Monday, July 10, 2017

Notes on migrating / upgrading Samba PDC to AD

Notes on upgrading/migrating a Samba 3 PDC to a Samba 4 AD on a totally separate system.

Scenario (in my case):
  • Running an older Samba 3 release with a tdbsam backend as a PDC, file and print server on an older distro that cannot be (easily, if at all) upgraded.
  • A need to move to Active Directory technology.
  • Will use best practices - keeping the AD server separate from the file and printer server.
  • The new AD will be on a new server with a different hostname and IP address. The old PDC will remain running until the new AD is in place and tested.

Most info for doing this is detailed in the link below:

Some gotchas are detailed in:

Another gotcha that I ran into was that my old PDC was using a local Windows built-in group (Print Operators in this case), and such mapped groups will cause the classicupgrade process to fail.

What isn’t immediately realized (or wasn’t by me) is that if you just take a brand new Samba install on a brand new server and attempt the classicupgrade process as detailed above, there will be problems. The reason is that Samba PDC databases do not contain all of the information necessary to do the upgrade. The users, machines, and groups all exist in ‘nix land and are necessary to that environment.

Even though the new AD (again operating as just an AD) itself does not need the ‘nix equivalent users and groups for proper operation, the upgrade process does.

It is necessary to create the same users (including machines) and groups on the new “virgin” box. It is not necessary to match the UIDs of the users or machines, but the GIDs of the groups must match, and the users need to be added to the groups they are members of.

Once the upgrade is complete and the AD is up and running, the added ‘nix users and groups can be removed.
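
One way to script the account re-creation described above, as an added example that is not part of the original post: it reads copies of the old PDC's /etc/group and /etc/passwd and prints groupadd/useradd/usermod commands for review, keeping the GIDs and group memberships and leaving the UIDs to the new system. The function names, the ID-range filter used to pick the Samba-related accounts, and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: print (not run) the account commands for the new box.
# Inputs are copies of the old PDC's /etc/group and /etc/passwd.
# Assumption: the accounts to migrate have IDs in [min, max); adjust per site.
gen_account_cmds() {   # $1=group file  $2=passwd file  $3=min ID  $4=max ID
    awk -F: -v min="${3:-1000}" -v max="${4:-60000}" -v q="'" '
        FNR == NR {                                  # first file: group
            if ($3 >= min && $3 < max) {
                gid[$3] = $1; members[$1] = $4; order[++n] = $1
                printf "groupadd -g %s %s\n", $3, q $1 q   # GID matches old PDC
            }
            next
        }
        $3 >= min && $3 < max {                      # second file: passwd
            known[$1] = 1
            # UID is not pinned; keep the primary group only if it was migrated
            prim = ($4 in gid) ? "-g " $4 : "-N"
            printf "useradd -M %s -s /bin/false %s\n", prim, q $1 q
        }
        END {                                        # supplementary memberships
            for (i = 1; i <= n; i++) {
                m = split(members[order[i]], u, ",")
                for (j = 1; j <= m; j++)
                    if (u[j] in known)
                        printf "usermod -aG %s %s\n", q order[i] q, q u[j] q
            }
        }
    ' "$1" "$2"
}

sample_run() {   # constructed sample data, not taken from a real server
    d=$(mktemp -d)
    cat > "$d/group" <<'EOF'
root:x:0:
users:x:100:
staff:x:1001:alice,bob
accounts:x:1002:bob
machines:x:1003:
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1001::/home/alice:/bin/bash
bob:x:1004:100::/home/bob:/bin/bash
WS01$:x:1005:1003::/dev/null:/bin/false
EOF
    gen_account_cmds "$d/group" "$d/passwd" 1000
    rm -rf "$d"
}
sample_run
```

Review the printed commands before running them as root on the new server; machine account names are single-quoted so the trailing `$` is not expanded by the shell.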