Migrating S4 DC

Gémes Géza geza at kzsdabas.hu
Sat Dec 31 05:17:18 MST 2011


Some sidenotes/answers inline:
> Hi all,
> Thanks for the insights so far.
> As far as I understand things:
> 1) I can use the built-in replication - but what about GPOs? Will they
> propagate to the backup DC as well?
GPOs have an in-directory part and a file part (in the SYSVOL share). The
in-directory part is replicated via DRS replication. The file part is not
(until FRS gets implemented).
> 2) Files (profiles and shared files) will have to be done manually, as will
> the permissions. A hassle, but nothing unmanageable
> 3) S3 isn't ideal for an AD set up since the configuration of the file
> permissions will have to be done from smb.conf - I'd prefer to do it all
> from the Windows management tools (I know, I know...)
The file permissions are perfectly manageable via the explorer
properties sheets.
The share permissions also can be managed from mmc with a little work.
> Andrew: If I understand you correctly, if I want to retain the correct file
> permissions without having to reapply them (because of the migration from
> posix:eadb to built-in file attributes) I should do the following:
> a) Set up the appropriate shares in the new file server
> b) Copy the files from share to share using Windows - this will preserve
> the file permissions (esp. for user profiles), thus saving me from having
> to reconfigure the permissions again.
> c) Re-map the users' home and profile shares on the AD side of things.
> Is there anything else that I should be considering but am not?
> Cheers, and happy holidays!
> On Fri, Dec 30, 2011 at 4:34 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>>  On Thu, 2011-12-29 at 20:34 -0800, Matthieu Patou wrote:
>>> On 28/12/2011 20:41, titantoppler at gmail.com wrote:
>>>> Hi list,
>>>> Have been running S4 (alpha 14, if memory serves) since last Aug 2010.
>>>> Everything has been good so far, but I've been looking at virtualizing the
>>>> set up for portability's sake. This is especially so because all my eggs
>>>> are in one basket - this particular machine is running as a file server, a
>>>> domain controller, a DNS server and a VPN server. I want to separate their
>>>> roles into different virtual machines.
>>>> So what I want to do is to re-install S4 on my DC, after first putting
>>>> XenServer on it.
>>>> Problems:
>>>> 1) It's the only DC right now, so I need to set up another DC before I can
>>>> safely bring the existing S4 installation down. How good/reliable is the
>>>> replication feature in S4?
>>> Quite good, I mean a couple of production sites use a multi DC setup
>>> without too much bad news.
>>>> 2) My users are using roaming profiles, stored on the DC. Will this be
>>>> replicated, or do I have to manually do it?
>>> Not replicated, you have to do it on your own. Pay attention to the fact
>>> that the UID/GID of the users are not necessarily the same across all
>>> the DCs, as S4 for the moment allocates UIDs when needed.
>>>> 3) My users have mapped drives that they use to access their files from;
>>>> these are also put on the S4 DC. Is there any way that I can transparently
>>>> shift it over to another server?
>>> Not in Samba 4 for the moment. One way to do it is to use DFS with
>>> domain DFS (i.e. \\my.domain.tld\users_home), but for the moment Samba 4
>>> only supports DFS referral for sysvol and netlogon shares.
>>>> 4) Extra difficulty - due to a design decision early on, I used ReiserFS,
>>>> which did not support extended attributes properly. I ended up having to
>>>> use the "posix:eadb" option in my smb.conf to store the permissions.
>>>> Assuming I now have an ext4 data partition, how can I "restore" the
>>>> permissions?
>>> It's not a definite guide; the way I would search is to use
>>> samba-tool ntacl get <file> --as-sddl on all your files/dirs shared by
>>> the current DC, then change your smb.conf to remove the posix:eadb
>>> option and use samba-tool ntacl set sddl_of_the_file <file>
>>>> 5) After splitting the roles, does the file server VM need to run S4, or
>>>> will S3 do? How should I go about the configuration (esp. the permissions
>>>> portion)?
>>> Well, depending on your needs you might want to keep the fileserver stuff in
>>> the S4 DC; if not, then S3 will work as a domain member. For the UID/GID
>>> you'll have to handle it manually.
>> For all of these tasks, it may work best to use a windows file copy tool
>> preserving permissions to move the files.  That way, moving s4 -> s3, or
>> s4 -> s4 will keep permissions, ownerships etc correct without major
>> fuss.
>> Andrew Bartlett
>> --
>> Andrew Bartlett                                http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
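
The dump-then-restore procedure Matthieu Patou outlines for question 4 (read each ACL as SDDL while posix:eadb is still active, then re-apply it after the option is removed), as an added example that is not part of the thread. It assumes `samba-tool ntacl get --as-sddl` prints a single SDDL line on stdout; the `SAMBA_TOOL` override, the function names and the manifest layout are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: "samba-tool ntacl get --as-sddl"
# prints one SDDL line on stdout. SAMBA_TOOL is a hypothetical override for testing.
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}
TAB=$(printf '\t')
NL='
'

# dump_acls ROOT MANIFEST: run while posix:eadb is still set in smb.conf.
# Writes "SDDL<TAB>PATH" per file and directory; MANIFEST must live outside ROOT.
dump_acls() {
    root=$1; manifest=$2; rc=0
    # A path with an embedded newline cannot be stored in a line-based manifest.
    if [ -n "$(find "$root" -name "*${NL}*" -print)" ]; then
        echo "refusing: path with embedded newline under $root" >&2
        return 2
    fi
    find "$root" -print > "$manifest.paths" || return 2
    : > "$manifest"
    while IFS= read -r path; do
        sddl=$($SAMBA_TOOL ntacl get --as-sddl "$path" </dev/null) || sddl=
        case $sddl in
            ''|*"$NL"*) echo "no usable ACL for: $path" >&2; rc=1 ;;
            *) printf '%s\t%s\n' "$sddl" "$path" >> "$manifest" ;;
        esac
    done < "$manifest.paths"
    rm -f "$manifest.paths"
    return $rc
}

# restore_acls MANIFEST: run after posix:eadb has been removed from smb.conf.
# Returns non-zero if any path is missing or any ACL could not be set.
restore_acls() {
    manifest=$1; rc=0
    while IFS= read -r line; do
        sddl=${line%%"$TAB"*}; path=${line#*"$TAB"}
        if [ ! -e "$path" ]; then
            echo "missing, skipped: $path" >&2; rc=1; continue
        fi
        $SAMBA_TOOL ntacl set "$sddl" "$path" </dev/null ||
            { echo "set failed: $path" >&2; rc=1; }
    done < "$manifest"
    return $rc
}
```

A non-zero return from either function means at least one path has no recorded or restored ACL, so check stderr before pointing users at the share.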

