[Samba] No good way to migrate 4.1 on Server A to 4.7.6 on New Server B
glenn at gbitservices.ca
Mon Nov 26 02:46:18 UTC 2018
Update to the below: Amazingly, I now seem to have everything working. All told, for this migration project, there were a lot of things that had to be manually fixed after transferring to the new server. The final few things I had to do tonight seems to have cleared the rest of my issues up. Those were:
- Change the DHCP server on the firewall so it gives out the new server's IP for the DNS server.
- Shut down old server
- For each user profile, change their roaming profile path to the new server, from the old one. IE: Changed from \\isofs\profiles\<username> to \\isofs2\profiles\<username>.
What I tried first and what failed was changing the DNS entry for "isofs" on both old and new PDC's to isofs2's IP. You would think that would have worked but I guess not.
I wish I had documented every little silly thing I had to do and fix throughout this project, but 50 (not really) different things to try I'd spend most of the time re-writing docs. I guess that answers my question on why no doc has been written yet for this __
On 2018-11-25, 6:04 PM, "Glenn Bergeron" <glenn at gbitservices.ca> wrote:
The old server is Debian 3.2.101-1 running a compiled-from-source Samba 4.1.0. The new server I'm trying to migrate to is Ubuntu Server 18.04LTS, running a package-installed (apt) Samba 4.7.7.
Old server name: isofs 10.4.0.2
New server name: isofs2 10.4.0.3
netbios name = ISOFS2
realm = ISO.PRIVATE
server role = active directory domain controller
workgroup = ISO
ldap server require strong auth = no #Was required for FSMO transfer from old server
dns forwarder = 22.214.171.124
vfs objects = acl_xattr
map acl inherit = yes
hide dot files = yes
store dos attributes = yes
idmap_ldb:use rfc2307 = yes
mangled names = no
oplocks = no
path = /var/lib/samba/sysvol/iso.private/scripts
read only = No
path = /var/lib/samba/sysvol
read only = No
Where it's at now:
- FSMO transferred to new server. I used Migrate, not Seize, as I hope I can roll back to the original server if I can't get things working on the new server by Monday morning.
- GPO manually rsync'd to new server.
- "samba-tool ntacl sysvolreset" then run on new server, as well as "samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes".
- Old server demoted via "samba-tool domain demote -Uadministrator"
- Based on your comment below re: DNS updating, I just ran "samba_dnsupdate" on the both old and new servers. It returned "No DNS updates needed".
Errors in log.samba on new server:
Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.4.0.3[49152,seal,krb5,target_hostname=d4c15af5-dfd5-4650-95de-c354a7256d15._msdcs.iso.private,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.4.0.3] NT_STATUS_UNSUCCESSFUL
Can only log into DOMAIN\administrator. I can run "Active Directory Users and Computers", add a new user. But cannot log in as a user. Get error "The trust relationship between this workstation and the primary domain failed".
RSAT: Group Policy Management says is can't contact the domain controller.
On 2018-11-25, 5:23 AM, "Rowland Penny" <rpenny at samba.org> wrote:
On Sun, 25 Nov 2018 04:29:26 -0500
Glenn Bergeron via samba <samba at lists.samba.org> wrote:
> After many, many, many hours of trying, and lots of research both on
> this list, the Samba Wiki and elsewhere, I think I’ve finally come to
> the conclusion that there is no way to seamlessly migrate between
> Backing up and restoring (using samba_backup) doesn’t work.
> Permissions hell with Windows.
The old samba_backup script wasn't very good and there wasn't actually
a restore script. The latest Samba versions have a new way of backing
up and restoring Samba through samba-tools.
> Joining the new 4.7.7 server to the old 4.1 DC server, waiting for
> replication, then demoting the old server doesn’t work. It’s missing
> all the GPO files, RSAT utils either don’t work or barely work (no
> computer accounts listed for example), and workstations have their
> System Events log filled with not being able to find or connect to
> the domain server, DCOM errors relating to permissions, etc.
When you join a new DC, quite a lot of the required DNS records are not
created until you restart Samba or until samba_dnsupdate runs.
As for the GPO problems, They will not be on the new DC until you copy
them there, this is because Sysvol is not replicated between DC's
> I’m trying to not have to tell all the users that they’re going to
> have whole new Windows profiles and lose all their settings, because
> I can’t port anything and I have to start the AD server from scratch.
> Hasn’t anyone done this with any success? And if so, why isn’t there
> a solid document somewhere? I’m sorry I sound frustrated, but I’m at
> my limit with this what should have been a simple migration from old
> dying server to new server.
I am sure that this has been done successfully, otherwise this list
would have been full of posts similar to yours.
Samba is a rapidly changing target and part of your problem could be
the large jump between your versions, 4.1 to 4.7
What OS are you using ?
More information about the samba