Moving from beta/test environment to production

Andrew Bartlett abartlet at
Tue Dec 18 01:31:25 MST 2012

On Tue, 2012-12-18 at 09:18 +0100, Dieter Modig wrote:
> Hi! 
> Now that samba4 is officially here we've tried a clean install and the installation is very nice! Smooth and helpful all the way. Good job!
> The next step for us (considering our broken GPOs) would be to somehow move over to a new nice production environment with a moderate amount of work and we wanted your opinion on how to get there. There seem to be two ways to reach the finish line on this;
> 1. Set up a newly installed fresh machine as member server and move master functionality to that one and then kill off the beta/test-machine or 
> 2. Export/backup the database (users and computers only) and then treat everything like disaster recovery on to a new installation with the same domain name and then rebuild the GPOs (they can be fairly easily exported/imported) 
> What would you guys recommend at this stage and is it at all possible without messing everything up more? Secret option number 3 would be to do a complete overhaul and rebuild the entire domain from scratch but that just doesn't sound like much fun :)
> We actually have _not_ tried to upgrade our rc4 to the official version but since none of the upgrades have fixed the GPO problem so far we're not holding our breath on that one. 

GPOs should be fixed in the final release, we got that working in rc5
(from memory).  Some of the issues/failures were actually pretty simple
but devastating in how they broke GPOs. 

Upgrading (keep a backup) your rc4 to the official version, and setting
'acl:search=false' is probably the most practical option at this point. 

(This option is required because a domain prior to the 4.0.0 release
has some incorrect ACLs, and if we honour those for reads, some things
break.  A tool to fix those will be available soon, but in the meantime
we just allow all users to read all non-confidential attributes). 

I don't suggest trying to set up a second server, and transfer roles,
because that process has shown itself to be less reliable than just
upgrading in place.  It certainly should work, but I think in-place will
just be better for you.

You should probably have a good backup, and perhaps a second server
anyway.  See the source4/scripting/bin/samba_backup script. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
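
Added example, not part of the original message and not Samba's own code: a small audit that finds where 'acl:search' has been turned off in an smb.conf, so the workaround described above can be tracked and reverted once the directory ACLs are repaired. The sample configuration is constructed, and the accepted "false" spellings and the lenient name matching are assumptions.

```python
import re

# Spellings treated as boolean false (assumption: the usual smb.conf forms).
FALSE_VALUES = {"false", "no", "off", "0"}

# Constructed sample smb.conf for this demonstration; not from the original post.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    ; temporary workaround after the rc4 upgrade
    ACL : Search = False

[share]
    path = /srv/share
    read only = no
"""

def find_acl_search_disabled(conf_text):
    """Return (line_number, section, line) for each line that disables acl:search."""
    hits = []
    section = None
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a "name = value" line
        # Normalise leniently so case and spacing variants are still caught.
        key = re.sub(r"\s+", "", name).lower()
        if key == "acl:search" and value.strip().lower() in FALSE_VALUES:
            hits.append((lineno, section, line))
    return hits

if __name__ == "__main__":
    for lineno, section, line in find_acl_search_disabled(SAMPLE_CONF):
        print(f"line {lineno} [{section}]: {line}")
        print("  all users can read all non-confidential attributes;"
              " remove this once the ACLs are fixed")
```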