat in those folders. The rest, including Music and Downloads, is also left out of folder redirection, as they contain user bloat to 99.99%. The folders remaining on the local PC are the responsibility of the user. If they care about some files, they are told to move those files to a redirected folder.

About redirection of AppData (Roaming), there are many different opinions. I prefer to redirect AppData (Roaming) to not lose user settings, if something happens. Reconstructing a user profile with all details can be quite time consuming. If it's not important, just leave that folder out from folder redirection.

Just my 5 cents...

Peter
Mandi! Rowland Penny via samba
In chel di` si favelave...

> It was just a comment, but from my understanding, you should use one or
> the other, not both.

I currently use *BOTH*, in production; currently I use roaming profiles, with a mix of folder redirection and scripts to keep profile data as little as possible.

> From experience, once a client has seen and connected to AD, it will
> never connect to an NT4-style domain again.

Forgot to say. Clearly I'm not speaking about the same domain (eg, same SID) but you can safely build up the NEWDOMAIN alongside the OLDDOMAIN, on the same network.

I've done, roughly, that:

1) built up the new domain, with all the services (fileserver, printserver, ...); configured GPO to mount shares from the old domain (SMB1 enabled on client, indeed).

2) for every (group of) client in OLDDOMAIN, I've simply dejoined OLDDOMAIN and joined NEWDOMAIN; if NEWDOMAIN\someuser has the same password as OLDDOMAIN\someuser, the client can access shares on OLDDOMAIN. Clearly I've done some manual work (profile migration, printers reconfiguration, ...) BUT I've done this 'one client at a time'. Safely.

3) migrated all clients to NEWDOMAIN, one weekend I've rsync-ed data from the OLDDOMAIN fileserver to the NEWDOMAIN fileserver, changed policies to mount the new shares, shut down OLDDOMAIN.

Et voilà.

--