Migrating a Samba domain to a Microsoft domain
If you have problems with your Samba-AD, before you migrate to MS-AD, give us a call to talk about it!
Overview of the procedure
In the following documentation, it is assumed:
That the last Samba-AD server, which we keep in the domain until the switch to MS-AD, is called samba-ad1.mydomain.lan.
That the temporary MS-AD server needed to initiate the migration process is called ms-ad-temp.mydomain.lan.
That the first final MS-AD server, which will be kept at the end of the migration, is called ms-ad-final1.mydomain.lan.
That the second final MS-AD server, which will also be kept at the end of the migration, is called ms-ad-final2.mydomain.lan.
In the instructions below, replace mydomain.lan with your own domain name and the machine names with names of your choosing.
The first Windows machine, ms-ad-temp.mydomain.lan, is only a transition machine: there is currently a problem with the ntSecurityDescriptor attribute (the attribute that carries the security descriptor, i.e. the ACL, of each LDAP object) when ms-ad-temp.mydomain.lan is joined to samba-ad1.mydomain.lan. So ms-ad-temp.mydomain.lan is used as a pivot.
Then ms-ad-final1.mydomain.lan is joined to ms-ad-temp.mydomain.lan, which ensures that replication works properly and that the ACLs on LDAP objects and on SYSVOL are correctly applied.
Next, the ms-ad-temp.mydomain.lan controller will be removed.
Finally, a second Windows domain controller, ms-ad-final2.mydomain.lan, is added to the Windows 2012R2 domain, which validates that the whole domain works correctly.
Joining a first MS-AD domain controller to the Samba-AD domain
Prepare a first Windows 2012R2 ms-ad-temp.mydomain.lan machine by following the official Microsoft Sysprep documentation.
Integrate ms-ad-temp.mydomain.lan into the Samba-AD domain by following the documentation for joining a Windows AD to a Samba-AD domain.
Demoting the Samba-AD domain controllers
Once the MS-AD server has joined the domain correctly, you need to demote the Samba-AD servers. To do this, it is best to remove all references to the Samba-AD domain controllers directly from the directory held by ms-ad-temp.mydomain.lan.
Note
Conceptually, it is better to delete references from the server that remains active than from the server you want to delete.
Remove all domain controllers except samba-ad1.mydomain.lan. For each of the other controllers of the Samba-AD domain, execute the following command on samba-ad1.mydomain.lan (this option removes the metadata of a controller that is no longer reachable, so stop Samba on that controller first):
samba-tool domain demote --remove-other-dead-server=<other-samba-servers>
Stop the Samba services on the last Samba-AD controller, samba-ad1.mydomain.lan. The machine itself stays up a little while longer: we keep using samba-tool from it for some of the following operations, and it also makes your mourning of Samba-AD less painful.
systemctl stop samba
systemctl disable samba
Remove the last Samba-AD domain controller by running the following command on samba-ad1.mydomain.lan, pointing it at the MS-AD server ms-ad-temp.mydomain.lan:
samba-tool domain demote --remove-other-dead-server=samba-ad1 -H ldap://ms-ad-temp.mydomain.lan -U administrator
Check that the FSMO roles were transferred during this last demotion. The DomainDnsZones and ForestDnsZones roles usually remain untransferred, so their transfer is forced with a seize:
samba-tool fsmo show -H ldap://ms-ad-temp.mydomain.lan -U administrator
samba-tool fsmo seize --role=all -H ldap://ms-ad-temp.mydomain.lan -U administrator
Clean up DNS. In a DNS console opened on ms-ad-temp.mydomain.lan, check that the DNS records for ms-ad-temp.mydomain.lan are all present (A, NS, SRV and CNAME records) and delete the DNS records that reference samba-ad1.mydomain.lan. Also correct the glue records (NS records) of the _msdcs delegation in the mydomain.lan zone (not in the _msdcs.mydomain.lan zone).
Create the reverse zone if it does not exist yet, then create the PTR record for ms-ad-temp.mydomain.lan.
We now have a fully Microsoft domain with a single domain controller.
Raise the domain and forest functional levels to Windows Server 2012 R2 with PowerShell:
Set-ADDomainMode -identity mydomain.lan -DomainMode Windows2012R2Domain
Set-ADForestMode -identity mydomain.lan -ForestMode Windows2012R2Forest
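Two checks for the end of this procedure, as an added example that is not part of the Tranquil IT page: one shell function reads the output of samba-tool fsmo show and prints the roles that are not yet owned by the given controller, together with the --role value needed to seize each of them; the other reads a zone dump in the layout printed by samba-tool dns query and lists the records that still reference the decommissioned controller. The two samples embedded in the script are constructed (the 192.0.2.x addresses, serials and flags are made up, and the record layout is reproduced from memory), and the controller names are the ones assumed throughout this page.

```shell
#!/usr/bin/env bash
# Added example: post-demotion checks (not code from the page).
# Both functions read a dump on stdin, so they take the constructed samples below
# or real output, for instance:
#   samba-tool fsmo show -H ldap://ms-ad-temp.mydomain.lan -U administrator | fsmo_roles_not_on MS-AD-TEMP
#   samba-tool dns query ms-ad-temp.mydomain.lan mydomain.lan @ ALL -U administrator | dns_refs_to samba-ad1.mydomain.lan
set -eu

# Print each FSMO role whose owner is not the NTDS Settings object of the DC named in $1.
# Input lines look like: "SchemaMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,..."
fsmo_roles_not_on() {
  LC_ALL=C awk -v dc="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" '
    /Role owner:/ && index(toupper($0), "CN=NTDS SETTINGS,CN=" dc ",") == 0 { print $1 }'
}

# Map the role names printed by "samba-tool fsmo show" to the values accepted by
# "samba-tool fsmo seize --role=".
seize_role_arg() {
  case "$1" in
    SchemaMasterRole)         echo schema ;;
    InfrastructureMasterRole) echo infrastructure ;;
    RidAllocationMasterRole)  echo rid ;;
    PdcEmulationMasterRole)   echo pdc ;;
    DomainNamingMasterRole)   echo naming ;;
    DomainDnsZonesMasterRole) echo domaindns ;;
    ForestDnsZonesMasterRole) echo forestdns ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Print "name type data" for every record whose data mentions the host in $1
# (case-insensitive substring match, so pass the FQDN to avoid matching samba-ad10).
# The dump uses the "  Name=..., Records=..." / "    TYPE: data (...)" layout of samba-tool dns query;
# an empty Name is the zone apex, printed as "@".
dns_refs_to() {
  LC_ALL=C awk -v old="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^ *Name=/ { split($0, f, /[=,]/); name = (f[2] == "" ? "@" : f[2]) }
    /^ *[A-Z]+:/ && index(tolower($0), old) { sub(/^ +/, ""); t = $1; sub(/:$/, "", t); print name, t, $2 }'
}

# Constructed sample: five roles already on MS-AD-TEMP, the two DNS roles still on SAMBA-AD1.
FSMO_SAMPLE='SchemaMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'

# Constructed sample zone dump for mydomain.lan (addresses, serials and flags are made up):
# stale NS glue at the apex and under _msdcs, plus a stale SRV record, all still naming samba-ad1.
ZONE_SAMPLE='  Name=, Records=4, Children=3
    SOA: serial=110, refresh=900, retry=600, expire=86400, minttl=3600, ns=ms-ad-temp.mydomain.lan., email=hostmaster.mydomain.lan. (flags=600000f0, serial=110, ttl=3600)
    NS: ms-ad-temp.mydomain.lan. (flags=600000f0, serial=110, ttl=3600)
    NS: samba-ad1.mydomain.lan. (flags=600000f0, serial=110, ttl=3600)
    A: 192.0.2.20 (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=2, Children=0
    NS: ms-ad-temp.mydomain.lan. (flags=600000f0, serial=110, ttl=3600)
    NS: samba-ad1.mydomain.lan. (flags=600000f0, serial=110, ttl=3600)
  Name=_ldap._tcp, Records=2, Children=0
    SRV: ms-ad-temp.mydomain.lan. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
    SRV: samba-ad1.mydomain.lan. (389, 0, 100) (flags=600000f0, serial=110, ttl=900)
  Name=ms-ad-temp, Records=1, Children=0
    A: 192.0.2.20 (flags=f0, serial=110, ttl=900)'

# Demonstration on the constructed samples.
echo "FSMO roles not on MS-AD-TEMP (seize these):"
printf '%s\n' "$FSMO_SAMPLE" | fsmo_roles_not_on MS-AD-TEMP | while read -r role; do
  echo "  $role -> samba-tool fsmo seize --role=$(seize_role_arg "$role") -H ldap://ms-ad-temp.mydomain.lan -U administrator"
done
echo "DNS records still referencing samba-ad1.mydomain.lan (delete these):"
printf '%s\n' "$ZONE_SAMPLE" | dns_refs_to samba-ad1.mydomain.lan | sed 's/^/  /'
```

Run the zone check once per zone, for mydomain.lan and again for _msdcs.mydomain.lan, since the CNAME that points at the old controller lives in the latter; the NS glue for the _msdcs delegation shows up under the _msdcs name of the mydomain.lan dump, as in the sample.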
Joining the first definitive Windows domain controller
To finish the migration, a second MS-AD server must be put in place and the DFS-R replication of SYSVOL must be reset:
Sysprep a second Windows 2012R2 ms-ad-final1.mydomain.lan machine by following the official Microsoft Sysprep documentation.
Join ms-ad-final1.mydomain.lan to the domain, using ms-ad-temp.mydomain.lan as the domain controller.
With a DNS console open on ms-ad-final1.mydomain.lan, check that all the DNS records are present.
On ms-ad-final1.mydomain.lan, check replication:
repadmin /kcc
repadmin /showrepl
Demote ms-ad-temp.mydomain.lan by executing the following command on samba-ad1.mydomain.lan (with the Samba services stopped and disabled, of course, and ms-ad-temp.mydomain.lan shut down, since the option removes a controller that is no longer reachable):
samba-tool domain demote --remove-other-dead-server=ms-ad-temp -H ldap://ms-ad-final1.mydomain.lan -U administrator
Clean up DNS as in the previous section, this time removing the records that reference ms-ad-temp.mydomain.lan.
Regenerate the DFS-R objects for SYSVOL and restart the DFS-R service:
dfsrmig /createglobalobjects
net stop dfsr
net start dfsr
Check that dcdiag is clean (warning: dcdiag may report old event log errors that are unrelated to the migration):
dcdiag
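A check for the replication step of this procedure, as an added example that is not code from the page: repadmin /showrepl * /csv on the Windows controller writes a CSV in which each inbound replication link is one row, and the filter below prints the links whose failure counter is non-zero, which is the condition to look for before demoting ms-ad-temp.mydomain.lan. The sample is constructed (made-up timestamps, controller names as assumed on this page); the column names are the ones repadmin writes as far as we know them, and the filter looks columns up by header name so that their order does not matter.

```shell
#!/usr/bin/env bash
# Added example: flag failing inbound replication links in the CSV produced by
#   repadmin /showrepl * /csv > showrepl.csv
# on the Windows DC (not code from the page; the sample below is constructed).
set -eu

# Read repadmin's CSV on stdin and print one line per inbound link with at least one failure:
#   <destination DC> <- <source DC>  <naming context>  failures=<n>  status=<last failure status>
# Columns are located from the "showrepl_COLUMNS" header row. Naming contexts such as
# "DC=mydomain,DC=lan" are double-quoted in the CSV, hence the small quote-aware splitter.
repl_failures() {
  LC_ALL=C awk '
    function csv_split(line, out,   n, i, c, field, inq) {
      n = 0; field = ""; inq = 0
      for (i = 1; i <= length(line); i++) {
        c = substr(line, i, 1)
        if (c == "\"")              inq = !inq
        else if (c == "," && !inq) { out[++n] = field; field = "" }
        else                        field = field c
      }
      out[++n] = field
      return n
    }
    {
      sub(/\r$/, "")                      # repadmin writes CRLF line endings
      n = csv_split($0, f)
      if (f[1] == "showrepl_COLUMNS") {   # header row: remember the index of each column
        for (i = 1; i <= n; i++) col[f[i]] = i
        next
      }
      if (f[1] != "showrepl_INFO" || !("Number of Failures" in col)) next
      if (f[col["Number of Failures"]] + 0 > 0) {
        msg = f[col["Destination DSA"]] " <- " f[col["Source DSA"]] "  " f[col["Naming Context"]]
        msg = msg "  failures=" f[col["Number of Failures"]] "  status=" f[col["Last Failure Status"]]
        print msg
      }
    }'
}

# Constructed sample in the layout of "repadmin /showrepl /csv": two healthy links from
# MS-AD-TEMP and one naming context that has failed three times (8524 is the status repadmin
# reports when the source DC cannot be resolved in DNS).
SHOWREPL_SAMPLE='showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,MS-AD-FINAL1,"DC=mydomain,DC=lan",Default-First-Site-Name,MS-AD-TEMP,RPC,0,0,2019-05-03 10:12:00,0
showrepl_INFO,Default-First-Site-Name,MS-AD-FINAL1,"CN=Configuration,DC=mydomain,DC=lan",Default-First-Site-Name,MS-AD-TEMP,RPC,0,0,2019-05-03 10:12:00,0
showrepl_INFO,Default-First-Site-Name,MS-AD-FINAL1,"DC=DomainDnsZones,DC=mydomain,DC=lan",Default-First-Site-Name,MS-AD-TEMP,RPC,3,2019-05-03 10:05:00,2019-05-03 09:40:00,8524'

# Demonstration on the constructed sample; an empty output means every link is healthy.
printf '%s\n' "$SHOWREPL_SAMPLE" | repl_failures
```

Copy the CSV off the Windows controller (or run the filter under WSL) and feed it on stdin; a failing DomainDnsZones or ForestDnsZones partition is exactly the kind of link to fix before the old controller is removed, since those partitions are the ones whose FSMO roles had to be seized earlier.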
Joining the second final Windows domain controller
This step validates that the domain works properly in an MS-AD-only environment.
Sysprep a third Windows 2012R2 machine, ms-ad-final2.mydomain.lan, by following the official Microsoft Sysprep documentation.
Join ms-ad-final2.mydomain.lan to the Windows domain by following the documentation for joining a Windows AD to a domain, stopping after the section on joining. After the reboot, the SYSVOL directory must be replicated correctly and the SYSVOL and NetLogon shares must be created without changing the SysvolReady key.
Clean up DNS (pay attention to the CNAME record in _msdcs).
Verify that replication works properly by creating a file in the SYSVOL folder and checking that it is replicated to the other controller.
Turning off your Samba permanently
On samba-ad1.mydomain.lan, run the command:
shutdown -h now
Optionally: update your CV.
Note
Now you have a Microsoft domain that works the same way as your Samba-AD domain did. If your Samba-AD domain did not work well, your MS-AD domain will not work any better.
You can always rely on Tranquil IT to help you. Mastering Samba and MS-AD is above all a matter of understanding the Active Directory protocols, and we hope this documentation has demonstrated that mastery.