[Samba] Adding a Windows Server down the road
jon at sutinen.com
Tue Apr 19 18:46:02 GMT 2005
One more thing I forgot to mention when using ADMT: it helps if your
client workstations' DNS server is set to be the one that's
authoritative for the new domain. Things might work OK thru
WINS/NetBIOS name resolution, but I've had to do the DNS thing, too.
Sutinen Consulting, Inc.
On Tue, 19 Apr 2005, Andrew Debnar wrote:
> Thanks I also tested and this worked great. Now I get to do Linux.
> -----Original Message-----
> From: Jonathan Johnson [mailto:jon at sutinen.com]
> Sent: Thursday, April 14, 2005 3:19 AM
> To: jht at samba.org
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Adding a Windows Server down the road
> John H Terpstra wrote:
> >On Wednesday 13 April 2005 11:46, Josh Kelley wrote:
> >>Andrew Bartlett wrote:
> >>>What's wrong with running the windows server as a domain member. There
> >>>is no way to import users (well, their passwords are the tricky part)
> >>>from Samba into AD that I know of.
> >>Microsoft provides the Active Directory Migration Tool (ADMT). As one
> >>of its features, it's supposed to let you import users from a NT 4
> >>domain. Since a Samba server runs an NT 4 domain, any chance that ADMT
> >>would work?
> >>I'm guessing no, for the same reason that a Samba PDC can't take an NT 4
> >>BDC, but I thought that I'd mention it as a possibility and see if
> >>anyone knew if it would work.
> >Why don't you do a test installation of ADS and try it. Please let me know
> >what happens. I'd appreciate your help in documenting this process to spare
> >others from having to ask.
> >- John T.
> Been there, done that, and can say YES, it works. I had to do this when
> a customer wanted to move to Exchange (don't ask me WHY! :-) ) and thus
> required migration to a Windows 2003 Active Directory domain. There are
> a few gotchas to be aware of:
> 1. Administrator password must be THE SAME on the Samba server, the 2003
> ADS, and the local Administrator account on the workstations. This is
> not documented. (Perhaps this goes without saying, but there needs to be
> an account called "Administrator" in your Samba domain, with full
> administrative (root) rights to that domain.)
> 2. In the Advanced/DNS section of the TCP/IP settings on your Windows
> workstations, make sure "DNS suffix for this connection" field is blank.
> This is not documented.
> 3. Because you are migrating from Samba, user passwords cannot be
> migrated. You'll have to reset everyone's passwords. (If you were
> migrating from NT4 to ADS, you could migrate passwords as well.)
> 4. I don't know how well this works with roaming profiles; I've only
> used this with local profiles.
> 5. Disable the Windows Firewall on all workstations. Otherwise,
> workstations won't be migrated to the new domain. This is not documented.
> 6. When migrating machines, always test first (using ADMT's test mode)
> and satisfy all errors before committing the migration. Note that the
> test will always fail, because the machine will not have been actually
> migrated. You'll need to interpret the errors to know whether the
> failure was due to a problem, or simply due to the fact that it was just
> a test.
> There are some significant benefits of using the ADMT, besides just
> migrating user accounts.
> 1. You can also migrate workstations remotely. You can specify that SIDs
> be simply added instead of replaced, giving you the option of joining a
> workstation back to the old domain if something goes awry. The
> workstations will be joined to the new domain.
> 2. Not only are user accounts migrated from the old domain to the new
> domain, but ACLs on the workstations are migrated as well. Like SIDs,
> ACLs can be added instead of replaced.
> 3. Locally stored user profiles on workstations are migrated as well,
> presenting almost no disruption to the user. Saved passwords will be
> lost, just as when you administratively reset the password in Windows ADS.
> 4. The ADMT lets you test all operations before actually performing the
> migration. You can migrate accounts and workstations individually or in
> batches. User accounts can be safely migrated all at once (since no
> changes are made on the original domain); I recommend migrating only one
> or two workstations as a test before committing them all.
> I'm fairly impressed with the Active Directory Migration Tool. It sure
> made my job easier, both times I used it (once migrating from NT4 to ADS
> 2003; second time from Samba 3 to ADS 2003). The three gotchas that I
> labeled "not documented" are things that tripped me up, but (thankfully)
> I was able to resolve.
> ADMT can be found on the Windows 2003 CD.
> ~Jonathan Johnson
> Sutinen Consulting, Inc.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
More information about the samba