Table of Contents
Samba4 AD DC classic upgrade from a Samba3 NT4-style PDC
Here you find what I learned while migrating from a single Samba 3 NT4-style Primary Domain Controller (PDC) to Samba 4 with the new Active Directory (AD) Domain Controller (DC) functionality.
When I started to plan this migration I quickly stumbled into several big problems.
What was a no brainer was we wanted to have “real” Active Directory” (AD) functionality. That’s the primary reason why we would do the upgrade in the first place. You want these group policies, neat integration with third party software, single-sign-on, replication, … But if you are coming from a “pure” Linux background with only some rough understanding of Microsoft’s AD you have quite some work to do.
Those are the questions which arose while reading a lot of documentation not only on the samba website:
- what DNS namespace should I use? What about the old NT4 style domain name?
- should we use the built in DNS or better stick to Bind?
- what about DHCP, do we need these dynamic DNS updates?
- should we do a “classic upgrade” or build the whole site from scratch while running in parallel?
- how should the AD look like - i.e. how would you plan your directory service?
- what features does MS AD offer? What flaws do you have to expect?
Further questions popped up while diving deeper into the world of Samba4. I’ll cover them later.
(e.g. Backup DC, howto backup filesystem ACLs, printing with CUPS, use of quota)
Solutions we came up with/the decisions we made:
With AD you depend on a working DNS. So you basically need to pick a DNS name for your AD domain to start with. A very common approach is to have something ending in .local, .site or .lan
But as the ICANN is flooding the Internet with new top level domains at present, using one of them might lead to problems in the future. So if you already have a domain name registered why not use it? Conclusion: we decided to use the following name scheme (ds stands for directory service):
hostname = samba-srv1.location.ds.example.com AD realm = location.ds.example.com domainname (NT style) = EXAMPLE (keep this from your current NT4 Samba3)
Internal DNS vs. Bind
The next big question. The recommendations you find on the internet usually end up with “it depends on your needs which one you choose”. Yeah. We tested both. There’s no big difference in functionality when it comes to the “MS Windows Remote Administration Tools”. And as everything you can do with the internal DNS works with Bind, we decided to use Bind because you’ll have full control and flexibility with it. You’ll find quite some documentation about Bind and Samba4 out there.
“Classic upgrade” vs. build from scratch
If you decide to go the “classic upgrade” migration path there is no way back, if anything goes wrong. Once a Windows client talked to the new AD server, this client will refuse any further communication with the old NT style samba 3. That’s the one and only drawback we found so far. But if properly planned and tested this will save a lot of work and hassle in the long run.
If you think building the site from scratch and doing a step by step migration of clients while both systems run in parallel you can avoid this ominous “no way back if something breaks” you will find yourself in a lot of trouble:
- think about user profiles - every single one has to be migrated to the new user/SID on the new server once the user moves over
- your existing DNS service might collide/interfere with the new one on the samba4 server (e.g. reverse lookups, who is the master for a given zone, one subnet served from two different servers) - you’ll have to do a lot of work figuring out if Bind could save your day
- there can only be one authoritative DHCP server in a subnet - this might be problematic, too
- you might need some sort of interdomain trust between the old and the new server
- when would you move the userdata (your shares) to the new server? What about permissions?
⇒ Want to guess? We went for the “classic upgrade” path.
Planning the Active Directory tree
Before your begin to make big plans it would be better to know what AD can actually do for you. So my recommendation is to read at least one book about Windows Server Administration.