Migrating S4 DC

titantoppler at gmail.com titantoppler at gmail.com
Sat Dec 31 00:04:47 MST 2011

Hi all,

Thanks for the insights so far.

As far as I understand things:
1) I can use the built-in replication - but what about GPOs? Will they
propagate to the backup DC as well?
2) Files (profiles and shared files) will have to be done manually, as will
the permissions. A hassle, but nothing unmanageable.
3) S3 isn't ideal for an AD set up since the configuration of the file
permissions will have to be done from smb.conf - I'd prefer to do it all
from the Windows management tools (I know, I know...)

Andrew: If I understand you correctly, if I want to retain the correct file
permissions without having to reapply them (because of the migration from
posix:eadb to built-in file attributes) I should do the following:
a) Set up the appropriate shares in the new file server
b) Copy the files from share to share using Windows - this will preserve
the file permissions (esp. for user profiles), thus saving me from having
to reconfigure the permissions again.
c) Re-map the users' home and profile shares on the AD side of things.

Is there anything else that I should be considering but am not?

Cheers, and happy holidays!

On Fri, Dec 30, 2011 at 4:34 PM, Andrew Bartlett <abartlet at samba.org> wrote:

>  On Thu, 2011-12-29 at 20:34 -0800, Matthieu Patou wrote:
> > On 28/12/2011 20:41, titantoppler at gmail.com wrote:
> > > Hi list,
> > >
> > > Have been running S4 (alpha 14, if memory serves) since last Aug 2010.
> > > Everything has been good so far, but I've been looking at virtualizing the
> > > set up for portability's sake. This is especially so because all my eggs
> > > are in one basket - this particular machine is running as a file server, a
> > > domain controller, a DNS server and a VPN server. I want to separate their
> > > roles into different virtual machines.
> > >
> > > So what I want to do is to re-install S4 on my DC, after first putting
> > > XenServer on it.
> > >
> > > Problems:
> > > 1) It's the only DC right now, so I need to set up another DC before I can
> > > safely bring the existing S4 installation down. How good/reliable is the
> > > replication feature in S4?
> > Quite good, I mean a couple of production sites use a multi DC setup
> > without too much bad news.
> > > 2) My users are using roaming profiles, stored on the DC. Will this be
> > > replicated, or do I have to manually do it?
> > Not replicated, you have to do it on your own; pay attention to the fact
> > that the UID/GID of the users are not necessarily the same across all
> > the DCs, as S4 for the moment allocates UIDs when needed.
> > > 3) My users have mapped drives that they use to access their files from;
> > > these are also put on the S4 DC. Is there any way that I can transparently
> > > shift it over to another server?
> > Not in Samba 4 for the moment; one way to do it is to use DFS with
> > domain DFS (i.e. \\my.domain.tld\users_home), but for the moment Samba 4
> > only supports DFS referral for sysvol and netlogon shares.
> > > 4) Extra difficulty - due to a design decision early on, I used ReiserFS,
> > > which did not support extended attributes properly. I ended up having to
> > > use the "posix:eadb" option in my smb.conf to store the permissions.
> > > Assuming I now have an ext4 data partition, how can I "restore" the
> > > permissions?
> > It's not a definite guide; the way I would search is to use
> > samba-tool ntacl get <file> --as-sddl on all your files/dirs shared by
> > the current DC, then change your smb.conf to remove the posix:eadb
> > option and use samba-tool ntacl set sddl_of_the_file <file>
> > > 5) After splitting the roles, does the file server VM need to run S4, or
> > > will S3 do? How should I go about the configuration (esp. the permissions
> > > portion)?
> > Well, depending on your needs you might want to keep the fileserver stuff in
> > the S4 DC; if not, then S3 will work as a domain member. For the UID/GID
> > you'll have to handle it manually.
> For all of these tasks, it may work best to use a windows file copy tool
> preserving permissions to move the files.  That way, moving s4 -> s3, or
> s4 -> s4 will keep permissions, ownerships etc correct without major
> fuss.
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
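
The SDDL save-and-restore route suggested in the quoted reply (answer to question 4), sketched as a script. This is an added example, not part of the thread or of Samba: `SAMBA_TOOL`, `dump_acls`, `restore_acls` and the manifest layout are hypothetical, and it assumes `samba-tool ntacl get <file> --as-sddl` prints only the SDDL string on stdout.

```shell
#!/bin/sh
# Added example (not from the thread): carry NT ACLs across the posix:eadb removal.
# Hypothetical names: SAMBA_TOOL, dump_acls, restore_acls, the manifest layout.
# Assumes "samba-tool ntacl get <file> --as-sddl" prints only the SDDL string.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
TAB=$(printf '\t')

# Step 1, while smb.conf still has posix:eadb: record "SDDL<TAB>path" per entry.
dump_acls() {
    local root="$1" manifest="$2" list path sddl failed=0
    umask 077                      # the manifest describes who can access what
    list=$(mktemp) || return 2
    find "$root" > "$list"
    : > "$manifest"
    while IFS= read -r path; do
        # A name containing a newline shows up as fragments that do not exist.
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            echo "skipped (unparseable name): $path" >&2; failed=$((failed + 1)); continue
        fi
        if sddl=$("$SAMBA_TOOL" ntacl get "$path" --as-sddl 2>/dev/null) && [ -n "$sddl" ]; then
            printf '%s\t%s\n' "$sddl" "$path" >> "$manifest"
        else
            echo "no ACL read: $path" >&2; failed=$((failed + 1))
        fi
    done < "$list"
    rm -f "$list"
    return $((failed > 0))         # non-zero if any entry was not captured
}

# Step 2, after removing posix:eadb from smb.conf: re-apply each ACL, then read back.
restore_acls() {
    local manifest="$1" line sddl path now failed=0
    while IFS= read -r line; do
        sddl=${line%%"$TAB"*}      # SDDL contains no tab, so the first tab splits
        path=${line#*"$TAB"}       # the path keeps any later tabs
        if ! "$SAMBA_TOOL" ntacl set "$sddl" "$path" 2>/dev/null; then
            echo "set failed: $path" >&2; failed=$((failed + 1)); continue
        fi
        now=$("$SAMBA_TOOL" ntacl get "$path" --as-sddl 2>/dev/null)
        if [ "$now" != "$sddl" ]; then
            echo "readback differs, review by hand: $path" >&2; failed=$((failed + 1))
        fi
    done < "$manifest"
    return $((failed > 0))         # non-zero if any ACL was not restored verbatim
}
```

Run `dump_acls /path/to/share acls.tsv` before editing smb.conf and `restore_acls acls.tsv` afterwards; a non-zero return means at least one entry needs attention, with the path printed on stderr.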
