[Samba] How to Migrate Samba AD from one server to another
rpenny at samba.org
Sun Sep 11 17:20:00 UTC 2016
See inline comments:
On Sun, 11 Sep 2016 10:38:22 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> > On Sun, 11 Sep 2016 00:48:09 -0600
> > "Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
> >> essentially do what I want? Basically clone the AD on another
> >> server. Then is it as easy as joining the new server to the domain
> >> and then demoting the old server? How do others do this task?
> > If you just want to replace a DC with another DC, then you only
> > need to add the new DC to the domain, let replication do its thing,
> > transfer any FSMO roles from the old DC to the new DC, demote old
> > DC and then turn off the old DC.
> Rowland, thanks for your reply. What you describe is pretty simple in
> principle. It is the details about which I am confused. There are 3
> aspects of a Samba 4 AD that have to be properly setup for the AD to
> function correctly. Namely the Samba configuration, Kerberos and DNS.
> If any of these are incorrectly configured the AD will not function.
> So here are my questions regarding the details of what you describe.
> 0.) Backup up the old DC.
Well, yes, just in case.
> 1.) I assume two of the preparation steps would be to point the new
> DC DNS (/etc/resolv.conf) to the old DC server DNS
Possibly, it just needs to point to a DC in the domain, and if you only
> and then take the
> smb.conf configuration from the old DC and move to the new DC.
No, definitely NO. The join will create a new one.
> 2.) After the preparation step in 1, is it sufficient to just issue
>     samba-tool domain join mydom.example.com DC -Uadministrator --realm=MYDOM.EXAMPLE.COM --dns-backend=BIND9_DLZ
> to get the AD added to the domain and replication to occur?
Yes, it will become just another DC.
> 3.) What will actually get replicated? From what I could sketch
> together from the web the DNS will be moved. I know how to handle
> that but are there any entries that have to be manually added as
> indicated from some web sites I have found?
Everything should get created except for a few DNS objects, and these
will get created the first time Samba is started, but there is a gotcha:
it needs to use the computer's Kerberos ticket to do this, so you need
to change /etc/resolv.conf to point to itself before you start Samba.
Once everything is correct and all dns objects exist, you can
> 4.) What about the kerberos configuration? Do I configure kerberos on
> the new DC as it was on the old DC? Does that happen at step 1 and
> then do the samba-tool join or does replication take care of the
> keytab files and config?
You will need to create /etc/krb5.conf before running the join command,
it needs to look just like this (the three settings live in the
[libdefaults] section):

    [libdefaults]
        default_realm = <PUT YOUR REALM HERE>
        dns_lookup_realm = false
        dns_lookup_kdc = true
> 5.) Do I have to manually set the sysvol ACLs via:
>     samba-tool ntacl sysvolreset
> as suggested by some sites?
Good point and something I missed, you will need to sync sysvol from
the old DC to the new one and then run 'samba-tool ntacl sysvolreset'
or you could use 'osync', see here for info:
> 6.) Transfer FSMO roles
> 7.) Demote old DC
> 8.) Anything else I am missing?
Not that I can think of, but if I have missed anything, somebody is bound
to point it out ;-)
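The procedure the thread settles on (krb5.conf first, resolv.conf at an existing DC for the join, then at the new DC itself before Samba starts so its DNS objects get registered with its own machine ticket, sysvol copied and ACLs reset, FSMO roles moved, old DC demoted) as one script. This is an added example, not code from the Samba project or from either poster. Hostnames, addresses, the realm, the sysvol path, the systemd unit name and root ssh access to the old DC are assumptions to adjust for your site; the samba-tool subcommands used are the documented ones (domain join, ntacl sysvolreset/sysvolcheck, fsmo transfer/show, domain demote, drs showrepl) plus samba_dnsupdate.

```shell
#!/bin/sh
# migrate_dc.sh: prepare a new Samba AD DC and cut over from an old one.
# Added example following the mailing-list steps; not Samba project code.
# Everything in the variables below is an assumption for illustration.
set -eu

REALM="${REALM:-MYDOM.EXAMPLE.COM}"            # assumption: Kerberos realm
DNS_DOMAIN="${DNS_DOMAIN:-mydom.example.com}"  # assumption: AD DNS domain
OLD_DC="${OLD_DC:-olddc.mydom.example.com}"    # assumption: existing DC
OLD_DC_IP="${OLD_DC_IP:-192.0.2.10}"           # assumption: its address
NEW_DC_IP="${NEW_DC_IP:-192.0.2.20}"           # assumption: this host's address
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"      # assumption: Samba's sysvol path
ADMIN="${ADMIN:-administrator}"

# Step 4: krb5.conf must exist before the join. The three keys belong in
# [libdefaults]; a bare key list is not a valid krb5.conf.
write_krb5_conf() {
    realm="$1"; out="$2"
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
}

# Steps 1 and 3: resolv.conf points at an existing DC for the join, then at
# this host before samba first starts so it can register its own DNS records.
write_resolv_conf() {
    ip="$1"; out="$2"
    printf 'search %s\nnameserver %s\n' "$DNS_DOMAIN" "$ip" > "$out"
}

# Returns 0 if the first nameserver line in the file names the given IP.
resolv_points_to() {
    file="$1"; ip="$2"
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    [ "$first" = "$ip" ]
}

# The gotcha from the thread: refuse to start samba unless DNS points at us.
assert_self_dns() {
    resolv_points_to /etc/resolv.conf "$NEW_DC_IP" || {
        echo "refusing to start samba: /etc/resolv.conf must list $NEW_DC_IP first" >&2
        return 1
    }
}

join_new_dc() {
    write_krb5_conf "$REALM" /etc/krb5.conf
    write_resolv_conf "$OLD_DC_IP" /etc/resolv.conf    # resolve via a working DC
    samba-tool domain join "$DNS_DOMAIN" DC -U"$ADMIN" \
        --realm="$REALM" --dns-backend=BIND9_DLZ
    write_resolv_conf "$NEW_DC_IP" /etc/resolv.conf    # now point at ourselves
    assert_self_dns
    systemctl start samba-ad-dc       # assumption: unit name on this distro
    samba_dnsupdate --verbose         # register any DNS objects still missing
    samba-tool drs showrepl           # confirm replication in both directions
}

# Step 5: sysvol is not carried by directory replication; copy it, reset ACLs.
sync_sysvol() {
    rsync -a --delete "root@$OLD_DC:$SYSVOL/" "$SYSVOL/"   # assumption: root ssh
    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck
}

# Steps 6 and 7: move every FSMO role here, then demote the old DC on itself.
cut_over() {
    samba-tool fsmo transfer --role=all
    samba-tool fsmo show
    ssh "root@$OLD_DC" samba-tool domain demote -U"$ADMIN"
}

case "${1:-}" in
    join)    join_new_dc ;;
    sysvol)  sync_sysvol ;;
    cutover) cut_over ;;
esac
```

Run it in three passes on the new DC, `join`, then `sysvol`, then `cutover`, checking `samba-tool drs showrepl` and `samba-tool fsmo show` between passes; the `assert_self_dns` guard is there so the first Samba start never happens while resolv.conf still points at the old DC.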