[Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC

Andrew Bartlett abartlet at samba.org
Sun Oct 2 01:46:06 UTC 2016

On Wed, 2016-09-28 at 16:11 +0000, Charish Patel via samba wrote:
> Hi folks,
> I've been tasked with a migration of our servers and, as the subject
> implies, part of it involves a PDC and BDC that were set up before my
> time. However, I'm trying to accomplish a little bit more to give
> myself, the sysadmin, a little bit more automation capability:
> - Migrate the PDC and BDC both to new servers (part of this
> I've already done by copying /etc/passwd, group, shadow, and
> gshadow along with smb.conf, secrets.tdb and passwd.tdb. There is no
> LDAP and/or Kerberos configuration).
> - Upgrade the PDC and BDC to AD Controllers that will work in
> redundancy.
> - Update our netlogon script to mount Samba shares based on
> the user logging in.
>   - Part of this is getting a non-.bat script to work with both
> Windows and Mac (it's mostly a Windows environment, but we have 12
> Macs as well). I was thinking something along the lines of trying to
> detect the OS via a fastscan with nmap and, based on the OS, kick off
> logon.bat (Windows) or login.sh (for Macs) in order to mount the
> network shares as well as pushing out an agent that takes an
> inventory of the workstations logging in.
>     - The Macs haven't been joined to the domain yet, but with the new
> Samba instances it's something I'm looking into doing.

I don't think the Macs even understand the logon script.  Also just
note that the logon script from the smb.conf is not used any more; it
has to be set per-user in AD (e.g. with a script, or with ADUC editing
multiple users).

> - The part that has me nervous: actually testing all this
> out. My biggest concern is that if I spin up the new Samba AD controllers,
> they will interfere with the existing ones and thereby cause hell for
> my users. Is there any way to isolate the setup for testing so that,
> if it's successful, it'd just be a matter of shutting down the old
> PDC and BDC, spinning up the new redundant AD controllers and having the
> users be able to continue working seamlessly?

Isolated networks are what we suggest, and trial runs.  If you get
the trials to the point where it is automatic, you may be able to do
your production deploy on the production network in downtime; otherwise
ideally your test LAN is isolated enough that it has the same IP
address space so you can slot it right in.

The big issue with clients not falling back came from NT4 system
policies, but I've not tested that for most of a decade, so no doubt it
is more these days.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
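Setting the logon script per user, as Andrew describes, means writing the scriptPath attribute on each user object. The following is an added example, not code from this thread or from Samba itself: it builds LDIF modify records for a set of users and refuses script paths that are not plain NETLOGON-relative names. The base DN, container and user names are constructed samples, and it assumes each user's CN matches the account name.

```python
# Added example (not from the mailing list thread): build LDIF modify
# records that set the per-user logon script (scriptPath attribute)
# for a Samba AD domain. Base DN and user names are constructed samples.
import re

BASE_DN = "DC=example,DC=internal"      # assumption: sample domain
USERS_CONTAINER = f"CN=Users,{BASE_DN}"  # assumption: users live here

# scriptPath is resolved relative to the NETLOGON share, so only a bare
# file name (optionally inside a subfolder) is accepted: no absolute or
# UNC paths, no drive letters, no parent-directory components.
_SAFE_PART = re.compile(r"^[A-Za-z0-9_.-]+$")

def validate_script_path(script: str) -> bool:
    """Return True if script is a safe NETLOGON-relative path."""
    if not script or script.startswith(("\\", "/")) or ":" in script:
        return False
    parts = re.split(r"[\\/]", script)
    return all(part not in ("", ".", "..") and _SAFE_PART.match(part)
               for part in parts)

def logon_script_ldif(username: str, script: str) -> str:
    """One LDIF change record replacing scriptPath for a single user.
    Assumes the object's CN equals the account name (not true for every
    user object; check with samba-tool or ldbsearch first)."""
    if not validate_script_path(script):
        raise ValueError(f"unsafe scriptPath for {username}: {script!r}")
    if not _SAFE_PART.match(username):
        raise ValueError(f"unexpected characters in username {username!r}")
    return (
        f"dn: CN={username},{USERS_CONTAINER}\n"
        "changetype: modify\n"
        "replace: scriptPath\n"
        f"scriptPath: {script}\n"
    )

def build_ldif(assignments: dict) -> str:
    """Join records for many users; LDIF separates records with a blank line."""
    return "\n".join(logon_script_ldif(u, s) for u, s in sorted(assignments.items()))

if __name__ == "__main__":
    # constructed sample: two Windows users with scripts under NETLOGON
    sample = {"alice": "logon.bat", "bob": "scripts\\logon.bat"}
    print(build_ldif(sample), end="")
```

The generated LDIF can be applied with Samba's ldbmodify against the domain's sam.ldb; review the output first, since a wrong scriptPath silently leaves users with no logon script.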
