[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon

Havany havany at asalluhi.fr
Fri Jun 7 09:14:50 UTC 2024


On 06/06/2024 at 15:40, Rowland Penny via samba wrote:
> On Thu, 6 Jun 2024 13:33:04 +0200
> Havany via samba <samba at lists.samba.org> wrote:
>> - Classicupgrade is destructive for the NT4 Domain, but we can keep
>> data of the old NT4 Domain and we can rollback to this with our
>> Ansible playbooks. We will lose all changes between migration and
>> rollback and we will improve a possible long downtime.
>> - With "Big Bang" approach we are able to keep our old NT4 Domain if
>> we need to rollback to it. But in this case the problem is the access
>> to the filers. I think that we can't have a file server that allows
>> access at the same time to an NT4 Domain and a Samba 4 AD Domain (I
>> will search information about that). The second problem for this
>> approach is that we need to write a (maybe complex) logon script to
>> be able to keep user local profile when a computer is moved to the
>> new Domain.
> There is one big problem with either of those scenarios, once your
> Windows clients see an AD DC, they will never reconnect to your old
> NT4-style PDC.

Yes, you're right. A rollback is not as simple in all cases.

> It sounds like you are still using the old, deprecated (by Windows)
> roaming profiles, instead of Folder redirection.

No, we do not use roaming profiles.

I replayed the "classicupgrade" on our test infrastructure. I applied 
the domain security configurations, except for the functional level, 
which I left at 2008_R2 with schema version 88 (default on 4.19). I also 
upgraded our test file server to the Samba4 AD member style. Everything 
seems correct.

So, I think I will use the "classicupgrade" method. I will wait a few 
days to make sure everything works well before making the final decision 
and moving on to the next steps.

Thanks to all,

> Rowland
