Camthompson/Migration Notes From win2k Server to Samba4
This is the wiki page for a 140-computer production environment being migrated from two Windows Domain Controllers to two Samba4 Domain Controllers. It is by no means a howto. Everyone has their own way of doing things, and this is the story of how we are going to do it.
- What needs to be done to be able to vampire a win2k AD?
 [root@dev-teadc1 bin]# ./net vampire -Uadministrator -WWINTEAL --target-dir=/usr/local/samba winteal.tundraeng.com
 Password for [WINTEAL\administrator]:
 Become DC [(null)] of Domain[WINTEAL]/[winteal.tundraeng.com]
 Promotion Partner is Server[tedc2.winteal.tundraeng.com] from Site[Default-First-Site-Name]
 Options:crossRef behavior_version schema object_version domain behavior_version domain w2k3_update_revision
 Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 - NT_STATUS_INVALID_PARAMETER
 libnet_BecomeDC() failed - NT_STATUS_INVALID_PARAMETER
 Traceback (most recent call last):
   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 99, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/vampire.py", line 51, in run
     (domain_name, domain_sid) = net.vampire(domain=domain, target_dir=target_dir)
 RuntimeError: NT_STATUS_INVALID_PARAMETER
- The above is still an issue; here are additional snippets showing the syntax-parsing problems ./net vampire is experiencing right now.
- I fixed the above issue by specifying -Uadministrator@domain.example.com%password
 [root@dev-teadc1 bin]# ./net vampire -Uadministrator -WWINTEAL winteal
 Traceback (most recent call last):
   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 99, in _run
     return self.run(*args, **kwargs)
   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/vampire.py", line 51, in run
     (domain_name, domain_sid) = net.vampire(domain=domain, target_dir=target_dir)
 TypeError: argument 2 must be string, not None
- The above is complaining that no "--target-dir" parameter is defined.
 [root@dev-teadc1 bin]# ./net -Uadministrator -WWINTEAL --target-dir=/tmp vampire winteal
 Invalid option --target-dir=/tmp: unknown option
 Usage: net <command> [options]
 Type 'net help' for all available commands
- And now it's complaining that --target-dir isn't a valid option
 [root@dev-teadc1 bin]# ./net -Uadministrator -WWINTEAL vampire winteal
 No command: vampire
 Usage: net <command> [options]
 Type 'net help' for all available commands
- I traced the function that returns the NT_STATUS to composite_wait(ptr) (source4/libcli/composite/composite.c), but don't know where to go from here.
- Now that I've gotten past initial syntactical problems with the net command, I am running into real errors:
 Aquiring initiator credentials failed: Cannot allocate memory
 Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_UNSUCCESSFUL
 Failed to start GENSEC client mechanism gssapi_krb5: NT_STATUS_UNSUCCESSFUL
Samba4 Detailed Migration Plan
Plan for moving from testing environment to production environment
Config and Naming
For simplicity's sake, the main win2k AD DC with all 5 FSMO roles is referred to as PDC.
- The 2nd win2k AD DC is BDC.
- Neither PDC nor BDC runs DNS or DHCP services; these run on other Linux nodes with dhcpd and bind.
- Both PDC and BDC run WINS.
- The S4 intended replacement for PDC is S4DC1.
- The S4 intended replacement for BDC is S4DC2.
Config - DNS
Primarily a BIND environment on other Linux nodes. PDC is tertiary DNS and a slave, updating Primary DNS.
Additional Preparation before S4 Enters Production
- TODO - remove DNS service from PDC completely and test
- TODO - move user homes from PDC to primary file and print
- TODO - virtualize PDC (BDC already virtualized)
Provisioning to Production
- TODO: provision command line
- TODO: net rpc samsync command line
- TODO: How to provision samba to avoid logins until in sync?
- firewall? our vlans could help here -- block all but ssh on all but vlan2 (server core)
- PDC and BDC log review at the beginning and end of the day.
- update "The Architect" (Andrew Bartlett)
- consider git diff as seen in dev-lan, rebuild and upgrade or re-provision
PDC Corruption - Minor
- domain remains active for logins
- perhaps replication stops
PDC Corruption - Disaster
- domain does not allow logins
- TODO: need to know very quickly which DC is directly being used for a given login test
- TODO: shorewall panic script to run on S4 nodes to block all comm except for ssh
- hourly test login script, failure SMS'ed
- quick assessment, revert to snapshots
- Note: Snapshot reversion will likely cause replication to fail. Depending on severity, we could attempt to revert memory-included snapshots for both PDC and BDC near simultaneously
Relevant port references gratefully taken from http://people.samba.org/people/2005/09/03
- udp 88 - kerberos
- udp 53 - dns
- udp 389 - cldap
- tcp 135 - rpc portmapper
- tcp 139 - SMB/CIFS
- tcp 389 - ldap
- tcp 445 - SMB/CIFS
- tcp 1024, 1025, 1026 - RPC
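As an added example (not from the original notes or from Samba), here is a skeleton for the hourly check described under "PDC Corruption - Disaster": it probes the TCP service ports from the list above on each DC and produces a one-line alert suitable for an SMS gateway, so a dead service is noticed before the login test fails. The loopback listener in local_demo() is a constructed stand-in for a DC; the real S4DC1/S4DC2 host names and the SMS hook are left to the operator.

```python
import socket

# TCP service ports the notes list for an AD DC. UDP kerberos, dns and
# cldap cannot be verified with a bare connect, so they are not probed.
AD_TCP_PORTS = {88: "kerberos", 135: "rpc portmapper", 139: "SMB/CIFS",
                389: "ldap", 445: "SMB/CIFS"}

def probe_port(host, port, timeout=2.0):
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_dc(host, ports=AD_TCP_PORTS, timeout=2.0):
    """Probe every listed port on one DC; returns {port: reachable}."""
    return {port: probe_port(host, port, timeout) for port in ports}

def check_dcs(dcs, ports=AD_TCP_PORTS, timeout=2.0):
    """Probe each DC. Returns (all_healthy, {dc: ["port/service", ...]});
    the dict lists only ports that did not answer, so healthy DCs are absent."""
    failures = {}
    for dc in dcs:
        down = [f"{port}/{ports[port]}" for port, ok in
                probe_dc(dc, ports, timeout).items() if not ok]
        if down:
            failures[dc] = down
    return (not failures, failures)

def format_alert(failures):
    """One short clause per failing DC, compact enough for an SMS."""
    return "; ".join(f"{dc}: {', '.join(down)} unreachable"
                     for dc, down in sorted(failures.items()))

def local_demo():
    """Constructed stand-in for a DC: a loopback listener plays the healthy
    ldap service, a freshly released loopback port plays dead kerberos."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    ports = {listener.getsockname()[1]: "ldap",
             spare.getsockname()[1]: "kerberos"}
    spare.close()  # nothing listens here now, so connects are refused
    healthy, failures = check_dcs(["127.0.0.1"], ports, timeout=1.0)
    listener.close()
    return healthy, failures, format_alert(failures)
```

Run local_demo() to see the behaviour against loopback; in production, call check_dcs(["s4dc1", "s4dc2"]) from cron and hand format_alert() to the SMS gateway.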