[Samba] Adding a Windows Server down the road

Jonathan Johnson jon at sutinen.com
Tue Apr 19 18:46:02 GMT 2005


One more thing I forgot to mention when using ADMT: it helps if your
client workstations' DNS server is set to be the one that's
authoritative for the new domain. Things might work OK through
WINS/NetBIOS name resolution, but I've had to do the DNS thing, too.

--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

On Tue, 19 Apr 2005, Andrew Debnar wrote:

> John,
> 	Thanks, I also tested and this worked great. Now I get to do Linux.
> 
> Thanks,
> Andrew
> -----Original Message-----
> From: Jonathan Johnson [mailto:jon at sutinen.com] 
> Sent: Thursday, April 14, 2005 3:19 AM
> To: jht at samba.org
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Adding a Windows Server down the road
> 
> John H Terpstra wrote:
> 
> >On Wednesday 13 April 2005 11:46, Josh Kelley wrote:
> >
> >>Andrew Bartlett wrote:
> >>
> >>>What's wrong with running the windows server as a domain member?  There
> >>>is no way to import users (well, their passwords are the tricky part)
> >>>from Samba into AD that I know of.
> >>
> >>Microsoft provides the Active Directory Migration Tool (ADMT).  As one
> >>of its features, it's supposed to let you import users from an NT 4
> >>domain.  Since a Samba server runs an NT 4 domain, any chance that ADMT
> >>would work?
> >>
> >>I'm guessing no, for the same reason that a Samba PDC can't take an NT 4
> >>BDC, but I thought that I'd mention it as a possibility and see if
> >>anyone knew if it would work.
> >
> >Why don't you do a test installation of ADS and try it. Please let me know
> >what happens. I'd appreciate your help in documenting this process to spare
> >others from having to ask.
> >
> >- John T.
> >
> Been there, done that, and can say YES, it works. I had to do this when 
> a customer wanted to move to Exchange (don't ask me WHY! :-) ) and thus 
> required migration to a Windows 2003 Active Directory domain. There are 
> a few gotchas to be aware of:
> 
> 1. Administrator password must be THE SAME on the Samba server, the 2003 
> ADS, and the local Administrator account on the workstations. This is 
> not documented. (Perhaps this goes without saying, but there needs to be 
> an account called "Administrator" in your Samba domain, with full 
> administrative (root) rights to that domain.)
> 
> 2. In the Advanced/DNS section of the TCP/IP settings on your Windows 
> workstations, make sure "DNS suffix for this connection" field is blank. 
> This is not documented.
> 
> 3. Because you are migrating from Samba, user passwords cannot be 
> migrated. You'll have to reset everyone's passwords. (If you were 
> migrating from NT4 to ADS, you could migrate passwords as well.)
> 
> 4. I don't know how well this works with roaming profiles; I've only 
> used this with local profiles.
> 
> 5. Disable the Windows Firewall on all workstations. Otherwise, 
> workstations won't be migrated to the new domain. This is not documented.
> 
> 6. When migrating machines, always test first (using ADMT's test mode) 
> and satisfy all errors before committing the migration. Note that the 
> test will always fail, because the machine will not have been actually 
> migrated. You'll need to interpret the errors to know whether the 
> failure was due to a problem, or simply due to the fact that it was just 
> a test.
> 
> There are some significant benefits of using the ADMT, besides just 
> migrating user accounts.
> 
> 1. You can also migrate workstations remotely. You can specify that SIDs 
> be simply added instead of replaced, giving you the option of joining a 
> workstation back to the old domain if something goes awry. The 
> workstations will be joined to the new domain.
> 
> 2. Not only are user accounts migrated from the old domain to the new 
> domain, but ACLs on the workstations are migrated as well. Like SIDs, 
> ACLs can be added instead of replaced.
> 
> 3. Locally stored user profiles on workstations are migrated as well, 
> presenting almost no disruption to the user. Saved passwords will be 
> lost, just as when you administratively reset the password in Windows ADS.
> 
> 4. The ADMT lets you test all operations before actually performing the 
> migration. You can migrate accounts and workstations individually or in 
> batches. User accounts can be safely migrated all at once (since no 
> changes are made on the original domain); I recommend migrating only one 
> or two workstations as a test before committing them all.
> 
> I'm fairly impressed with the Active Directory Migration Tool. It sure 
> made my job easier, both times I used it (once migrating from NT4 to ADS 
> 2003; second time from Samba 3 to ADS 2003). The three gotchas that I 
> labeled "not documented" are things that tripped me up, but (thankfully) 
> I was able to resolve.
> 
> ADMT can be found on the Windows 2003 CD.
> 
> ~Jonathan Johnson
> Sutinen Consulting, Inc.
> www.sutinen.com
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 
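Editor's note: the workstation-side gotchas in the thread above (DNS server pointing at the new domain, blank connection-specific DNS suffix, Windows Firewall off, a local "Administrator" account present) can be checked before each ADMT test run. The script below is an added example written for this page, not code from the thread or from ADMT. It assumes a made-up new domain name "ad.example.com" and DC/DNS address 192.0.2.10, and it uses the DnsClient, NetSecurity and LocalAccounts cmdlets that exist on Windows 8/Server 2012 and later; the XP/2003-era clients the thread describes would need netsh and ipconfig instead. The Administrator password itself cannot be compared from the workstation, so only the account's existence is checked.

```powershell
# Added pre-flight check for ADMT workstation migration (example code,
# not part of the original thread). Domain name and DNS address below
# are assumptions; replace them with your own.
param(
    [string]$NewDomain    = 'ad.example.com',   # assumed new AD domain
    [string]$NewDomainDns = '192.0.2.10'        # assumed DC / DNS server
)

$problems = @()

# Gotcha: every active IPv4 interface should use the new domain's DNS server.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($iface in $dnsServers) {
    if ($iface.ServerAddresses -notcontains $NewDomainDns) {
        $problems += "Interface '$($iface.InterfaceAlias)' uses DNS " +
                     "$($iface.ServerAddresses -join ', '), not $NewDomainDns"
    }
}

# Confirm that server really answers for the new domain by asking it for
# the DC locator SRV record; a server that is not authoritative (or not a
# DC's DNS) will fail here.
try {
    $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$NewDomain" `
                            -Type SRV -Server $NewDomainDns -ErrorAction Stop
} catch {
    $problems += "$NewDomainDns does not resolve _ldap._tcp.dc._msdcs.$NewDomain"
}

# Gotcha 2: 'DNS suffix for this connection' must be blank.
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } | ForEach-Object {
    $problems += "Interface '$($_.InterfaceAlias)' has connection-specific " +
                 "DNS suffix '$($_.ConnectionSpecificSuffix)'"
}

# Gotcha 5: Windows Firewall must be off during the migration.
Get-NetFirewallProfile | Where-Object { $_.Enabled } | ForEach-Object {
    $problems += "Firewall profile '$($_.Name)' is enabled"
}

# Gotcha 1: a local 'Administrator' account must exist and be enabled.
# (Whether its password matches the Samba and AD Administrator passwords
# cannot be verified from here.)
$admin = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
if (-not $admin) {
    $problems += "No local 'Administrator' account"
} elseif (-not $admin.Enabled) {
    $problems += "Local 'Administrator' account is disabled"
}

if ($problems.Count -eq 0) {
    Write-Host 'OK: workstation looks ready for an ADMT test migration'
    exit 0
} else {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```

Run it in an elevated PowerShell on each workstation before using ADMT's test mode, so that the test's error list only contains the expected "not actually migrated" failures rather than configuration problems. Since the firewall is switched off only to let ADMT reach the workstation, turn it back on (`Set-NetFirewallProfile -All -Enabled True`) once the machine has been migrated and verified.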