[Samba] How to migrate Active Directory from one Samba4 server to another

Julian Timm X-Dimension at gmx.net
Mon Sep 3 07:39:25 MDT 2012


-------- Original Message --------
> Date: Thu, 16 Aug 2012 13:29:42 +0200
> From: X-Dimension at gmx.net
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to migrate Active Directory from one Samba4 server to another

> > -------- Original Message --------
> > > Date: Mon, 13 Aug 2012 17:47:35 +1000
> > > From: Andrew Bartlett <abartlet at samba.org>
> > > To: X-Dimension at gmx.net
> > > CC: samba at lists.samba.org
> > > Subject: Re: [Samba] How to migrate Active Directory from one Samba4 server to another
> > 
> > > On Sat, 2012-08-11 at 22:03 +0200, X-Dimension at gmx.net wrote:
> > > > Hello!
> > > > 
> > > > We are using a Samba4.0.0alpha19 (Resara 1.1.2) based domain controller
> > > > in a small production environment, and because the Resara development has
> > > > ended we want to switch to a plain Samba4 beta based Ubuntu 12.04/Zentyal
> > > > Server.
> > > > I have installed and configured the new server with the same domain-name
> > > > and the same hostname as the old server.
> > > > How can I export the Active Directory from the old server and import it
> > > > to the new Samba4 server?
> > > 
> > > Something like this (untested):
> > > 
> > > Use a different hostname, then run 'samba-tool domain join' to join it
> > > to the first domain.  Then you can use the
> > > source4/scripting/bin/renamedc script to rename it back to the name of
> > > the first DC, after running 'samba-tool domain demote' on it. 
> > > 
> > > You may need to seize FSMO roles from one DC to the other with
> > > 'samba-tool domain fsmo'.
> > > 
> > > > Do I need to rejoin the clients to the domain after this?
> > > 
> > > No.
> > > 
> > > Additional complications may include DNS configuration.  You may need to
> > > use --dns-backend=none on the join command. 
> > > 
> > > This is just a series of hints to get you started.  Hopefully you can
> > > work it out from here. 
> > > 
> > > Andrew Bartlett
> > > 
> > > -- 
> > > Andrew Bartlett                               http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team           http://samba.org
> > > 
> > > 
> > Thank you Andrew, this was very helpful!
> > Joining the new Samba4 Server to the old one replicates the Active
> > Directory without a problem! After shutting down the old server, renaming
> > the new server and restoring smb.conf and krb5.conf, I can access the new
> > server with RSAT now. :-)
> > 
> > What does not work is the dns-backend! :-(
> > After the AD replication the DNS snap-in from RSAT does not work anymore.
> > The join option "--dns-backend=none" is not available here
> > (Samba4.0.0beta2 Zentyal package).
> > Is there another way to get DNS working after the replication from the
> > old server?
> > 
> > I also have another question: What does the "renamedc" script do?
> > When I start it, it always tells me that there are open transactions and
> > so it can't run.
> > Because of this I simply change the hostname in /etc/hostname and
> > /etc/hosts and run hostname -F /etc/hostname. After a restart all looks
> > good so far. (but I haven't tested it very much)
> > 
> > THX
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> I've tried Samba4.0.0beta6 now as well, and when I join this server with the
> --dns-backend=NONE option to the old samba4alpha PDC I have no working DNS
> service on the new Samba server. Bind9 won't start because it can't find
> sam.ldb. This file is created on provisioning the Samba server the first time,
> but while our old Resara Server uses plain Bind without the
> Samba-LDAP-backend, sam.ldb is not created when joining the new server to the
> existing domain.
> Is there a way to set up the DNS part after the replication, so that it uses
> the internal LDAP of Samba4? I don't need to get the DNS entries of the old
> server to the new server, but I need a working DNS-Samba/LDAP backend to
> create zones and entries with RSAT.
> 
> Thx for help!
> 

I'm now a big step ahead and I got the BIND_DLZ backend working.

Here is what I've done:

1. Join the new Samba4.0.0beta8 server "PDC2" to the old Samba4.0.0alpha server "PDC" with:

samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan --dns-backend=none

2. Copy the file based Bind9 configuration from /etc/bind of "PDC" to "PDC2"

3. Disconnect "PDC" from the network

4. Run samba_upgradedns on "PDC2" to get BIND_DLZ to work

5. Configure Bind9 to use Samba4/BIND_DLZ

What works:
A. I can browse with Microsoft RSAT through the Active Directory and can edit or create users and so on
B. I can create and modify DNS-entries from the DNS-Tool of MS RSAT

C. I can join a computer to "PDC2" when logging on with "administrator at mydomain"

What does not work:
A. I can't join a computer to "PDC2" when using only "administrator" instead of "administrator at mydomain"
B. After joining a computer successfully to the domain, user logins don't work! I always get a "Wrong username or password" message :(

What goes wrong here?

Some other things:
1. The "fsmo" option as described by Andrew is not known when I'm using "samba-tool domain fsmo" here.

2. When running the "renamedc" script to rename the new server "PDC2" back to "PDC" I get an error because the new name "PDC" already exists in the Active Directory. So the script won't rename it.

Thanks for any ideas that help to get the Samba4 to Samba4 migration to work! :)

