[Samba] Eventually transitioning to Windows Server 2016

Rowland Penny rpenny at samba.org
Sat Dec 16 14:45:39 UTC 2017

On Sat, 16 Dec 2017 14:09:44 +0100
Fabian Fritz via samba <samba at lists.samba.org> wrote:

> Hi,
> I am preparing to get our Data Center from a Samba 3.5 NT4 domain to
> AD. All users, file ownerships, etc. have to remain of course. I am
> planning to use Samba 4.7.x, but I was wondering if it is possible to
> eventually transition to Windows Server 2016 as the only DC hosts.
> The way I understand it is that this is not possible right now,
> because Samba doesn't support that schema version (among other
> things). Thus I couldn't join WS 2016 DCs and take out the Samba DC.
> So unless Samba is updated, once I have AD with Samba-only DC I can't
> get to WS 2016 with my domain, right?
> The other way would be to go to WS 2016 straight away. I've heard
> there's this ADMT tool that can get you from an NT4-style domain to a
> modern AD domain. But assuming I do that and have WS2016 DCs, can
> Samba 4.7.x at least join as a member to act as a file server?
> Also, a kind of unrelated question: Are the passwords from the NT4
> domain somehow rehashed to whatever AD uses? I've heard NT4 uses DES
> and that's considered rather insecure these days, but I can't think
> of how Samba would be able to change the hash method without knowing
> the passwords in plain text.
> Thanks,
> Fabian

You can use the Samba 'classicupgrade' tool to migrate your NT4-style
domain to a Samba AD domain, but, at the moment, you will only get a
2008R2 domain. The work to update 2012 is nearing completion and will
possibly be in Samba 4.8.0. The work to upgrade to 2016 hasn't even
started yet, but from what I have read, it shouldn't take as much work
as the 2012 upgrade has taken.

From my understanding 'ADMT' will only run on a Windows server, so I
don't think this is going to work. What you should be able to do is
upgrade to a Samba AD DC, join a Windows 2008 DC, transfer all the FSMO
roles to the Windows DC, demote the Samba AD DC, then upgrade the
Windows DC to the domain function level you require and then start
paying for CALs.

Probably easier to set up a new domain ;-)

