[Samba] Decommissioning old PDC

Andrew Bartlett abartlet at samba.org
Wed Jun 26 16:30:07 MDT 2013

On Tue, 2013-06-25 at 18:36 -0700, Loren M. Lang wrote:
> I'm trying to decommission our PDC which is running on some older
> hardware and migrate its functionality to one of our two currently
> operating BDCs for the domain. The three servers have nearly identical
> configurations with only differences in file and printer shares and a
> couple attributes like "wins support" and "domain master". They all have
> identical netlogon shares with identical content as well. One of the two
> BDCs is currently operating as the WINS server, not the PDC. I've
> already moved the primary LDAP server to the BDC with the WINS server
> and the current PDC is using that as its master LDAP server with its
> own, internal LDAP server as a backup.
> My understanding is that, next, I have to demote the PDC to a BDC by
> setting its "domain master" and "preferred master" attributes to No and
> then restart it. After it's running as a BDC, I can then promote the BDC
> with WINS server and master LDAP server to a PDC by setting "domain
> master" and "preferred master" to Yes and restart it. I should then make
> sure that the DOMAIN#1b and DOMAIN#1d are pointing to the new server to
> verify it's operating correctly. Should this correctly migrate the PDC?

Yes.  When Samba is a classic domain controller (ie as implemented in
Samba 3.x) these smb.conf options are all that controls PDC and BDC
semantics.  Because we leave it to the LDAP backend to handle the DB, we
have almost no code differences for 'PDC' or 'BDC', except for handling
those #1b and #1c names.

> Eventually, I would like to demote the former PDC to a mere domain
> member serving files that it still has on it. To do this, I need to set
> "domain logons" to No and remove the ldapsam from "passdb backend". I
> also remember setting the SID for each DC using "net rpc getsid". Do I
> need to undo that or reset the machine's SID to a randomly generated one
> now that it's no longer a DC? Anything else I need to do?

This will be trickier.  I think the best would be to rejoin as a member
server, and then continue to use nss_ldap, but also idmap_nss.  That
should keep the file ownerships consistent.  Or keep it configured as a
BDC but don't run nmbd (locate it by DNS names).

I've not tested this, so be careful, but the key idea is to keep the SID
-> UID/GID and of course username -> SID mappings so everything still
works right.


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
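The checks behind the migration discussed in this thread, as an added example that is not code from the post or from the Samba project. It classifies an smb.conf [global] section as PDC, BDC or member from the options the reply names (domain logons, domain master), and it parses saved `nmblookup WORKGROUP#1b` / `#1c` output to confirm the domain-master-browser name has moved to the promoted BDC. The smb.conf fragments and the nmblookup output are constructed for illustration; the workgroup EXAMPLE, the 192.168.10.x addresses, the LDAP URL and the member-server idmap layout (nss_ldap plus idmap_nss, following the suggestion in the reply) are all assumptions.

```shell
#!/bin/sh
# Added example; not from the mailing-list post or from Samba.
# All addresses, names and config fragments below are constructed/assumed.
#
# samba_role CONF      -> PDC | BDC | MEMBER, from 'domain logons' and
#                         'domain master' in the [global] section
# names_for SUFFIX     -> addresses holding NAME<SUFFIX> in nmblookup output
# pdc_moved_to IP B C  -> 0 if IP alone holds #1b and is listed under #1c

NEW_PDC=192.168.10.12    # assumed: the BDC being promoted (WINS + LDAP master)
OLD_PDC=192.168.10.10    # assumed: the PDC being retired

# --- constructed smb.conf [global] fragments, one per migration stage -------
CONF_OLD_PDC='[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.test
   domain logons = yes
   domain master = yes
   preferred master = yes'

CONF_OLD_PDC_DEMOTED='[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.test
   domain logons = yes
   domain master = no
   preferred master = no'

CONF_NEW_PDC='[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.test
   wins support = yes
   domain logons = yes
   domain master = yes
   preferred master = yes'

# Final state of the old box as a plain member (layout assumed): no logons,
# no ldapsam; users/groups come from nss_ldap and idmap_nss maps domain SIDs
# onto those same UIDs/GIDs, so existing file ownership keeps resolving.
CONF_MEMBER='[global]
   workgroup = EXAMPLE
   security = domain
   domain logons = no
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   idmap config EXAMPLE : backend = nss
   idmap config EXAMPLE : range = 1000-99999'

# Print the lowercased value of PARAM from the [global] section on stdin,
# or nothing if unset.  Last occurrence wins, as in Samba itself.
smb_param() {
    awk -v want="$1" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/   { inglobal = (tolower($0) ~ /\[global\]/); next }
        inglobal && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == want) found = tolower(val)
        }
        END { if (found != "") print found }'
}

is_yes() { case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

samba_role() {   # samba_role "<smb.conf text>"
    logons=$(printf '%s\n' "$1" | smb_param "domain logons")
    master=$(printf '%s\n' "$1" | smb_param "domain master")
    is_yes "${logons:-no}" || { echo MEMBER; return 0; }
    # 'domain master' defaults to auto, which follows 'domain logons'
    if [ "${master:-auto}" = auto ] || is_yes "$master"; then echo PDC; else echo BDC; fi
}

names_for() {   # names_for SUFFIX  <nmblookup output on stdin>; lines look like
    awk -v suf="<$1>" '   # "192.168.10.12 EXAMPLE<1b>"; the "querying ..." line is skipped
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && index($2, suf) { print $1 }'
}

pdc_moved_to() {   # pdc_moved_to IP "<#1b output>" "<#1c output>"
    holders=$(printf '%s\n' "$2" | names_for 1b)
    [ "$holders" = "$1" ] || return 1          # exactly one #1b holder, and it is IP
    printf '%s\n' "$3" | names_for 1c | grep -qxF "$1"   # IP also registered as a DC
}

# --- constructed nmblookup output as expected after the switch-over ----------
OUT_1B='querying EXAMPLE on 192.168.10.255
192.168.10.12 EXAMPLE<1b>'
OUT_1C='querying EXAMPLE on 192.168.10.255
192.168.10.12 EXAMPLE<1c>
192.168.10.10 EXAMPLE<1c>
192.168.10.11 EXAMPLE<1c>'

for stage in CONF_OLD_PDC CONF_OLD_PDC_DEMOTED CONF_NEW_PDC CONF_MEMBER; do
    eval "conf=\$$stage"
    printf '%-20s -> %s\n' "$stage" "$(samba_role "$conf")"
done
if pdc_moved_to "$NEW_PDC" "$OUT_1B" "$OUT_1C"; then
    echo "#1b is held by $NEW_PDC alone and it is registered under #1c: OK"
else
    echo "PDC role has NOT moved to $NEW_PDC"
fi
```

On a live network the two nmblookup queries are `nmblookup EXAMPLE#1b` and `nmblookup EXAMPLE#1c` (substituting the real workgroup); feed their output to `names_for` or `pdc_moved_to` in place of the constructed strings. The #1c list is expected to keep showing the demoted box for as long as it still runs with `domain logons = yes`; only the #1b name has to change hands.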
