[Samba] [SOLVED] replace Windows 2003 dc

Sérgio Henrique sermac at gmail.com
Mon Feb 25 09:26:30 MST 2013


Solved.

I have successfully migrated a Windows 2008R2 domain to samba4 and then
created a new samba domain as a replica.

I had to introduce a lot of steps.


1- Working on DNS
add samba dc to forest and domain dns _ldap values
change DNS SOA to samba4 and add samba4 as NS

2- Working on fsmo
run script fixfsmo.vbs
samba-tool transfer all roles
run adsiedit and change samba dc fsMORoleOwner to samba dc

working on Global Catalog
remove windows domain as GC
reboot

working on DC removal
force windows dcpromo removal

working on DNS to remove old values
delete old dns windows dc values, kerberos, NS ... etc

working on cleaning old DC values from AD
run adsiedit
bind credentials to samba dc
remove old DC
remove old Default-First-Site-Name DC reference

remove dns and AD roles left on windows DC


Join samba4 replica

and that's it.

The Windows DC replicated to samba4 dc2, and a new samba4 was added as a replica, dc4

root@dc4:~# /opt/samba/bin/samba-tool drs showrepl
Default-First-Site-Name\DC4
DSA Options: 0x00000001
DSA object GUID: c5581b86-4ce8-44bc-a55e-3b89db29f553
DSA invocationId: b76275bb-267b-4b79-a4ae-7deba1a13709

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Feb 25 17:22:48 2013 CET

DC=DomainDnsZones,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Feb 25 17:22:48 2013 CET

CN=Schema,CN=Configuration,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Feb 25 17:22:48 2013 CET

DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ Mon Feb 25 17:22:49 2013 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Feb 25 17:22:49 2013 CET

DC=ForestDnsZones,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
                0 consecutive failure(s).
                Last success @ Mon Feb 25 17:22:48 2013 CET

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=ForestDnsZones,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: d7dde7b1-46eb-4d8f-869b-b84922b6588c
        Enabled        : TRUE
        Server DNS name : DC2.lisboa.local
        Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lisboa,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!











On Mon, Feb 25, 2013 at 1:56 PM, Sérgio Henrique <sermac at gmail.com> wrote:

> Well, I am guessing that the problem may be in the fsMORoleOwner..
> http://support.microsoft.com/kb/949257 ...
>
>
>
> On Mon, Feb 25, 2013 at 11:37 AM, Sérgio Henrique <sermac at gmail.com> wrote:
>
>> Hi Peter,
>>
>> I am using a 2008R2 domain, and I always get the following message:
>> http://tinypic.com/r/a1e8y/6
>>
>> Thank you in advance
>>
>>
>> On Mon, Feb 25, 2013 at 11:14 AM, Peter Beck <peter at datentraeger.li> wrote:
>>
>>> Sérgio Henrique <sermac at gmail.com> wrote on Mon, Feb 25, 2013 at
>>> 10:27:17AM +0000:
>>> > Hi Peter,
>>> >
>>> > I am unable to demote the Windows DC. I always get an error when demoting
>>> > Windows AD on ForestDNSzones and DomainDNSzones. I have tried a lot of things.
>>> >
>>> > Raise forest level, keep at 2003, add samba to nameservers, etc...
>>>
>>> Hi Sérgio,
>>>
>>> do you get this message: http://tinypic.com/view.php?pic=140itd4&s=6 ?
>>> This message is also shown in my test environment each time I run
>>> dcpromo to demote the Windows server. As far as I have seen it's no
>>> issue, if the replication is up to date.
>>>
>>> I had issues if the operation levels were lower than 2003 and Samba was
>>> already joined to the domain. Then the only change that was possible for
>>> me was to raise to Windows 2000 native, but not 2003 anymore.
>>>
>>> What I am doing after joining Samba to the domain:
>>>
>>> * check the operation levels (before joining)
>>> * check all the SRV records (usually added automatically)
>>> * create a reverse zone if not already there
>>> * add ns record for samba to all zones
>>> * drink some coffee to ensure everything gets replicated
>>> * check everything again, drink some more coffee
>>> * again ;-)
>>> * disable GC on the win server, running dcpromo
>>>
>>> but I am still testing the whole migration, no long term experience,
>>> most of the time I reset my virtual machine and try again to ensure it
>>> still works...
>>>
>>> > What I can see is that if I create a new samba4 as primary root domain
>>> > and then add Windows AD, I have no problems.
>>> >
>>> > But my objective is to migrate the current Windows domain to samba4 and
>>> > not the opposite.
>>>
>>> I am sure that is working very well, but the problem is, our customers
>>> usually already have a working Windows environment (I think a lot of us
>>> have exactly this problem) and we need to take over these domains....and
>>> do not want to create everything from scratch ;-)
>>>
>>> Regards
>>> Peter
>>>
>>
>>
>>
>> --
>> Regards,
>>     Sérgio Machado
>>
>
>
>
> --
> Regards,
>     Sérgio Machado
>



-- 
Regards,
    Sérgio Machado
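
A replication health check over `samba-tool drs showrepl` output in the layout shown in this post, as an added example that is not part of the original message or of Samba itself. The sample text is constructed and the function names `parse_showrepl` and `unhealthy` are hypothetical; `NTTIME(0)` is flagged only on inbound entries, because the outbound entries in the listing above show it on a setup the poster reports as working.

```python
import re

SECTION = re.compile(r"^==== (.+?) ====$")
FAILS = re.compile(r"^\s*(\d+) consecutive failure\(s\)\.")
LAST_OK = re.compile(r"^\s*Last success @ (.+)$")
# Constructed sample in the showrepl layout; the CN=Configuration entry is invented.
SAMPLE = r"""
==== INBOUND NEIGHBORS ====
DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                0 consecutive failure(s).
                Last success @ Mon Feb 25 17:22:49 2013 CET
CN=Configuration,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                3 consecutive failure(s).
                Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
                0 consecutive failure(s).
                Last success @ NTTIME(0)
"""

def parse_showrepl(text):
    """Return one dict per (section, naming context, partner) neighbour entry."""
    entries, section, nc, cur = [], None, None, None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            section, nc, cur = m.group(1), None, None
        elif not line.strip() or section is None or "NEIGHBORS" not in section:
            continue                      # preamble, blank lines, KCC section
        elif not line[0].isspace():       # unindented line: naming context DN
            nc = line.strip()
        elif " via " in line:             # e.g. Default-First-Site-Name\DC2 via RPC
            cur = {"section": section, "nc": nc, "failures": None,
                   "last_success": None, "source": line.split(" via ")[0].strip()}
            entries.append(cur)
        elif cur and (m := FAILS.match(line)):
            cur["failures"] = int(m.group(1))
        elif cur and (m := LAST_OK.match(line)):
            cur["last_success"] = m.group(1).strip()
    return entries

def unhealthy(entries):
    """Flag entries with failures, and inbound partitions that never replicated."""
    return [(e["section"], e["nc"], e["source"]) for e in entries
            if e["failures"] != 0 or (e["section"].startswith("INBOUND")
                                      and e["last_success"] == "NTTIME(0)")]
```

An entry whose failure count could not be parsed is also reported, so a change in output layout shows up as a finding rather than a silent pass.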

