Camthompson/Migration Notes From win2k Server to Samba4
Revision as of 23:23, 7 April 2010

Preamble

This is the wiki page for a 140-computer production environment being migrated from two windows Domain Controllers to two Samba4 Domain Controllers. It is by no means a howto. Everyone has their way of doing things, and this is the story of how we are going to do it.

Samba4 Detailed Migration Plan

Plan for moving from testing environment to production environment

Config and Naming

For simplicity's sake, the main win2k AD DC, which holds all 5 FSMO roles, is referred to as PDC.

The 2nd win2k AD DC is referred to as BDC.

Neither PDC nor BDC runs DNS or DHCP; those services run on other Linux nodes (dhcpd and BIND).

Both PDC and BDC run WINS.


S4 intended replacement PDC is S4DC1

S4 intended replacement BDC is S4DC2


Config - DNS

Primarily a BIND environment on other Linux nodes. The PDC is a tertiary DNS server: a slave that transfers the zones from the primary and sends its dynamic updates to it.


Additional Preparation before S4 Enters Production

TODO - remove DNS service from PDC completely and test
TODO - move user homes from PDC to the primary file and print server
TODO - virtualize PDC (BDC is already virtualized)


Provisioning to Production

Clean Provision

TODO:  provision command line
TODO:  net rpc samsync command line (caveat: samsync pulls an NT4-style SAM; an additional DC in an existing AD domain replicates over DRS instead, which in the Samba4 alphas of the time was "net vampire" and in current releases is "samba-tool domain join <realm> DC")
TODO:  How to provision samba to avoid logins until in sync?
  • firewall? our vlans could help here -- block all but ssh on all but vlan2 (server core)
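The "block all but ssh" idea above and the panic script under Potential Scenarios are the same ruleset, so here is one way to express it. This is an added example, not a script from the wiki page or from the Samba project: a POSIX sh generator for an iptables-restore ruleset with a lockdown mode (SSH from the management VLAN only, everything else dropped and logged) and a dc mode that additionally opens the ports listed under References. The management VLAN 10.2.0.0/24 standing in for "vlan2 (server core)", SSH on port 22 and the use of iptables-restore are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate an iptables-restore ruleset
# for an S4 DC in two modes.
#   lockdown : only SSH from the management VLAN; everything else dropped and
#              logged. This is the "block all but ssh" staging state and also
#              what the panic script under Potential Scenarios needs.
#   dc       : lockdown plus the DC service ports from the References section.
# Assumptions (hypothetical, not stated on the page): vlan2 "server core" is
# 10.2.0.0/24, SSH listens on 22, rules are loaded with iptables-restore.

MGMT_NET="${MGMT_NET:-10.2.0.0/24}"

# Ports as listed in the page's References (proto/port, iptables syntax).
DC_PORTS="udp/88 udp/53 udp/389 tcp/135 tcp/139 tcp/389 tcp/445 tcp/1024:1026"

# gen_rules MODE : print the ruleset on stdout (MODE is lockdown or dc)
gen_rules() {
  mode="$1"
  case "$mode" in lockdown|dc) ;; *) echo "gen_rules: mode must be lockdown or dc" >&2; return 2 ;; esac
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Management access only from the server-core VLAN, never from client VLANs.
  printf '%s\n' "-A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT"
  if [ "$mode" = dc ]; then
    for pp in $DC_PORTS; do
      proto=${pp%/*}
      port=${pp#*/}
      printf '%s\n' "-A INPUT -p $proto --dport $port -j ACCEPT"
    done
  fi
  # Rate-limited log of what is dropped, so a locked-down DC can be debugged
  # from the console without flooding syslog.
  printf '%s\n' "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"s4dc-$mode-drop \""
  printf '%s\n' 'COMMIT'
}

# apply_rules MODE : load the ruleset atomically (needs root and iptables)
apply_rules() {
  gen_rules "$1" | iptables-restore
}

# Usage: ./s4dc-fw.sh lockdown|dc              (print the ruleset)
#        ./s4dc-fw.sh apply-lockdown|apply-dc  (load it)
case "${1:-}" in
  lockdown|dc)             gen_rules "$1" ;;
  apply-lockdown|apply-dc) apply_rules "${1#apply-}" ;;
esac
```

Run `apply-lockdown` on S4DC1 and S4DC2 before the first sync and keep them there until replication is verified; `apply-dc` opens them to clients. The same `apply-lockdown` is the panic action for the disaster scenario. Because the INPUT policy is DROP and the rules are loaded atomically, there is no window in which the DC answers on a port the mode does not list.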


Daily Tasks

  1. PDC and BDC log review at the beginning and end of the day.


Weekly Tasks

  1. update "The Architect" (Andrew Bartlett)
  2. review the git diff of the Samba4 tree as tested on the dev LAN, then rebuild and upgrade, or re-provision


Potential Scenarios

PDC Corruption - Minor

  • domain remains active for logins
  • perhaps replication stops

PDC Corruption - Disaster

  • domain does not allow logins
  • TODO: need to know very quickly which DC is directly being used for a given login test
  • TODO: shorewall panic script to run on S4 nodes to block all comm except for ssh

Monitoring Plan:

  • hourly test login script, failure SMS'ed
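The hourly probe above, together with the earlier TODO about knowing which DC a login test actually hit, can be covered by one script that tests each DC on its own. This is an added example, not code from the wiki page or from the Samba project. The technique is to pin the KDC: write a throwaway krb5.conf that disables DNS KDC lookup and names a single DC, point KRB5_CONFIG at it, obtain a ticket from a keytab, then open an SMB session to that same DC with the ticket. Realm EXAMPLE.INTERNAL, hosts s4dc1/s4dc2.example.internal, a low-privilege monitoring principal with a keytab at /etc/s4mon.keytab, MIT kinit option syntax, the older `smbclient -k` flag and an email-to-SMS gateway address are all assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): hourly login probe that tests each DC
# individually, so a failure names the DC, and pages on failure.
# Assumptions (hypothetical): realm, hostnames, keytab path, MIT kinit syntax,
# smbclient accepting -k for Kerberos, and an email-to-SMS gateway.

REALM="${REALM:-EXAMPLE.INTERNAL}"
DCS="${DCS:-s4dc1.example.internal s4dc2.example.internal}"
MON_PRINC="${MON_PRINC:-s4mon@$REALM}"
MON_KEYTAB="${MON_KEYTAB:-/etc/s4mon.keytab}"
SMS_ADDR="${SMS_ADDR:-oncall@sms.example.internal}"

# make_krb5_conf REALM DC : print a krb5.conf that knows exactly one KDC.
# dns_lookup_kdc = false stops libkrb5 from silently failing over to the
# other DC via SRV records, which is what made "which DC did I test" unclear.
make_krb5_conf() {
  cat <<EOF
[libdefaults]
  default_realm = $1
  dns_lookup_kdc = false
  dns_lookup_realm = false
[realms]
  $1 = {
    kdc = $2
    admin_server = $2
  }
EOF
}

# probe_dc DC : return 0 if kinit against DC and an SMB session to DC both work
probe_dc() {
  dc="$1"
  tmp=$(mktemp -d) || return 1
  make_krb5_conf "$REALM" "$dc" > "$tmp/krb5.conf"
  rc=1
  # Private config and credential cache per probe: nothing leaks between DCs.
  if KRB5_CONFIG="$tmp/krb5.conf" KRB5CCNAME="FILE:$tmp/cc" \
       kinit -k -t "$MON_KEYTAB" "$MON_PRINC" >"$tmp/log" 2>&1 &&
     KRB5_CONFIG="$tmp/krb5.conf" KRB5CCNAME="FILE:$tmp/cc" \
       smbclient -k -L "//$dc" >>"$tmp/log" 2>&1
  then
    rc=0
  fi
  rm -rf "$tmp"
  return $rc
}

# build_alert RESULTS : RESULTS holds lines of "dc status". Prints the SMS
# text naming the failed DCs; prints nothing and returns 1 when all are ok.
build_alert() {
  failed=$(printf '%s\n' "$1" | awk 'NF >= 2 && $2 != "ok" { printf "%s ", $1 }')
  [ -n "$failed" ] || return 1
  printf 'S4 login probe FAILED on: %s(%s)\n' "$failed" "$(date -u +%Y-%m-%dT%H:%MZ)"
}

# run_checks : probe every DC, page only when at least one failed
run_checks() {
  results=""
  for dc in $DCS; do
    if probe_dc "$dc"; then status=ok; else status=FAIL; fi
    results="$results$dc $status
"
  done
  msg=$(build_alert "$results") && printf '%s\n' "$msg" | mail -s "S4 DC probe" "$SMS_ADDR"
}

# Usage from cron: 0 * * * * /usr/local/sbin/s4probe.sh run
case "${1:-}" in run) run_checks ;; esac
```

A monitoring account with no group memberships beyond Domain Users is enough, since the probe only needs an AS-REQ and an anonymous-level share listing; its keytab should be readable only by the user the cron job runs as. Logging the probe result per DC also gives the daily log review a fixed point to compare against.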

Recovery Plan:

  • quick assessment, revert to snapshots
    • Note: Reverting one DC to a snapshot rolls its update sequence numbers back while its replication partner still remembers the higher values, so replication between them will likely fail. Depending on severity, we could attempt to revert memory-included snapshots for both PDC and BDC near simultaneously.

References

Relevant port references gratefully taken from http://people.samba.org/people/2005/09/03 . This covers the ports Samba4 listened on at the time and is not exhaustive: Kerberos and DNS also fall back to TCP 88 and TCP 53, password changes use TCP 464 (kpasswd), Windows clients query the global catalog on TCP 3268, and WINS/NetBIOS name service uses UDP 137/138.

- udp 88  - kerberos
- udp 53  - dns
- udp 389 - cldap
- tcp 135 - rpc portmapper
- tcp 139 - SMB/CIFS
- tcp 389 - ldap
- tcp 445 - SMB/CIFS
- tcp 1024, 1025, 1026 - RPC