[Samba] Samba migration to AD

Fabio Fantoni fabio.fantoni at m2r.biz
Wed Nov 8 14:51:55 UTC 2023


On 28/08/2023 13:38, Fabio Fantoni wrote:
> Hi, I did some tests in recent years to migrate domains with Samba AD
> domain controllers to Windows AD domain controllers.
>
> Nearly all the tests before were adding Windows 2008R2, but all failed. I
> tried to follow some different howtos (most are nearly the same) but
> Windows always fails to complete the first synchronization, and even if
> I enabled and synced SYSVOL manually the issue on Windows persists. Also,
> when trying to force removal of the Samba DC and add other Windows DCs,
> I've never been able to get a consistent one (of the Windows DCs).
>
> A small note: beforehand you need to create two msDS-SDReferenceDomain
> attributes in "cn=configuration" (not all howtos mention them). In this
> one, for example, there is also a script to do it easily (it is also
> possible to do it manually with "ADSI Edit" from the Windows tools, as
> I did):
>
> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_add_windows_active_directory.html 
>
>
> Now that the next Samba version (4.19) adds more functionality around the
> domain feature level, I also tried to increase it in order to add
> Windows 2012R2 and Windows 2019 servers directly, but I have had 2 errors
> so far, one reported and fixed and one reported just now (however this is
> quite normal with a new version still in "rc" and a newly added feature;
> FL 2016 is also partial). I think the issues on the Samba side can be
> solved, it's just a matter of time; the ones that are unfortunately more
> difficult are the Windows ones.
>
> Has anyone had success migrating from Samba to Windows and knows how to
> troubleshoot the Windows DC issues? I have not been able to find a
> solution from online research and I have tried in many ways; now I
> just have to try with a higher domain feature level on more recent
> Windows servers.
>
> Thanks for any reply and sorry for my bad English.
>
Hi, some updates:

With Samba 4.19 I successfully increased the FL to 2012R2 and afterwards
added a Windows 2019 Standard domain controller.

Basically it works. DFS-R gives an error but it seems that's normal (as it
is not implemented in Samba), and I added automatic SYSVOL synchronization
from the Samba DC every 10 min.

DNS has errors, events 4013 and 4014. I tried to solve them but I didn't
succeed; anyway the DNS server seems to work, and it also synchronizes
record changes from the Samba DC (after a certain amount of time).

In practice it is better than the previous attempts with Windows 2008R2 and
2012R2, but I can't get a fully functional Windows DC without errors.

Yesterday I tried to migrate the roles from the Samba DC to the new Windows
2019 DC (beforehand I did a backup of the DCs), demoted Samba and added
another Windows 2019 domain controller.

Unfortunately even the second one continues to give DNS errors and also
gives other Active Directory and additional operation errors, and I
was unable to resolve them despite several searches and tests, so I
restored the backup.

I removed the DNS records of the Samba DC manually after the demote
(since it hadn't removed them), and it hadn't added the DNS records of
the second Windows DC either after the addition (added with ipconfig
/registerdns).

I also tried to reset/fix DFSR (after the Samba DC demote) but failed.

I tried to look for scripts and tools that check the DNS servers and
their records in depth, but I found only common and superficial checks,
checks that read events, and scripts that fail because they are based on
language output (and my Windows servers are not in English). Regarding
existing records, I was able to achieve more with manual checking and
editing.

Is it normal that the demote doesn't remove the DNS entries of the removed
Samba DC and that this has to be done manually?

Should the DNS event errors not exist, or be resolvable, in a normal
situation? (This is for people who have added Windows domain controllers
to a Samba-only AD successfully and have it fully working.)

Out of curiosity, is there any news on DFS-R? I last saw this updated 3
years ago: https://github.com/scabrero/samba/tree/dfs-r

