.. Reminder for header structure:
   Parts (H1) : #################### with overline
   Chapters (H2) : ******************** with overline
   Sections (H3) : ====================
   Subsections (H4) : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6) : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Migrating a Samba domain to a Microsoft domain
   :keywords: Windows, Samba-AD, documentation, MSAD

.. _samba_migration_to_ms_domain:

##################################################################################################
Migrating a Samba domain to a Microsoft domain
##################################################################################################

If you have problems with your Samba-AD, before you migrate to MS-AD, :ref:`give us a call to talk about it `!

*****************************
Presentation of the procedure
*****************************

In the following documentation, it is assumed:

* that the last Samba-AD server, kept in the domain until the switch to MS-AD, is called *samba-ad1.mydomain.lan*;
* that the temporary MS-AD server needed to initiate the migration is called *ms-ad-temp.mydomain.lan*;
* that the first final MS-AD, kept at the end of the migration, is called *ms-ad-final1.mydomain.lan*;
* that the second final MS-AD, kept at the end of the migration, is called *ms-ad-final2.mydomain.lan*.

In the instructions below, replace *mydomain.lan* with your own domain name and the machine names with names of your choosing.

The first Windows machine, *ms-ad-temp.mydomain.lan*, is only a transition machine: there is currently a problem with the ``ntSecurityDescriptor`` attribute when *ms-ad-temp.mydomain.lan* is joined directly to *samba-ad1.mydomain.lan*, so *ms-ad-temp.mydomain.lan* will be used as a pivot.
Then *ms-ad-final1.mydomain.lan* will be joined to *ms-ad-temp.mydomain.lan*, which ensures that replication works properly and that the ACLs on LDAP and on :file:`SYSVOL` are correctly applied. Next, the *ms-ad-temp.mydomain.lan* controller will be removed. Finally, a second Windows domain controller, *ms-ad-final2.mydomain.lan*, will be added to the Windows 2012R2 domain, which allows a global validation that everything works correctly.

Joining a first MS-AD domain controller to the Samba-AD domain
==============================================================

* **Prepare** a first Windows 2012R2 machine, *ms-ad-temp.mydomain.lan*, by following the `official Microsoft Sysprep documentation `_.
* Join *ms-ad-temp.mydomain.lan* to the Samba-AD domain by following the documentation for :ref:`joining a Windows AD in a Samba-AD domain `.

Demoting the Samba-AD domain controllers
========================================

Once the MS-AD has correctly joined the domain, you need to demote the Samba-AD servers. To do this it is best to remove all references to the Samba-AD domain controllers directly from *ms-ad-temp.mydomain.lan*.

.. note::

   Conceptually it is better to delete references from the server that remains active rather than from the server you want to delete.

* Remove all domain controllers except *samba-ad1.mydomain.lan*. To do this, for each other controller of the Samba-AD domain, execute the following command on *samba-ad1.mydomain.lan*. Use ``--remove-other-dead-server`` only for controllers that are really gone: it purges the server's objects from the directory without contacting it, so a controller that is still reachable should be demoted normally instead.

  .. code-block:: bash

     samba-tool domain demote --remove-other-dead-server=

* Turn off the Samba services on the last Samba-AD, *samba-ad1.mydomain.lan*. We will nevertheless keep *samba-ad1.mydomain.lan* running for a little while longer, to continue to use the flexibility of the **samba-tool** commands for some subsequent operations, and also to make `your mourning of Samba-AD less painful `_.
  .. code-block:: bash

     systemctl stop samba
     systemctl disable samba

* Remove the last Samba-AD domain controller by running the following command on *samba-ad1.mydomain.lan*, pointing it at the MS-AD *ms-ad-temp.mydomain.lan*:

  .. code-block:: bash

     samba-tool domain demote --remove-other-dead-server=samba-ad1 -H ldap://ms-ad-temp.mydomain.lan -U administrator

* Check that the FSMO roles were transferred during this last demotion. The *DomainDnsZones* and *ForestDnsZones* roles will remain untransferred, so their transfer is forced with a seize. A seize is a forcible takeover that must only be done when the previous holder will never come back as a domain controller, which is the case for *samba-ad1.mydomain.lan* here:

  .. code-block:: bash

     samba-tool fsmo show -H ldap://ms-ad-temp.mydomain.lan -U administrator
     samba-tool fsmo seize --role=all -H ldap://ms-ad-temp.mydomain.lan -U administrator

* Clean the DNS entries. In a DNS console opened on *ms-ad-temp.mydomain.lan*, check that the DNS records for *ms-ad-temp.mydomain.lan* are all present (A, NS, SRV and CNAME records) and delete the DNS references to *samba-ad1.mydomain.lan*. Also correct the *glue records* (NS records) of the *_msdcs* delegation in the *mydomain.lan* zone (not in the *_msdcs.mydomain.lan* zone).
* Create the reverse zone if it does not exist yet, then create the PTR record for *ms-ad-temp.mydomain.lan*.

**Now we have a full Microsoft domain with a single domain controller.**

* Raise the domain and forest functional levels to 2012R2 with :program:`PowerShell`:

  .. code-block:: text

     Set-ADDomainMode -Identity mydomain.lan -DomainMode Windows2012R2Domain
     Set-ADForestMode -Identity mydomain.lan -ForestMode Windows2012R2Forest

Joining the first definitive Windows domain controller
======================================================

To finish the migration it is necessary to put a second MS-AD in place and to reset the DFS-R part of the :file:`SYSVOL` replication:

* **Sysprep** a second Windows 2012R2 machine, *ms-ad-final1.mydomain.lan*, by following the official `Microsoft Sysprep documentation `_.
* Join *ms-ad-final1.mydomain.lan* to the domain through the domain controller *ms-ad-temp.mydomain.lan*.
* With a DNS console open on *ms-ad-final1.mydomain.lan*, check that the DNS records are all present.
* On *ms-ad-final1.mydomain.lan*, check replication:

  .. code-block:: text

     repadmin /kcc
     repadmin /showrepl

* Demote *ms-ad-temp.mydomain.lan* by executing the following command on *samba-ad1.mydomain.lan* (with, of course, the Samba services stopped and disabled). As ``--remove-other-dead-server`` is metadata cleanup for a server that is no longer reachable, *ms-ad-temp.mydomain.lan* should be powered off at this point:

  .. code-block:: bash

     samba-tool domain demote --remove-other-dead-server=ms-ad-temp -H ldap://ms-ad-final1.mydomain.lan -U administrator

* Clean DNS as in the previous section, this time removing the references to *ms-ad-temp.mydomain.lan*.
* Regenerate the DFS-R objects:

  .. code-block:: text

     dfsrmig /createglobalobjects
     net stop dfsr
     net start dfsr

* Check that :command:`dcdiag` is clean (warning: :command:`dcdiag` may display event log errors that are obsolete and unrelated to the migration):

  .. code-block:: text

     dcdiag

Joining the second final Windows domain controller
==================================================

This step validates the proper functioning of the domain in an MS-AD environment.

* **Sysprep** a third Windows 2012R2 machine, *ms-ad-final2.mydomain.lan*, by following the `Microsoft Sysprep documentation `_.
* Join *ms-ad-final2.mydomain.lan* to the Windows domain by following the documentation for :ref:`joining a Windows AD in a domain `, stopping after the section on joining. After the reboot, the :file:`SYSVOL` directory must be correctly replicated and the :file:`SYSVOL` and ``NetLogon`` shares must be created without touching the ``SysvolReady`` registry key.
* Clean DNS (**pay attention to the _msdcs** CNAME record).
* Verify that replication works properly by creating a file in the :file:`SYSVOL` folder and checking that it is replicated.

Turning off your Samba permanently
==================================

* On *samba-ad1.mydomain.lan*, run:

  .. code-block:: bash

     shutdown -h now

* Optionally: update your CV.
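Before the final ``shutdown -h now`` above, one last check is worth running on *samba-ad1.mydomain.lan* while samba-tool is still available: that every FSMO role, including the two DNS-zone roles the earlier demotion leaves behind, is held by the surviving MS-AD, and that neither *mydomain.lan* nor *_msdcs.mydomain.lan* still carries an NS glue, SRV, SOA or CNAME record pointing at a retired controller. The script below is an added example written for this page, not part of the original procedure nor of Samba's own tooling. It assumes the text formats printed by ``samba-tool fsmo show`` and ``samba-tool dns query SERVER ZONE @ ALL`` on Samba 4.x and the hostnames used in this page; the two samples embedded in it are constructed, not captured from a real domain.

```shell
#!/bin/sh
# Final pre-shutdown check, run on samba-ad1 (Samba stopped, samba-tool still
# installed) against the surviving MS-AD controller. Added example for this
# page, not part of the original procedure or of Samba. Assumes the output
# formats of "samba-tool fsmo show" and "samba-tool dns query SERVER ZONE @ ALL".

# Map the role names printed by "samba-tool fsmo show" to the values accepted
# by "samba-tool fsmo seize --role=".
role_flag() {
    case "$1" in
        SchemaMasterRole)         echo schema ;;
        InfrastructureMasterRole) echo infrastructure ;;
        RidAllocationMasterRole)  echo rid ;;
        PdcEmulationMasterRole)   echo pdc ;;
        DomainNamingMasterRole)   echo naming ;;
        DomainDnsZonesMasterRole) echo domaindns ;;
        ForestDnsZonesMasterRole) echo forestdns ;;
        *)                        echo "$1" ;;
    esac
}

# fsmo_roles_not_on DC  (reads "samba-tool fsmo show" output on stdin)
# Prints the seize flag of every role whose owner is not the NTDS Settings
# object of DC (short hostname, compared case-insensitively).
fsmo_roles_not_on() {
    local dc=$1 line role owner
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *" owner: "*) ;; *) continue ;; esac
        role=${line%%" owner:"*}
        owner=${line#*" owner: "}
        if ! printf '%s\n' "$owner" | grep -qi "^CN=NTDS Settings,CN=$dc,"; then
            role_flag "$role"
        fi
    done
}

# dns_refs_to HOST  (reads "samba-tool dns query SERVER ZONE @ ALL" on stdin)
# Prints "node TYPE data" for every record whose data still names HOST:
# the _msdcs NS glue, SRV targets, the SOA primary server, CNAME targets.
dns_refs_to() {
    local host=$1 node=@ line type data
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"Name="*", Records="*)          # header line of a new DNS node
                node=${line#*Name=}; node=${node%%,*}
                [ -n "$node" ] || node=@
                continue ;;
            "    "[A-Z]*": "*) ;;            # a record line of that node
            *) continue ;;
        esac
        line=${line#"${line%%[![:space:]]*}"}   # drop the indentation
        type=${line%%:*}
        data=${line#*": "}
        data=${data%" (flags="*}                # drop flags/serial/ttl
        if printf '%s\n' "$data" | grep -qiF -- "$host"; then
            printf '%s %s %s\n' "$node" "$type" "$data"
        fi
    done
}

# Live run:  sh final-check.sh SURVIVING_DC DOMAIN RETIRED_DC...
#   sh final-check.sh ms-ad-final1.mydomain.lan mydomain.lan samba-ad1 ms-ad-temp
# Exit status 1 if a role still has to be seized or a zone still references a
# retired controller. Each samba-tool call prompts for the administrator password.
live_check() {
    local dc=$1 domain=$2 rc=0 r zone old dump refs
    shift 2
    for r in $(samba-tool fsmo show -H "ldap://$dc" -U administrator | fsmo_roles_not_on "${dc%%.*}"); do
        echo "role not held by $dc; run: samba-tool fsmo seize --role=$r -H ldap://$dc -U administrator"
        rc=1
    done
    for zone in "$domain" "_msdcs.$domain"; do
        dump=$(samba-tool dns query "$dc" "$zone" @ ALL -U administrator)
        for old in "$@"; do
            refs=$(printf '%s\n' "$dump" | dns_refs_to "$old")
            if [ -n "$refs" ]; then
                printf 'zone %s still references %s:\n%s\n' "$zone" "$old" "$refs"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed samples (not captured from a real domain): the two DNS-zone roles
# are still on SAMBA-AD1, the _msdcs NS glue still names samba-ad1 and an LDAP
# SRV record still names ms-ad-temp.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=MS-AD-FINAL1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=MS-AD-FINAL1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=MS-AD-FINAL1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=MS-AD-FINAL1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=MS-AD-FINAL1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'
SAMPLE_DNS='  Name=@, Records=2, Children=2
    SOA: serial=2201, refresh=900, retry=600, expire=86400, minttl=3600, ns=ms-ad-final1.mydomain.lan., email=hostmaster.mydomain.lan. (flags=600000f0, serial=2201, ttl=3600)
    NS: ms-ad-final1.mydomain.lan. (flags=600000f0, serial=2201, ttl=900)
  Name=_msdcs, Records=2, Children=0
    NS: ms-ad-final1.mydomain.lan. (flags=600000f0, serial=2201, ttl=900)
    NS: samba-ad1.mydomain.lan. (flags=600000f0, serial=110, ttl=900)
  Name=_ldap._tcp, Records=2, Children=0
    SRV: ms-ad-final1.mydomain.lan. (389, 0, 100) (flags=600000f0, serial=2201, ttl=900)
    SRV: ms-ad-temp.mydomain.lan. (389, 0, 100) (flags=600000f0, serial=1500, ttl=900)'

if [ "$#" -ge 3 ]; then live_check "$@"; fi
```

Run it as ``sh final-check.sh ms-ad-final1.mydomain.lan mydomain.lan samba-ad1 ms-ad-temp``. A non-zero exit means something still has to be seized or deleted; the printed ``samba-tool fsmo seize --role=...`` lines seize exactly the missing roles rather than ``--role=all``, and each DNS line names the node, record type and data to remove in the Windows DNS console.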
.. note::

   Now you have a Microsoft domain that works the same way as your Samba-AD domain did. If your Samba-AD domain did not work well, your MS-AD domain will not work any better. You can always :ref:`rely on Tranquil IT ` to help you. Mastering Samba and MS-AD is above all a matter of understanding the Active Directory protocols, and we hope this documentation has demonstrated that mastery to you.