Migrating a Samba domain to a Microsoft domain
If you have problems with your Samba-AD, before you migrate to MS-AD, give us a call to talk about it!
Presentation of the procedure
In the following documentation, it is assumed:
That the last Samba-AD server we will keep in the domain until the switch to MS-AD is called samba-ad1.mydomain.lan.
That the temporary MS-AD server needed to initiate the migration process is called ms-ad-temp.mydomain.lan.
That the first final MS-AD that will be kept at the end of the migration is called ms-ad-final1.mydomain.lan.
That the second final MS-AD that will be kept at the end of the migration is called ms-ad-final2.mydomain.lan.
In the instructions described below, replace mydomain.lan with your own domain name and the machine names with names of your choosing.
The first Windows machine, ms-ad-temp.mydomain.lan, is only a transition machine: there is currently a problem with the ntSecurityDescriptor attribute when ms-ad-temp.mydomain.lan is joined to samba-ad1.mydomain.lan.
So ms-ad-temp.mydomain.lan is used as a pivot.
Then ms-ad-final1.mydomain.lan is joined to ms-ad-temp.mydomain.lan, which ensures that replication works properly and that the ACLs on LDAP and SYSVOL are applied correctly.
Next, the ms-ad-temp.mydomain.lan controller is removed.
Finally, a second Windows domain controller, ms-ad-final2.mydomain.lan, is added to the Windows 2012R2 domain, which makes it possible to validate that the whole setup works correctly.
Joining a first MS-AD domain controller to the Samba-AD domain
Prepare a first Windows 2012R2 machine, ms-ad-temp.mydomain.lan, by following the official Microsoft Sysprep documentation.
Integrate ms-ad-temp.mydomain.lan into the Samba-AD domain by following the documentation for joining a Windows AD to a Samba-AD domain.
Demoting the Samba-AD domain controllers
Once the MS-AD is joined correctly to the domain, you need to demote the Samba-AD servers. To do this it is best to remove all references to the Samba-AD domain directly on ms-ad-temp.mydomain.lan.
Note
Conceptually it is better to delete references on the server that remains active rather than on the server you want to delete.
Remove all domain controllers except samba-ad1.mydomain.lan. To do this, and for each controller of the Samba-AD domain, execute the following command on samba-ad1.mydomain.lan:
samba-tool domain demote --remove-other-dead-server=<other-samba-servers>
Stop the Samba services on the last Samba-AD, samba-ad1.mydomain.lan. We will nevertheless keep the samba-ad1.mydomain.lan machine running a little while longer, so as to keep using the flexibility of the samba-tool commands for some of the following operations, and also to make your mourning of Samba-AD less painful.
systemctl stop samba
systemctl disable samba
Remove the last Samba-AD domain controller by running the following command on samba-ad1.mydomain.lan, pointing it (with -H) at the MS-AD ms-ad-temp.mydomain.lan:
samba-tool domain demote --remove-other-dead-server=samba-ad1 -H ldap://ms-ad-temp.mydomain.lan -U administrator
Check that the FSMO roles were transferred during the last demotion. The DomainDnsZones and ForestDnsZones roles will remain untransferred, so their transfer is forced by seizing them:
samba-tool fsmo show -H ldap://ms-ad-temp.mydomain.lan -U administrator
samba-tool fsmo seize --role=all -H ldap://ms-ad-temp.mydomain.lan -U administrator
Clean the DNS entries. In a DNS console opened on ms-ad-temp.mydomain.lan, check that the DNS records for ms-ad-temp.mydomain.lan are all present (A, NS, SRV and CNAME records) and delete the DNS references to samba-ad1.mydomain.lan. Also correct the glue records (NS records) for _msdcs in the mydomain.lan zone (not in the _msdcs.mydomain.lan zone).
Create the reverse zone if it does not exist yet, then create the PTR record for ms-ad-temp.mydomain.lan.
Now we have a full Microsoft domain with a single domain controller.
Raise the domain and forest functional levels to Windows 2012R2 with PowerShell:
Set-ADDomainMode -identity mydomain.lan -DomainMode Windows2012R2Domain
Set-ADForestMode -identity mydomain.lan -ForestMode Windows2012R2Forest
Joining the first definitive Windows domain controller
To finish the migration, a second MS-AD must be put in place and the DFS-R part of the SYSVOL replication must be reset:
Sysprep a second Windows 2012R2 ms-ad-final1.mydomain.lan machine by following the official Microsoft Sysprep documentation.
Join ms-ad-final1.mydomain.lan to the domain controller ms-ad-temp.mydomain.lan.
With a DNS console open on ms-ad-final1.mydomain.lan, check that the DNS fields are all present.
On ms-ad-final1.mydomain.lan, check the replication:
repadmin /kcc
repadmin /showrepl
Demote ms-ad-temp.mydomain.lan by executing the following command on samba-ad1.mydomain.lan (with, of course, the Samba services stopped and disabled):
samba-tool domain demote --remove-other-dead-server=ms-ad-temp -H ldap://ms-ad-final1.mydomain.lan -U administrator
Clean DNS.
Regenerate the DFS-R:
dfsrmig /createglobalobjects
net stop dfsr
net start dfsr
Check that dcdiag is clean (warning: dcdiag may display event log errors that are obsolete and unrelated to the migration):
dcdiag
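The checks above (FSMO roles, DNS cleanup, SYSVOL shares) are done by hand in the procedure. The following PowerShell script, added here as an example and not part of the original Tranquil IT documentation, automates them; run it on a controller that stays after each demotion (after samba-ad1.mydomain.lan is removed, then again after ms-ad-temp.mydomain.lan is removed), adjusting $RetiredDcs to the controllers demoted so far. It assumes the ActiveDirectory and DnsServer PowerShell modules are installed on that controller.

```powershell
# Added post-demotion sanity check; not part of the original Tranquil IT procedure.
# Run in an elevated PowerShell on a controller that stays (e.g. ms-ad-final1.mydomain.lan).
# Assumes the ActiveDirectory and DnsServer modules (AD DS role or RSAT) are installed.
Import-Module ActiveDirectory, DnsServer
$Domain     = 'mydomain.lan'
$RetiredDcs = @('samba-ad1', 'ms-ad-temp')   # short names of the demoted controllers
$Problems   = @()

# 1. No FSMO role may still point at a demoted controller. (The DomainDnsZones and
#    ForestDnsZones roles are not exposed here; check them with 'samba-tool fsmo show'.)
$dom    = Get-ADDomain -Identity $Domain
$forest = Get-ADForest -Identity $Domain
$roles  = @{ PDCEmulator = $dom.PDCEmulator; RIDMaster = $dom.RIDMaster
             InfrastructureMaster = $dom.InfrastructureMaster
             SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster }
foreach ($r in $roles.GetEnumerator()) {
    if ($RetiredDcs -contains ($r.Value -split '\.')[0]) { $Problems += "FSMO role $($r.Key) is still held by $($r.Value)" }
}

# 2. Demoted controllers must not survive as stale DC objects (NTDS Settings).
foreach ($dc in Get-ADDomainController -Filter *) {
    if ($RetiredDcs -contains $dc.Name) { $Problems += "Stale domain controller object: $($dc.HostName)" }
}

# 3. No A, NS, SRV or CNAME record in the zone or in _msdcs may still reference a retired DC
#    (the record types the procedure asks you to clean by hand, including the _msdcs glue NS records).
foreach ($zone in (Get-DnsServerZone | Where-Object { $_.ZoneName -in @($Domain, "_msdcs.$Domain") })) {
    foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName) {
        $target = switch ($rec.RecordType) {
            'A'     { $rec.HostName }                   # the A record of the old DC itself
            'NS'    { $rec.RecordData.NameServer }
            'SRV'   { $rec.RecordData.DomainName }
            'CNAME' { $rec.RecordData.HostNameAlias }
            default { $null }
        }
        foreach ($old in $RetiredDcs) {
            if ($target -eq $old -or $target -like "$old.*") {
                $Problems += "$($zone.ZoneName): $($rec.RecordType) record '$($rec.HostName)' -> $target"
            }
        }
    }
}

# 4. SYSVOL and NETLOGON must be shared on this controller.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) { $Problems += "Share $share is missing" }
}

foreach ($p in $Problems) { Write-Warning $p }
if ($Problems.Count -eq 0) { Write-Host "No trace of $($RetiredDcs -join ', ') left in FSMO roles, DC objects or DNS; shares OK." }
```

Each warning names the zone and record (or role, object or share) still pointing at a demoted controller, so it maps directly onto the manual cleanup steps of the procedure.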
Joining the second final Windows domain controller
This step validates that the domain works properly in an MS-AD environment.
Sysprep a third Windows 2012R2 machine, ms-ad-final2.mydomain.lan, by following the Microsoft Sysprep documentation.
Join ms-ad-final2.mydomain.lan to the Windows domain by following the documentation for joining a Windows AD to a domain, stopping after the section on joining. After rebooting, the SYSVOL directory must be correctly replicated and the SYSVOL and NetLogon shares must be created without changing the SysvolReady key.
Clean DNS (pay attention to the _msdcs CNAME record).
Verify that replication is working properly by creating a file in the SYSVOL folder and checking that it replicates correctly.
Turning off your Samba permanently
On your samba-ad1.mydomain.lan, run the command:
shutdown -h now
Optionally: update your CV.
Note
Now you have a Microsoft domain that works the same way as your Samba-AD domain. If your Samba-AD domain did not work well, then your MS-AD domain will not work any better.
You can always rely on Tranquil IT to help you. Mastering Samba and MS-AD is above all a matter of understanding the Active Directory protocol, and we hope that this documentation has demonstrated that mastery.