[Samba] Moving PDC

Donny Brooks dbrooks at mdah.state.ms.us
Tue Jun 7 15:44:46 MDT 2011

On 6/7/2011 4:35 PM, Gaiseric Vandal wrote:
> If everything is an LDAP backend that makes it simpler. Installing 
> the new machine as BDC then promoting it should be easy enough. In 
> my environment, each DC was also a LDAP server (in a multi-master 
> replication topology.) You may want to make sure that when you switch a 
> machine from PDC to BDC (or vice versa) that you enable/disable ldap 
> read-only in smb.conf.
>
> How do you handle idmapping? In my environment, we use LDAP for the 
> underlying unix accounts as well so this keeps unix uids and gids 
> for the accounts consistent.
>
> A windows client generally doesn't care if it uses a PDC or BDC - it 
> will give preference to a BDC. But if it already is authenticated 
> to a particular DC I don't think it changing mode will matter. I 
> don't know if you have to restart samba to change from PDC to BDC (or 
> vice versa) - that might cause problems for people who were logged in 
> with open files on that server.
>
> Do you have trusts set up with other domains? I switched which 
> machine was the PDC and also found I had to make the new PDC the WINS 
> server as well.
>
> FC14 has samba 3.5.x. I am sure there are some config changes 
> between 3.4 and 3.5 that may be gotchas. Although so far for me 
> going from 3.4 to 3.5.x doesn't seem to have broken anything (at least 
> anything else - some things that didn't work properly under 3.4 still 
> don't work for me.)
> On 06/07/2011 02:57 PM, Donny Brooks wrote:
>> Hi all,
>> We currently have a Fedora 11 machine (about to be upgraded to 
>> Fedora 15 though) running Samba 3.4.7 as our PDC and multiple BDC 
>> "home servers" running various versions of samba and OS. What I am 
>> needing is a fail-proof way to migrate the PDC function off the 
>> current machine and onto another new fresh install. Currently our PDC 
>> is also the home server for one of our groups of employees. I want to 
>> migrate this off onto a separate BDC if possible, leaving the PDC 
>> functions to be the only thing that machine does. The last time I 
>> attempted this it did not work correctly, but that is only because I 
>> thought I could simply copy the config file over and start up samba. 
>> That was incorrect.
>>
>> What I need is a "foolproof" way to just make it work with minimal 
>> downtime for any of our users. We use OpenLDAP for domain 
>> authentication if that makes any difference. Before, I have read that 
>> you demote and promote certain DCs to whatever function but not sure 
>> if that is the best way to do this. We have approximately 9 BDC "home 
>> servers" that are a mix of on our campus and some remote (all on our 
>> network though). I need the best way to not disrupt any of them if 
>> possible.
>> Thanks in advance.
Thanks for the reply. Our layout currently is as follows:

1 PDC w/ LDAP (primary) also the "home" server for some users
1 BDC w/ LDAP (backup) no users on this machine
8 BDC w/o LDAP (all point to the primary) and all "home" servers

The idmapping is all done in ldap. Pretty much all user, machine, and 
group accounts are in ldap. We only have the one domain so no other 
trust relationships are set up. Hopefully when I do this I will be able 
to get everyone to log off their workstations before going home and do 
this after hours to reduce the risk of open files.

So basically just make sure the configs jive between versions and I 
should be able to migrate via the promote/demote method correct? Just 
making sure as I do NOT want to make this an all weekend ordeal.
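As an added illustration (not from anyone in this thread), here are the [global] lines that actually differ between a Samba 3.x PDC and a BDC when both use one OpenLDAP backend, written as two separate smb.conf files; domain name, hostnames, addresses and DNs are placeholders:

```ini
# Added example, not from this thread. The LDAP lines are the same on every
# DC and are copied unchanged; only the role/browsing lines flip on promotion.
# smb.conf does not allow trailing comments, so all comments sit on own lines.

# ---------- File 1: smb.conf on the PDC (the one machine with domain master = yes)
[global]
   workgroup = EXAMPLEDOM
   netbios name = NEWPDC
   security = user
   domain logons = yes
   # The promote/demote switch. Exactly one DC in the domain may say yes.
   domain master = yes
   preferred master = yes
   os level = 65
   # The reply above found the PDC also had to take over WINS.
   wins support = yes
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start tls

# ---------- File 2: smb.conf on a BDC "home server"
[global]
   workgroup = EXAMPLEDOM
   netbios name = HOMESRV1
   security = user
   domain logons = yes
   domain master = no
   preferred master = no
   os level = 33
   # BDCs point at the PDC for WINS instead of serving it themselves.
   wins support = no
   wins server = 192.0.2.10
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap ssl = start tls
```

Before swapping roles, run `testparm -s` against the new machine's file to catch parameters renamed or dropped between 3.4 and 3.5, and store the LDAP admin password on the new DC with `smbpasswd -w`. Then confirm `net getdomainsid` reports the same domain SID on the old and new DC, because a different SID invalidates every existing machine trust account.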
