[Samba] classic upgrade, splitting servers

Stefan G. Weichinger lists at xunil.at
Wed May 24 10:38:13 UTC 2017


On 2017-05-24 at 12:23, L.P.H. van Belle via samba wrote:
> Ok, let's start with:
>> Thinking of the other ~25 machines at their site I am not yet 
>> there to deploy the new DC, I assume.
> Correct, you're not there yet.
> 
>> I don't see a share tab in the properties of \\dc\netlogon 
>> and \\dc\sysvol
> 
> Log in as Administrator,
> Open the "computer manager" (right click computer, manage), right click, connect to, ..
> Now you should see the share and security tabs.

I can't find it ... sorry. The German/English makes it harder ...


> Now, you can log in as root, yes, but use Administrator.
> Root is not known in AD, this is why it logs in faster.
> Administrator is in an OU=Users, which "should not" have any GPO settings assigned except domain defaults.
> 
> How long did you wait the first time for the login, and any Windows event IDs from that login?

5-10 min ... just wait

event logs : I have to dig

> How did you migrate your users' profiles?
> Just a copy-paste? Because as far as I know that's not going to work.

NO migration.
Local profiles only, no server based ones.

that's the whole point in doing this, I don't want to touch the
individual PCs at all. This worked at another site as well.


> You need something like : 
> https://www.forensit.com/domain-migration.html
> 
> Or 
> https://www.microsoft.com/en-us/download/details.aspx?id=19188
> Or 
> USMT http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx
> 
> But in all three above, I don't use it. :-/
> I configure everything in GPO, only 1 thing I have to do manually, set up the email signing.
> And for that on my new mail server it's done also.
> I only do: rename a PC, join a PC to the domain, set static IP if needed, reboot 2x and
> log in as my "second" Admin user to apply every computer policy.
> Yes, these first logins can take some time, I see that also, but that's only once here.
> And the first login added my root CA.
> 
> So, if your network setup is good, everything is applied by GPO.
> I'm setting, for example,
> any Windows setting I want (per user/group or OU).
> Deploy software where needed.
> All my (MS) Office settings, Adobe Reader, printer deployment, certificate deployment and security settings.
> 
> But my best advice about GPOs: start with small changes, and group your changes.
> Like "GPO:InternetSettings", I have 1 GPO for IE/EDGE/CHROME/Firefox. With defaults.
> Or GPO:PrinterDeploy, with only printer settings.
> Etc. Think well about this, and ask questions.
> Order is > Computer policy rules, and most settings can be overruled by a user setting.
> For example, my users are not allowed to read/write from USB.
> 
> That's simply done in GPO, I now have for example:
> 1) nobody can read/write from USB (domain wide policy)
> 2) a computer GPO setting can overwrite this by GPO (computer policy per OU or computer or group member)
> 3) 2 groups, 1 read and 1 write (regular groups USB_read and USB_write with members)
> 4) a select group of users has read right on USB (GPO linked to USB_read)
> 5) a select group of users has read/write right on USB (GPO linked to USB_read and USB_write)
> 
> And really take small steps on how this works, but once set up, you're done,
> and then you can enjoy extra free time on samba problems on the list ;-P

I use GPOs at another site, so I know about the need to take small
steps, right!

-

Did in between:

* rerun classic update: new policies, everything fresh, lower functional
level now

* uninstalled Kaspersky on the test PC

* unjoined, rm-ed machine account on DC, re-joined ...

I get lost somehow ...




