Discussion:
[Samba] How to migrate Active Directory from one Samba4 server to another
X-Dimension
2012-08-11 20:03:09 UTC
Hello!

We are using a Samba4.0.0alpha19 (Resara 1.1.2) based domain controller in a small production environment, and because the Resara development has ended we want to switch to a plain Samba4 beta based Ubuntu 12.04/Zentyal server.
I have installed and configured the new server with the same domain name and the same hostname as the old server.
How can I export the Active Directory from the old server and import it into the new Samba4 server?
Do I need to rejoin the clients to the domain after this?

Thx for help! :)
Andrew Bartlett
2012-08-13 07:47:35 UTC
Post by X-Dimension
Hello!
We are using a Samba4.0.0alpha19 (Resara 1.1.2) based domain controller in a small production environment, and because the Resara development has ended we want to switch to a plain Samba4 beta based Ubuntu 12.04/Zentyal server.
I have installed and configured the new server with the same domain name and the same hostname as the old server.
How can I export the Active Directory from the old server and import it into the new Samba4 server?
Something like this (untested):

Use a different hostname, then run 'samba-tool domain join' to join it
to the first domain. Then you can use the
source4/scripting/bin/renamedc script to rename it back to the name of
the first DC, after running 'samba-tool domain demote' on it.

You may need to seize FSMO roles from one DC to the other with
'samba-tool domain fsmo'.
Post by X-Dimension
Do I need to rejoin the clients to the domain after this?
No.

Additional complications may include DNS configuration. You may need to
use --dns-backend=none on the join command.

This is just a series of hints to get you started. Hopefully you can
work it out from here.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
X-Dimension
2012-08-13 17:56:27 UTC
-------- Original Message --------
Date: Mon, 13 Aug 2012 17:47:35 +1000
From: Andrew Bartlett <abartlet at samba.org>
To: X-Dimension at gmx.net
CC: samba at lists.samba.org
Subject: Re: [Samba] How to migrate Active Directory from one Samba4 server to another
Thank you Andrew, this was very helpful!
Joining the new Samba4 server to the old one replicates the Active Directory without a problem! After shutting down the old server, renaming the new server and restoring smb.conf and krb5.conf, I can access the new server with RSAT now. :-)

What does not work is the DNS backend! :-(
After the AD replication the DNS snap-in from RSAT does not work anymore.
The join option "--dns-backend=none" is not available here (Samba4.0.0beta2 Zentyal package).
Is there another way to get DNS working after the replication from the old server?

I also have another question: What does the "renamedc" script do?
When I start it, it always tells me that there are open transactions and so it can't run.
Because of this I simply changed the hostname in /etc/hostname and /etc/hosts and ran hostname -F /etc/hostname. After a restart all looks good so far (but I haven't tested it very much).

THX
X-Dimension
2012-08-16 11:29:42 UTC
I've now also tried Samba4.0.0beta6, and when I join this server with the --dns-backend=NONE option to the old samba4alpha PDC I have no working DNS service on the new Samba server. Bind9 won't start because it can't find sam.ldb. This file is created when provisioning the Samba server for the first time, but since our old Resara server uses plain Bind without the Samba LDAP backend, sam.ldb is not created when joining the new server to the existing domain.
Is there a way to set up the DNS part after the replication so that it uses the internal LDAP of Samba4? I don't need to get the DNS entries of the old server onto the new server, but I need a working DNS Samba/LDAP backend to create zones and entries with RSAT.

Thx for help!
Julian Timm
2012-09-03 13:39:25 UTC
-------- Original Message --------
Date: Thu, 16 Aug 2012 13:29:42 +0200
From: X-Dimension at gmx.net
To: samba at lists.samba.org
Subject: Re: [Samba] How to migrate Active Directory from one Samba4 server to another
Post by X-Dimension
I've now also tried Samba4.0.0beta6, and when I join this server with the --dns-backend=NONE option to the old samba4alpha PDC I have no working DNS service on the new Samba server. Bind9 won't start because it can't find sam.ldb. This file is created when provisioning the Samba server for the first time, but since our old Resara server uses plain Bind without the Samba LDAP backend, sam.ldb is not created when joining the new server to the existing domain.
Is there a way to set up the DNS part after the replication so that it uses the internal LDAP of Samba4? I don't need to get the DNS entries of the old server onto the new server, but I need a working DNS Samba/LDAP backend to create zones and entries with RSAT.
Thx for help!
I'm now a big step ahead and I got the BIND_DLZ backend working.

Here is what I've done:

1. Join the new Samba4.0.0beta8 server "PDC2" to the old Samba4.0.0alpha server "PDC" with:

samba-tool domain join mydomain.lan DC -Uadministrator --realm=mydomain.lan --dns-backend=none

2. Copy the file-based Bind9 configuration from /etc/bind of "PDC" to "PDC2"

3. Disconnect "PDC" from the network

4. Run samba_upgradedns on "PDC2" to get BIND_DLZ to work

5. Configure Bind9 to use Samba4/BIND_DLZ

What works:
A. I can browse the Active Directory with Microsoft RSAT and can edit or create users and so on
B. I can create and modify DNS entries from the DNS tool of MS RSAT

C. I can join a computer to "PDC2" when logging on with "administrator@mydomain"

What does not work:
A. I can't join a computer to "PDC2" when using only "administrator" instead of "administrator@mydomain"
B. After joining a computer successfully to the domain, user login doesn't work! I always get a "Wrong username or password" message :(

What goes wrong here?

Some other things:
1. The "fsmo" option as described by Andrew is not known when I'm using "samba-tool domain fsmo" here.

2. When running the "renamedc" script to rename the new server "PDC2" back to "PDC", I get an error because the new name "PDC" already exists in the Active Directory. So the script won't rename it.

Thanks for any ideas that help to get the Samba4-to-Samba4 migration to work! :)
X-Dimension
2012-09-04 08:54:00 UTC
After my migration tests, I now have three domain controllers in my Active Directory, but only one is online.
I've tried to remove the two other domain controllers with the Active Directory tool from MS RSAT, but it doesn't work.

How can I delete the unused domain controllers completely?

Thx for help!

Andrew Bartlett
2012-08-17 22:44:57 UTC
Post by X-Dimension
I also have another question: What does the "renamedc" script do?
When I start it, it always tells me that there are open transactions and so it can't run.
Because of this I simply changed the hostname in /etc/hostname and /etc/hosts and ran hostname -F /etc/hostname. After a restart all looks good so far (but I haven't tested it very much).
If you don't rename it in the database, then it won't be able to accept
Kerberos tickets under its new name, and other bad things will happen,
particularly once you decommission the old name (particularly to do with
replication).

We may need to work out why the script fails for you (and probably
promote it to be a samba-tool command).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
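Two loose ends of this thread can be checked offline before trusting the migrated DC: the 4 September question (three DC objects in the directory, FSMO roles possibly still owned by one that is offline) and Andrew's point above (a DC whose OS hostname was changed while its directory identity, and therefore its Kerberos service principals, still carry the old name). The script below is an added example, not code from the thread or from the Samba project. It parses constructed dumps shaped like `ldbsearch` LDIF output and `samba-tool fsmo show` output; the base DN, hostnames and role owners are placeholders, and the `online` list stands in for whatever reachability probe you run yourself.

```python
"""Offline consistency checks for a Samba AD DC migration (added example).

Parses constructed dumps shaped like `ldbsearch` LDIF and `samba-tool fsmo show`
output; DN, hostnames and role owners below are placeholders, not thread data.
"""
import re

NTDS_DN_RE = re.compile(r"^CN=NTDS Settings,CN=(?P<name>[^,]+),CN=Servers,", re.I)
FSMO_LINE_RE = re.compile(r"^(?P<role>\w+Role) owner: (?P<dn>.+)$")
ROLES = ("SchemaMasterRole", "InfrastructureMasterRole", "RidAllocationMasterRole",
         "PdcEmulationMasterRole", "DomainNamingMasterRole",
         "DomainDnsZonesMasterRole", "ForestDnsZonesMasterRole")

# --- constructed sample data: three DCs in the Sites container, every FSMO role on PDC ---
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan"
SITES_LDIF = "\n".join(
    f"dn: CN={n},{SITE}\nobjectClass: top\nobjectClass: server\ncn: {n}\n"
    f"dNSHostName: {n.lower()}.mydomain.lan\n\n"
    f"dn: CN=NTDS Settings,CN={n},{SITE}\nobjectClass: top\nobjectClass: nTDSDSA\n"
    f"cn: NTDS Settings\n"
    for n in ("PDC", "PDC2", "PDC3"))
FSMO_SHOW = "\n".join(f"{r} owner: CN=NTDS Settings,CN=PDC,{SITE}" for r in ROLES)
# The surviving DC's computer object, still carrying the name it was joined under.
DC_ACCOUNT_LDIF = """\
dn: CN=PDC2,OU=Domain Controllers,DC=mydomain,DC=lan
objectClass: computer
sAMAccountName: PDC2$
dNSHostName: pdc2.mydomain.lan
servicePrincipalName: HOST/pdc2.mydomain.lan
servicePrincipalName: HOST/PDC2
servicePrincipalName: ldap/pdc2.mydomain.lan
"""


def parse_ldif(text):
    """Minimal LDIF reader: '#' comments skipped, records split on blank lines,
    multi-valued attributes kept as lists (no base64 '::' values, no line folding)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def list_dcs(records):
    """A server object counts as a DC only if it has an NTDS Settings (nTDSDSA)
    child; that child is what replication partners and FSMO owners point at."""
    names = []
    for rec in records:
        classes = {c.lower() for c in rec.get("objectClass", [])}
        m = NTDS_DN_RE.match(rec.get("dn", [""])[0])
        if "ntdsdsa" in classes and m:
            names.append(m.group("name").upper())
    return sorted(names)


def parse_fsmo(text):
    """Map each FSMO role to the short name of the DC whose NTDS Settings own it."""
    owners = {}
    for line in text.splitlines():
        m = FSMO_LINE_RE.match(line.strip())
        if m:
            dn = NTDS_DN_RE.match(m.group("dn"))
            owners[m.group("role")] = dn.group("name").upper() if dn else m.group("dn")
    return owners


def audit(dcs, owners, online):
    """Stale DC objects, and roles still owned by a DC that did not answer the probe."""
    up = {n.upper() for n in online}
    return {"stale_dcs": [n for n in dcs if n not in up],
            "roles_to_seize": sorted(r for r, o in owners.items() if o not in up)}


def check_dc_name(records, os_hostname, realm):
    """Findings where the DC's AD identity disagrees with the OS hostname. Renaming
    only /etc/hostname leaves sAMAccountName, dNSHostName and the SPNs on the old
    name, so the DC cannot accept Kerberos tickets issued for the new one."""
    short, fqdn = os_hostname.upper(), f"{os_hostname.lower()}.{realm.lower()}"
    rec = next(r for r in records if "computer" in {c.lower() for c in r.get("objectClass", [])})
    findings = []
    if rec.get("sAMAccountName", [""])[0].upper() != short + "$":
        findings.append(f"sAMAccountName is {rec.get('sAMAccountName', [''])[0]}, expected {short}$")
    if rec.get("dNSHostName", [""])[0].lower() != fqdn:
        findings.append(f"dNSHostName is {rec.get('dNSHostName', [''])[0]}, expected {fqdn}")
    spns = {s.lower() for s in rec.get("servicePrincipalName", [])}
    for want in (f"HOST/{fqdn}", f"HOST/{short}", f"ldap/{fqdn}"):
        if want.lower() not in spns:
            findings.append(f"missing SPN {want}")
    return findings


if __name__ == "__main__":
    dcs = list_dcs(parse_ldif(SITES_LDIF))
    report = audit(dcs, parse_fsmo(FSMO_SHOW), online=["PDC2"])  # only PDC2 answered
    print("DCs in directory:", ", ".join(dcs))
    print("stale DC objects:", report["stale_dcs"])
    print("roles to seize  :", report["roles_to_seize"])
    for finding in check_dc_name(parse_ldif(DC_ACCOUNT_LDIF), "pdc", "mydomain.lan"):
        print("name check      :", finding)
```

To run it against a real domain, replace the constructed strings with the output of `ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Sites,CN=Configuration,<base DN>" "(|(objectClass=server)(objectClass=nTDSDSA))"` and of `samba-tool fsmo show` (the private directory path and these command names are those of current Samba; the 2012 betas in this thread named the fsmo command differently, as the thread itself notes). A role listed under roles_to_seize is still owned by a DC nobody can reach and has to be seized onto the surviving DC before the old name is reused; a DC listed under stale_dcs still has replication metadata pointing at it and is the kind of object the 4 September post could not remove from RSAT. The name check should come back empty before the renamed DC is expected to accept Kerberos tickets.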