[Samba] classic upgrade, splitting servers

L.P.H. van Belle belle at bazuin.nl
Wed May 24 11:09:29 UTC 2017


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Wednesday 24 May 2017 12:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] classic upgrade, splitting servers
> 
> On 2017-05-24 at 12:23, L.P.H. van Belle via samba wrote:
> > Ok, let's start with:
> >> Thinking of the other ~25 machines at their site I am not yet there
> >> to deploy the new DC, I assume.
> > Correct, you're not there yet.
> > 
> >> I don't see a share tab in the properties of \\dc\netlogon and 
> >> \\dc\sysvol
> > 
> > Log in as Administrator,
> > Open the "computer manager" (right click computer, manage), right click, connect to, ..
> > Now you should see share and security tab. 
> 
> I can't find it ... sorry. The German/English makes it harder ...

I mean this 
https://www.isunshare.com/windows-8/run-computer-management-by-command-line.html 
(first picture) 
Right-click on Computer Management. 
Then make a connection to the DC with the FSMO roles. 
Click on the plus sign, System Tools, there are Shared Folders.

You can write in German to me, if that's easier for you, 
I can read it, I only lost my writing skill. 


> 
> 
> > Now, you can log in as root, yes, but use Administrator. 
> > Root is not known in AD, this is why it logs in faster. 
> > Administrator is in an OU=Users, which "should not" have any GPO settings assigned except domain defaults.
> > 
> > How long did you wait the first time for the login and any Windows event IDs from that login? 
> 
> 5-10 min ... just wait
> 
> event logs : I have to dig
> 
> > How did you migrate your users' profiles? 
> > Just a copy paste? Because as far as I know that's not going to work. 
> 
> NO migration.
> Local profiles only, no server based ones.
> 
> that's the whole point in doing this, I don't want to touch 
> the individual PCs at all. This worked at another site as well.
OK, that's good, then you missed something in the setup. 

> 
> 
> > You need something like : 
> > https://www.forensit.com/domain-migration.html
> > 
> > Or
> > https://www.microsoft.com/en-us/download/details.aspx?id=19188
> > Or
> > USMT http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx
> > 
> > But in all three above, I don't use it. :-/ I configure everything in 
> > GPO, only 1 thing I have to do manually, set up the email signing.
> > And for that on my new mail server it's done also. 
> > I only do: rename a PC, join a PC to the domain, set static IP if needed, 
> > reboot 2x and log in as my "second" Admin user to apply every computer policy.
> > Yes these first logins can take some time, I see that also, but that's only once here.
> > And the first login added my root CA.
> > 
> > So, if your network setup is good, everything is applied by GPO. 
> > I'm setting for example
> > any Windows setting I want (per user/group or OU). Deploy software 
> > where needed.
> > All my (MS) Office settings, Adobe Reader, printer deployment, certificate deployment and security settings. 
> > 
> > But my best advice about GPOs: start with small changes, and group your changes.
> > Like "GPO:InternetSettings", I have 1 GPO for IE/EDGE/CHROME/Firefox. With defaults. 
> > Or GPO:PrinterDeploy, with only printer settings. 
> > Etc. Think well about this, and ask questions. 
> > Order is > Computer policy rules, and most settings can be overruled by a user setting. 
> > For example, my users are not allowed to read/write from USB. 
> > 
> > That's simply done in GPO, I now have for example: 
> > 1) nobody can read/write from USB (domain wide policy) 
> > 2) a computer GPO setting can overwrite this by GPO. (computer policy per OU or computer or group member) 
> > 3) 2 groups contains, 1 read and 1 write (regular groups USB_read and USB_write with members) 
> > 4) select group of users has read right on USB. (GPO linked to USB_read)
> > 5) select group of users has read/write right on USB. (GPO linked to USB_read and USB_write) 
> > 
> > And really take small steps how this works, but once set up, you're done, 
> > and then you can enjoy extra free time on samba problems on the 
> > list ;-P
> 
> I use GPOs at another site, so I know about the need to take 
> small steps, right!
> 
> -
> 
> Did in between:
> 
> * rerun classic update: new policies, everything fresh, lower functional level now
You should stay at 2008R2 in my opinion. 

> 
> * uninstalled Kaspersky on the test PC
> 
> * unjoined, rm-ed machine account on DC, re-joined ...
> 
> I get lost somehow ...
> 
> 
> 