[Samba] migrate several samba3+openldap pdc to samba3

Andrew Bartlett abartlet at samba.org
Sun Feb 18 01:05:38 UTC 2018


On Sat, 2018-02-17 at 20:44 -0300, Guido Lorenzutti via samba wrote:
> Hi there! I have one domain, shared between several samba3+openldap
> on different geographical locations. I want to migrate them to samba4.
> 
> 
> The domain has approx. 4000 user accounts, 4000 workstations, and
> several groups. 
> 
> I was able to successfully migrate the domain in a
> test environment. But I am faced with the problem that I will not be
> able to migrate in parallel the more than 20 locations at the same time.
> Most likely I have to do one per day, or one every other day. But during
> that time, users will continue to use the domain and change their
> passwords. Also, the machine accounts will continue to interact with
> the domain to update their credentials.
> 
> Any idea to gradually migrate
> every location without having the problem that since I made the first
> migration, there have probably been changes in passwords, creations of
> users, etc?

It certainly can and has been done.  It is easier if you can assert that
no new users will be added during the migration.  Password changes can
be forced though by exporting the password and forcing it into the AD
DC.  

For a long time I've wanted to extend the classicupgrade tool to
operate in an incremental mode (watching the pwdLastSet to pick the
most recent password change) but for the moment you will need to write
your own scripts. 

Others on the list who have done this in operational migrations will be
able to give more specific advice.  In general ensure the two domains
can't see each other (not share the same netbios namespace) during the
migration to ensure a client can't attempt a domain login against one
and then the other. 

I wish you all the best with the migration,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
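
The "pick the most recent password change" comparison from the reply above, as an added example that is not part of the original message and is not Samba code. It assumes the old directory exposes sambaPwdLastSet (Unix seconds, Samba 3 LDAP schema) and the AD DC exposes pwdLastSet (100 ns ticks since 1601); the function names and LDIF samples are constructed for illustration, and the script only plans which accounts to re-sync.

```python
NT_EPOCH_OFFSET = 11644473600  # seconds from 1601-01-01 to 1970-01-01

def nt_to_unix(nt_time):  # AD pwdLastSet: 100 ns ticks since 1601
    return nt_time // 10_000_000 - NT_EPOCH_OFFSET

def parse_ldif(text, key_attr):
    """Minimal LDIF reader (no folded or base64 lines) -> {account: attrs}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                name, value = line.split(": ", 1)
                attrs[name.lower()] = value.strip()  # names are case-insensitive
        if key_attr.lower() in attrs:
            entries[attrs[key_attr.lower()].lower()] = attrs
    return entries

def plan_resync(old_ldif, ad_ldif):
    """Pick accounts whose newest password change is still on the old PDC."""
    old = parse_ldif(old_ldif, "uid")
    new = parse_ldif(ad_ldif, "sAMAccountName")
    plan = {"resync": [], "missing_in_ad": []}
    for name in sorted(old):
        old_set = int(old[name].get("sambapwdlastset", 0))
        if name not in new:
            plan["missing_in_ad"].append(name)  # created after the upgrade
        elif old_set > nt_to_unix(int(new[name].get("pwdlastset", 0))):
            plan["resync"].append(name)  # old PDC holds the newer password
    return plan

# Constructed samples (assumption), trimmed to the attributes used.
OLD_LDIF = """\
uid: ws042$
sambaPwdLastSet: 1518905000

uid: carol
sambaPwdLastSet: 1518000000

uid: dave
sambaPwdLastSet: 1518910000
"""
AD_LDIF = """\
sAMAccountName: WS042$
pwdLastSet: 131624736000000000

sAMAccountName: carol
pwdLastSet: 131634236000000000
"""
print(plan_resync(OLD_LDIF, AD_LDIF))
```

Accounts where the AD DC already holds the newer timestamp (carol in the sample) are left alone, so a password changed at an already-migrated location is not overwritten by an older one.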



