[Samba] Samba4 as BDC on a Win2003 AD_PDC

Karel Lang AFD lang at afd.cz
Thu Oct 9 07:28:19 MDT 2014

Hi Daniel,
I'm quite new to the Samba list and particularly to Samba4 too, so take my 
word with a grain of salt.

I think that maybe the terminology you use is not quite accurate, or clear.
Because (IMHO) you cannot have a server acting as PDC (primary domain 
controller) in AD (Active Directory), as far as I understand it.

You can have either one of them, but not both.

What you are talking about, that you have atm (I think), is a 'classic' NTv4 
domain that consists of one PDC and as many BDC servers as needed.
Only the PDC can make changes in the authentication backend - usually some 
LDAP server.

With this being said - in your case - Samba4 can act as PDC or BDC in an 
NTv4 domain - but as you say, you have it as BDC, then it can't make 
changes (someone please correct me if I'm wrong about this - not 
100% sure)

If you want to switch off the Windows server and retain, or keep, the NTv4 
classic domain with the one PDC -> more BDC structure, then (IMHO) you need 
to switch off the Windows server and just make the Samba4 a PDC (change 
smb.conf) - and make sure the Samba4 server is looking into the LDAP database 
where the former Windows server was storing the user data.

If the Windows server was storing data in its own database, I guess 
that you would need to export the data first to a 3rd party database 
(openldap, 389 directory server ... etc) and then again switch off the 
Windows server, point Samba 4 to LDAP and make changes in smb.conf 
making it PDC.

I think another possible scenario is that you create an AD (Active 
Directory) from your Samba4 server, join the Windows server to it and 
replicate data there, then you can keep the Windows server running or you can 
switch it off.

But this takes quite some study - I'm in the process myself, as I plan 
on moving from Samba3 -> 4.

But again, you need to decide which type of domain you aim for - AD or 
classic NTv4 with PDC-BDC?

Karel Lang

On 10/09/2014 02:43 PM, Daniel ATUALIZEM TENHO NOVO MSN wrote:
> Hi,
> I have a Windows 2003 as AD PDC.
> My intention is to disable this Windows and use Samba4 instead.
> I have compiled Samba 4.1.12 on Debian 7 without problems.
> I followed the Samba Wiki to join this machine to the Win domain, without doing the Samba4 provision steps, as mentioned.
> The join process occurred without errors and the whole structure of Win2003 was replicated to Samba4. All modifications done on Windows 2003 are updated to Samba 4.
> But, using RSAT to connect to Samba4, I can't create or delete new users or groups. I receive this message on RSAT:
> "The server is unwilling to process the request"
> This is the output in log.samba when I try to create or modify a user by RSAT connected to Samba 4:
> [2014/10/09 09:36:29.901189,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
>    ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_NO_LOGON_SERVERS - extended_ret[0x0]
> And, this message is output on log.samba all the time:
> [2014/10/09 09:37:00.527471,  0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
>    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:e50ee076-7a81-4616-aace-c18b350b7d4d._msdcs.ITEMNT[1025,seal,krb5] NT_STATUS_NO_LOGON_SERVERS
> I need help to solve this issue.
> I want to change Win2003 AD to Samba4 AD by:
> 1 - using Samba4 as secondary to get all users from Windows;
> 2 - testing Samba4 to create, modify and delete users, and replicate to Windows 2003;
> 3 - If step 2 passes, I want to "promote" Samba 4 to primary DC and turn off Windows 2003;
> 4 - I will create a new Samba4 to use as secondary DC.
> Thanks for any help!
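
The two log.samba excerpts quoted above share one layout: a `[timestamp, level] file:line(function)` header followed by an indented message. As an added example (not part of either message and not Samba project code), this Python script parses that layout, counts status codes per reporting function and collects the DCE/RPC bind target names, so it is visible whether RID allocation failures coincide with failed binds to another DC. The sample log is constructed from the two quoted excerpts plus one constructed repeat; the names `parse` and `triage` are hypothetical.

```python
import re
from collections import Counter

# Header line: "[timestamp, level] source_file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
STATUS = re.compile(r"\b(?:WERR|NT_STATUS)_[A-Z_]+\b")
BIND_TARGET = re.compile(r"at ncacn_ip_tcp:(?P<host>[^\[\s]+)\[")

# Constructed sample: the two quoted excerpts plus one constructed repeat.
BIND_MSG = ("Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for "
            "e3514235-4b06-11d1-ab04-00c04fc2dcd2 at ncacn_ip_tcp:"
            "e50ee076-7a81-4616-aace-c18b350b7d4d._msdcs.ITEMNT[1025,seal,krb5] "
            "NT_STATUS_NO_LOGON_SERVERS")
SAMPLE = f"""\
[2014/10/09 09:36:29.901189,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
  ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_NO_LOGON_SERVERS - extended_ret[0x0]
[2014/10/09 09:37:00.527471,  0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  {BIND_MSG}
[2014/10/09 09:37:30.527471,  0] ../source4/librpc/rpc/dcerpc_util.c:681(dcerpc_pipe_auth_recv)
  {BIND_MSG}
"""

def parse(text):
    """Attach each indented body line to the header record that precedes it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def triage(records):
    """Count status codes per reporting function; collect RPC bind targets."""
    counts, targets = Counter(), set()
    for r in records:
        for status in STATUS.findall(r["msg"]):
            counts[(r["func"], status)] += 1
        hit = BIND_TARGET.search(r["msg"])
        if hit:
            targets.add(hit.group("host"))
    return counts, targets

if __name__ == "__main__":
    counts, targets = triage(parse(SAMPLE))
    print(dict(counts), sorted(targets))
```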
