[Samba] Re: How to migrate a complex NT4 network

McKeever Chris tech-mail at prupref.com
Thu Nov 27 23:19:36 GMT 2003

On Thu, 27 Nov 2003 20:59 , Raphaël Berghmans <rberghmans at arafox.com> sent:

>On Thu, 2003-11-27 at 20:49, John H Terpstra wrote:
>> On Thu, 27 Nov 2003, Raphaël Berghmans wrote:
>> > On Thu, 2003-11-27 at 19:55, John H Terpstra wrote:
>> > > On Thu, 27 Nov 2003, Raphaël Berghmans wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > >
>> > > > We have on a central site an NT4 PDC and an NT4 BDC, and on 6 secondary
>> > > > sites we have a BDC on each site (the authentication for the
>> > > > workstations on those remote sites occurs on the local BDC and not on
>> > > > the PDC).
>> > > >
>> > > > What would be the best way to migrate this environment to a
>> > > > SAMBA-3.0.0/LDAP environment? We cannot intervene on each of the 1600
>> > > > workstations, so the migration has to be as transparent as
>> > > > possible for the users.
>> > >
>> > > Your configuration is typical of many. The samba-3 migration facility (net
>> > > rpc vampire) should work fine. You should be able to run it against the
>> > > local BDC - though I have not tested that.
>> >
>> > Indeed the SAM migration is very simple with vampire. But Samba cannot
>> > do realtime synchronization with an NT4 PDC, so how do we manage the
>> > modifications? Doing a vampire each time a modification has been made on
>> > the PDC is a little bit tricky (with 1600 users, 500 groups and 1700
>> > machines).
>> We have documented the fact that Samba-3 can not be a BDC to an NT4 PDC.
>> Sorry. If you want to use Samba as a BDC then your PDC must be Samba also.
>I know it's well documented but if I migrate my NT4 PDC to a samba PDC,
>I still have some NT4 BDC's and then there is always a synchronization
>problem :)
>Then the only ways to do that are:
>First way: Manage a new samba domain and migrate manually each
>Second way: Migrate the NT4 PDC to Samba and stop all NT4 BDC's (all
>the authentication and profile management will be done on the PDC). And
>migrate the BDCs one by one. (Physically it's not possible to migrate
>the PDC and all the BDC's at the same time.)

I just did something like this (to 2.2.8a/LDAP). I needed to have both networks set up simultaneously and swap servers one by one as time/resources permitted.

The trick was, don't make the samba PDC a domain master until A) you need to; B) you are done with NT

Some of what I will discuss may not be pertinent to 3.0, but I am sure you can get the idea.

I made the Samba PDC, and imported all the users over. I did not grab the NT PDC SID (looking back in retrospect I wish I did, but I was young and naive). One by one I rolled out the REMOTE SAMBA machines. Those were all set to local master = yes. When I needed to connect a Windows XP machine to the new Samba domain, I changed the Samba PDC to domain master = yes, and then shut down the NT PDC. I added the machine to the network, changed the Samba PDC back to domain master = no and turned the NT PDC back on. Now this is where I wish I had migrated the NT PDC SID. Then I think I could have just made the LDAP machine accounts, and been done with it.

So bottom line, I had both existing at the same time. Granted, I needed to add users to both places, but things could be worse. Creating scripts for managing them simultaneously wasn't too bad, and made the conversion that much easier. My user level is about 1/4 of yours, so I don't know how that will correlate.

Feel free to ask any questions....

Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com

---- Prudential Preferred Properties   www.prupref.com  
