Migrating a Samba domain to a Microsoft domain

If you have problems with your Samba-AD, before you migrate to MS-AD, give us a call to talk about it!

Presentation of the procedure

In the following documentation, it is assumed:

  • That the last Samba-AD server we will keep in the domain until the switch to MS-AD is called samba-ad1.mydomain.lan.

  • That the temporary MS-AD server needed to initiate the migration process is called ms-ad-temp.mydomain.lan.

  • That the first final MS-AD that will be kept at the end of the migration is called ms-ad-final1.mydomain.lan.

  • That the second final MS-AD that will be kept at the end of the migration is called ms-ad-final2.mydomain.lan.

In the instructions described below, replace mydomain.lan with your own domain name and the machine names with names of your choosing.

The first Windows machine ms-ad-temp.mydomain.lan will be a transition machine, because there is currently a problem with the ntSecurityDescriptor attribute when joining ms-ad-temp.mydomain.lan to samba-ad1.mydomain.lan. So we will use ms-ad-temp.mydomain.lan as a pivot. Then ms-ad-final1.mydomain.lan will be joined to ms-ad-temp.mydomain.lan, which ensures that replication works properly and that the ACLs on LDAP and SYSVOL are correctly applied. Next, the ms-ad-temp.mydomain.lan controller will be removed. Finally, a second Windows domain controller ms-ad-final2.mydomain.lan will be added to the Windows 2012R2 domain, which allows a global validation that everything works correctly.

Joining a first MS-AD domain controller to the Samba-AD domain

Demoting the Samba-AD domain controllers

Once the MS-AD is correctly joined to the domain, you need to demote the Samba-AD servers. To do this, it is best to remove all references to the Samba-AD servers directly on ms-ad-temp.mydomain.lan.

Note

Conceptually it is better to delete references on the server that remains active rather than on the server you want to delete.

  • Remove all domain controllers except samba-ad1.mydomain.lan. To do this, for each other controller of the Samba-AD domain, execute the following command on samba-ad1.mydomain.lan:

    samba-tool domain demote --remove-other-dead-server=<other-samba-servers>
    
  • Turn off Samba services on the last Samba-AD samba-ad1.mydomain.lan. However, we will keep samba-ad1.mydomain.lan running for a little while longer to continue to use the flexibility of samba-tool commands for some subsequent operations, and also to make your mourning of Samba-AD less painful.

    systemctl stop samba
    systemctl disable samba
    
  • Remove the last Samba-AD domain controller by running the following command on samba-ad1.mydomain.lan. Point the command at the MS-AD ms-ad-temp.mydomain.lan:

    samba-tool domain demote --remove-other-dead-server=samba-ad1 -H ldap://ms-ad-temp.mydomain.lan -U administrator
    
  • Check that the FSMO roles have been transferred by the last demote. The DomainDnsZones and ForestDnsZones roles will remain untransferred, so their transfer is forced:

    samba-tool fsmo show -H ldap://ms-ad-temp.mydomain.lan -U administrator
    samba-tool fsmo seize --role=all -H ldap://ms-ad-temp.mydomain.lan -U administrator
    
  • Clean the DNS entries. In a DNS console opened on ms-ad-temp.mydomain.lan, check that the DNS records for ms-ad-temp.mydomain.lan are all present (A, NS, SRV and CNAME records) and delete the DNS references to samba-ad1.mydomain.lan. Also correct the glue records (NS records) for the _msdcs entry in the mydomain.lan zone (not in the _msdcs.mydomain.lan zone).

  • Create the reverse zone if it does not yet exist, then create the PTR record for ms-ad-temp.mydomain.lan.
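The FSMO and DNS checks of the steps above can be scripted instead of being done by eye. The following PowerShell script is an added example, not part of the original documentation; it assumes it runs on the remaining MS-AD with the ActiveDirectory and DnsServer modules installed, that ms-ad-temp must own every role, and that no record may still name samba-ad1. The DomainDnsZones and ForestDnsZones owners are read from the fSMORoleOwner attribute of the CN=Infrastructure object of each application partition, which is where those two roles are stored.

```powershell
# Added post-demotion verification script (not from the original page).
# Assumptions: run on the MS-AD, modules installed, names as in the documentation.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain   = 'mydomain.lan'
$Expected = 'ms-ad-temp'   # short name of the DC that must own all FSMO roles
$Retired  = 'samba-ad1'    # demoted DC that must no longer appear in DNS
$Problems = @()

# 1. The five classic FSMO roles, as reported by the forest and domain objects.
$Forest = Get-ADForest -Identity $Domain
$Dom    = Get-ADDomain -Identity $Domain
$Roles  = @{
    SchemaMaster         = $Forest.SchemaMaster
    DomainNamingMaster   = $Forest.DomainNamingMaster
    PDCEmulator          = $Dom.PDCEmulator
    RIDMaster            = $Dom.RIDMaster
    InfrastructureMaster = $Dom.InfrastructureMaster
}
foreach ($r in $Roles.GetEnumerator()) {
    if ($r.Value -notlike "$Expected.*") { $Problems += "$($r.Key) is on $($r.Value)" }
}

# 2. The DomainDnsZones / ForestDnsZones roles that samba-tool leaves behind:
#    fSMORoleOwner holds the DN of the owning DC's NTDS Settings object.
$Base = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
foreach ($part in 'DomainDnsZones', 'ForestDnsZones') {
    $dn    = "CN=Infrastructure,DC=$part,$Base"
    $owner = (Get-ADObject -Identity $dn -Properties fSMORoleOwner).fSMORoleOwner
    if ($owner -notlike "*CN=$Expected,*") { $Problems += "$part role owner is $owner" }
}

# 3. SRV records: every DC advertised for LDAP/Kerberos must be a live MS-AD DC.
foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain") {
    $targets = (Resolve-DnsName -Name $srv -Type SRV).NameTarget
    if ($targets -like "$Retired.*") { $Problems += "$srv still points at $Retired" }
}

# 4. NS glue for _msdcs in the parent zone (the record the procedure fixes by hand).
$glue = Get-DnsServerResourceRecord -ZoneName $Domain -Name '_msdcs' -RRType NS
foreach ($g in $glue) {
    if ($g.RecordData.NameServer -like "$Retired.*") { $Problems += "_msdcs NS glue names $Retired" }
}

if ($Problems) { $Problems | ForEach-Object { Write-Warning $_ } }
else { 'Post-demotion FSMO and DNS checks passed' }
```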

Now we have a full Microsoft domain with a single domain controller.

  • Raise the domain and forest functional levels to 2012R2 with PowerShell:

    Set-ADDomainMode -identity mydomain.lan -DomainMode Windows2012R2Domain
    Set-ADForestMode -identity mydomain.lan -ForestMode Windows2012R2Forest
    

Joining the first definitive Windows domain controller

To finish the migration it is necessary to put a second MS-AD in place and to reset the DFS-R part for the replication of the SYSVOL:

  • Sysprep a second Windows 2012R2 machine, ms-ad-final1.mydomain.lan, following the official Microsoft Sysprep documentation.

  • Join ms-ad-final1.mydomain.lan to the domain as a domain controller, replicating from ms-ad-temp.mydomain.lan.

  • With a DNS console open on ms-ad-final1.mydomain.lan, check that the DNS records are all present.

  • On ms-ad-final1.mydomain.lan, check for replication:

    repadmin /kcc
    repadmin /showrepl
    
  • Demote ms-ad-temp.mydomain.lan by executing the following command on samba-ad1.mydomain.lan (with Samba services stopped and disabled, of course):

    samba-tool domain demote --remove-other-dead-server=ms-ad-temp -H ldap://ms-ad-final1.mydomain.lan -U administrator
    
  • Clean DNS.

  • Regenerate the DFS-R:

    dfsrmig /createglobalobjects
    net stop dfsr
    net start dfsr
    
  • Check that dcdiag is clean (warning: dcdiag may display event log errors that are obsolete and unrelated to the migration):

    dcdiag
    

Joining the second final Windows domain controller

This step validates the proper functioning of the domain in an MS-AD environment.

  • Sysprep a third Windows 2012R2 machine, ms-ad-final2.mydomain.lan, following the Microsoft Sysprep documentation.

  • Join ms-ad-final2.mydomain.lan to the Windows domain by following the documentation for joining a Windows AD server to a domain, stopping after the section on joining. After the reboot, the SYSVOL directory must be correctly replicated and the SYSVOL and NetLogon shares must have been created without touching the SysvolReady key.

  • Clean DNS (pay attention to the _msdcs CNAME record).

  • Verify that replication is working properly by creating a file in the SYSVOL folder and checking that it replicates.

Turning off your Samba permanently

  • On your samba-ad1.mydomain.lan, run the command:

    shutdown -h now
    
  • Optionally: update your CV.

Note

Now you have a Microsoft domain that works the same way as your Samba-AD domain. If your Samba-AD domain did not work well, then your MS-AD domain will not work any better.

You can always rely on Tranquil IT to help you. Mastering Samba and MS-AD is above all understanding the Active Directory protocol, and we hope that this documentation will have demonstrated this mastery to you.