.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Migrating from Samba3-NT4 to Samba-AD
   :keywords: migration, migrate, Samba-AD, documentation, Samba3, NT4

.. _migrate_from_samba3_to_samba-ad:

#####################################
Migrating from Samba3-NT4 to Samba-AD
#####################################

This documentation describes how to migrate a Samba NT4 PDC to a Samba Active Directory.

The NT4 domain type, also called *classic* in the Samba documentation, refers to the old operating mode that emulated an NT4 domain controller. A Samba 4.x server can also run in NT4 mode; in that case, the migration procedure is the same.

***********************************
Preparing Samba-AD Active Directory
***********************************

Install your new machine with a basic Debian 64bit by :ref:`following this documentation `.

.. note::

   In this documentation, it is assumed:

   * That the Samba3-NT4 domain controller uses **OpenLDAP** as backend.

   * That the existing Samba3-NT4 server is called *samba3*.

   * That the new Debian Stretch 64bit server that you just installed following the :ref:`Samba-AD installation documentation ` is called *srvads* and that the target forest and domain level is 2008R2.

   * That the domain is called *mydomain.lan*.

   In the instructions below, replace *mydomain.lan* with your own domain name and *srvads* with the machine name of your choice.

Installing additional software libraries for the migration
==========================================================

.. code-block:: bash

   apt-get install python-ldap libldap2-dev

*********************************
Migrating the Samba-NT4 user base
*********************************

Transferring data from Samba3-NT4 to Samba-AD
=============================================

* Create the directory :file:`/root/samba3` on *srvads*:

  .. code-block:: bash

     mkdir /root/samba3

* Stop the samba service on *samba3* and transfer the required files from *samba3* to *srvads*:

  .. code-block:: bash

     /etc/init.d/samba stop
     rsync -aP /var/lib/samba/private/secrets.tdb root@IPsrvads:/root/samba3/
     rsync -aP /etc/samba/smb.conf root@IPsrvads:/root/samba3/

  where *IPsrvads* is the IP address of your new Samba-AD server.

* On *srvads*, edit the file :file:`/root/samba3/smb.conf` and replace the server name if needed:

  .. code-block:: ini

     netbios name =

*************************************
Migrating from Samba3-NT4 to Samba-AD
*************************************

* Import the machine accounts and user accounts:

  .. code-block:: bash

     samba-tool domain samba3upgrade --dbdir=/root/samba3/ --realm=MYDOMAIN.LAN /root/samba3/smb.conf

.. hint:: Possible errors during the import:

   * Unable to connect to LDAP. In :file:`/root/samba3/smb.conf`, if the LDAP connection IP points to 127.0.0.1, set it to the IP address of *samba3*.

   * `Duplicate SID `_.

   * Unable to retrieve the :abbr:`UID (Unique IDentifier)`. Check that the user in question has its POSIX properties and correct the entry if necessary (manually or by script).

   * Old reference to a BDC domain controller that no longer exists: delete the entry.

   * Groups and users with the same name: delete or rename one of the two.

Adjusting post-configuration
============================

* On *srvads*, add the :abbr:`DNS (Domain Name System)` *forwarder* in the file :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     dns forwarder = 8.8.8.8

* On *srvads*, delete the following line from :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     idmap_ldb:use rfc2307 = yes

* When the packages are installed, the :program:`Samba` service is automatically started as a file server. The easiest way to restart it with the new configuration is to reboot the server with :command:`reboot`:

  .. code-block:: bash

     reboot

* Edit :file:`/etc/resolv.conf` so that the server uses itself as its DNS resolver:

  .. code-block:: ini

     search mydomain.lan
     nameserver 127.0.0.1

* Check that the DNS entries are correct:

  .. code-block:: bash

     dig @127.0.0.1 srvads.mydomain.lan
     # the SRV query below should return the machine srvads.mydomain.lan
     dig -t SRV @127.0.0.1 _ldap._tcp.mydomain.lan
     dig @127.0.0.1 google.fr

* Then :ref:`configure the NTP service `;

* Reconfigure the :file:`/etc/nsswitch.conf` of the servers that use :program:`nss_ldap` so that they use :program:`nss_winbind` instead;

* Add the *forward* and *reverse* DNS entries for all the servers in the fleet.

Useful links
============

* https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
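
Three of the import errors listed in the hint of the migration chapter (duplicate SID, missing UID, a group and a user with the same name) can be looked for before running :command:`samba-tool`. The following check is an added example, not part of the original documentation or of Samba. It assumes an LDIF export of the *samba3* OpenLDAP backend (for example produced with :command:`slapcat`); the sample entries and the function names ``parse_ldif`` and ``preflight`` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: LDIF export of the Samba3 OpenLDAP backend (assumed input).
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=mydomain,dc=lan
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
sambaSID: S-1-5-21-1-2-3-3002

dn: uid=bob,ou=Users,dc=mydomain,dc=lan
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1-2-3-3002

dn: cn=alice,ou=Groups,dc=mydomain,dc=lan
objectClass: sambaGroupMapping
cn: alice
sambaSID: S-1-5-21-1-2-3-5003
"""

def parse_ldif(text):
    """Yield each entry as {lowercased attribute: [values]}; unfolds wrapped lines."""
    for block in text.replace("\n ", "").split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        if entry["dn"]:  # skip header blocks such as "version: 1"
            yield entry

def preflight(text):
    """Report duplicate SIDs, Samba accounts without uidNumber, user/group name clashes."""
    sids, users, groups, no_uid = defaultdict(list), set(), set(), []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e["objectclass"]}
        for sid in e["sambasid"]:
            sids[sid].append(e["dn"][0])
        if "sambasamaccount" in classes:
            users.update(u.lower() for u in e["uid"])
            if not e["uidnumber"]:  # POSIX properties missing
                no_uid.append(e["dn"][0])
        if "sambagroupmapping" in classes:
            groups.update(c.lower() for c in e["cn"])
    return {"duplicate_sids": {s: d for s, d in sids.items() if len(d) > 1},
            "missing_uidnumber": no_uid,
            "name_collisions": sorted(users & groups)}
```

Calling ``preflight()`` on the exported LDIF returns the entries to correct, delete or rename on *samba3* before the import is started.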