[Samba] NT4 Migration Question

John H Terpstra jht at samba.org
Fri Mar 5 21:52:54 GMT 2004


On Fri, 5 Mar 2004, L. Mark Stone wrote:

> Hi John!
>
> On Fri, 2004-03-05 at 13:14, John H Terpstra wrote:
> > On Fri, 5 Mar 2004, L. Mark Stone wrote:
> >
> > > A client has an existing NT4 domain with several NT4 servers. Two of the
> > > NT4 Servers function as a PDC and a BDC.
> > >
> > > We are installing Samba-3 on SuSE 9.0 Pro as a PDC with an LDAP backend,
> > > and decommissioning the NT4 PDC at the same time. So far, so good. We
> > > can also rebuild the old PDC hardware as a Samba-3 on SuSE 9.0 Pro BDC.
> > >
> > > Unfortunately however, the NT4 BDC cannot be removed from the network
> > > for another six months, as it hosts a vertical application key to the
> > > business and used every day by some 100 users at the client.  In
> > > addition, the configuration of this BDC is quite complex; reinstalling
> > > the OS and the vertical application would be a challenge and, given the
> > > various customizations to the vertical application, not likely to
> > > succeed.
> > >
> > > Two questions then:
> > >
> > > 1. What are the implications of leaving this existing NT4 BDC in place
> > > with a new Linux-Samba-3 PDC (and possibly a new Linux-Samba BDC)?
> >
> > The NT BDC will soon fall out of date with your Samba PDC (assuming you
> > migrated the NT4 PDC to Samba-3).
> >
> > Samba-3 does not support the NT4 domain SAM replication protocols. You
> > will soon have a broken network - unless you can demote the NT4 BDC to a
> > Stand-Alone server (which will stop it from performing domain control
> > functions such as network logon handling and SAM replication).
>
> Yup, we know that SAM replication isn't there between NT4 and Samba.
>
> The other option we've uncovered is to dcpromo the NT4 server to a PDC,
> migrate the accounts to the Samba server (which will also think it's the
> PDC), and then shut off LMAnnounce on the NT4 server via a registry
> entry. (we would decommission the other NT4 DC.)  We may also try
> disabling the NT4's Server service as well.
>
> The critical application relies on Exchange 5.5, which also runs on this
> NT4 server.  We have been told that Exchange may fail if it wakes up
> after a reboot and finds it is no longer living on a DC. So, turning off
> LMAnnounce (we believe) will result in the NT4 box thinking it is still
> a PDC, but no clients on the network will ever talk to it, so it will
> just be a lonely PDC. And if Exchange needs PDC services, those will
> still be available locally. The domain user accounts used by Exchange
> are not person-specific, so they will never change and we need not worry
> about maintaining perfect correlation between Samba and this NT4 box. We
> just need to make sure the NT4 box can't ever perform DC services on the
> domain.

Exchange 5.5 can be made to work with a Samba PDC. You will need to search
the Samba mailing list archives to find clear instructions someone once
posted on how to effect this.

Do not mess with the NT4 registry or the Server service - this will
potentially cripple your BDC server. Fortunately, a BDC will not change
the SAM database, rather an NT4 BDC creates on the BDC a SAM delta file.
The BDC depends on the PDC SAM replication service to synchronize that
delta file to the PDC where it can be applied to the PDC SAM. The PDC SAM
replication service then pushes that change back to the BDCs. This means
that if Samba-3 is your PDC and you use an NT4 BDC you can lose machine
security account password changes. This can result in a breakdown in network
security.

The Samba-Team official line on NT4 PDC / Samba-3 BDC, or Samba-3 PDC and
NT4 BDC, is that this can not work.

You could isolate your BDC from the rest of the network, then promote it
to a PDC. That will make Exchange happy and should keep your application
happy, but it also disconnects the NT4 system from communication with the
rest of the network.

If the NT4 server must have network connectivity (interoperability) it
should be demoted from being a BDC to a Stand-Alone server, then rejoin it
to the Samba-3 domain. When you have done this, you will need to make
registry changes so that Exchange can find the Samba-3 DCs.

The main concern is not the domain control protocols - but rather what
services the application you have referred to needs.

> > > 2. Has anyone used UPromote, which claims to be able to demote an NT4
> > > BDC to a member server without reinstalling the OS? (See
> > > http://utools.com/UPromote.asp for more info.)
> >
> > That's a neat tool. It looks like it will permit you to demote the BDC to
> > a Stand-Alone server, but be careful! You may find that the vertical
> > application requires support for certain protocols that may not be
> > supported by a Samba domain controller.
>
> The app's domain needs are limited to moving files around between this
> box and three others via mapped drives. The box should still be able to
> browse the network, so I think we are probably OK. The trick bits for
> the app are the ways it moves and processes files through Exchange.

Are you sure that the application does not use any RPC calls to the
domain?

>
> >
> > You could test this by using Norton Ghost to clone the BDC, then demote
> > the BDC using the UPromote tool, then test the application in a Samba
> > domain. At least this will provide a conclusive answer.
>
> I too like to have rollback options!  If we did the dcpromo trick above,
> and it didn't work, we could always put the other NT4 DC (now the BDC)
> back online, run dcpromo again to make the problem NT4 box a BDC, and
> try your Ghost/UPromote trick (also reversible).
>
> What do you think of the "isolated PDC" strategy above?

See comments above.

- John T.

>
> Thanks!
> Mark
>
>

-- 
John H Terpstra
Email: jht at samba.org