Re: [Samba] Adding a Windows Server down the road
On Mon, 25.04.2005 at 20.47, Aaron Butters wrote:

Blah

To whom are you writing, c.q. replying? Quote and do not top post.

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl

They'll love us, won't they? They feed us, don't they? ...

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Adding a Windows Server down the road
I should probably start a new thread as my question is slightly different, however there are enough similarities :)

I've tried to follow your instructions here as they match up perfectly with what I am trying to accomplish, which is to migrate users and, most importantly, locally stored user profiles from a Samba v2.x server that I have had no involvement with, to an SBS2003 active directory domain controller.

My problem is that when I try to run the ADMT and test migrate users I get the following error:

The network path was not found. (Error code=53, domain=sambadomainname)

Couple of unknowns for me... I'm not sure of the setup of the samba server... It appears to me that it may not have been fully set up as a domain controller? Also I'm wondering if the ADMT only works when migrating from Samba V3?

I've tried using nbtstat on the SBS2003 server and nmblookup on the samba server to verify that each of them can see the other domain, and it appears that they can...

Not sure what other information to add. Thanks in advance for any help! (Which of course is greatly appreciated!)
RE: [Samba] Adding a Windows Server down the road
One more thing I forgot to mention when using ADMT: it helps if your client workstations' DNS server is set to be the one that's authoritative for the new domain. Things might work OK thru WINS/NetBIOS name resolution, but I've had to do the DNS thing, too.

--Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

On Tue, 19 Apr 2005, Andrew Debnar wrote:

> John,
> Thanks I also tested and this worked great. Now I get to do Linux.
>
> Thanks,
> Andrew
> -Original Message-
> From: Jonathan Johnson [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 14, 2005 3:19 AM
> To: [EMAIL PROTECTED]
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Adding a Windows Server down the road
>
> John H Terpstra wrote:
>
> >On Wednesday 13 April 2005 11:46, Josh Kelley wrote:
> >
> >>Andrew Bartlett wrote:
> >>
> >>>What's wrong with running the windows server as a domain member. There
> >>>is no way to import users (well, their passwords are the tricky part)
> >>>from Samba into AD that I know of.
> >>
> >>Microsoft provides the Active Directory Migration Tool (ADMT). As one
> >>of its features, it's supposed to let you import users from a NT 4
> >>domain. Since a Samba server runs an NT 4 domain, any chance that ADMT
> >>would work?
> >>
> >>I'm guessing no, for the same reason that a Samba PDC can't take an NT 4
> >>BDC, but I thought that I'd mention it as a possibility and see if
> >>anyone knew if it would work.
> >
> >Why don't you do a test installation of ADS and try it. Please let me know
> >what happens. I'd appreciate your help in documenting this process to spare
> >others from having to ask.
> >
> >- John T.
>
> Been there, done that, and can say YES, it works. I had to do this when
> a customer wanted to move to Exchange (don't ask me WHY! :-) ) and thus
> required migration to a Windows 2003 Active Directory domain. There are
> a few gotchas to be aware of:
>
> 1. Administrator password must be THE SAME on the Samba server, the 2003
> ADS, and the local Administrator account on the workstations. This is
> not documented. (Perhaps this goes without saying, but there needs to be
> an account called "Administrator" in your Samba domain, with full
> administrative (root) rights to that domain.)
>
> 2. In the Advanced/DNS section of the TCP/IP settings on your Windows
> workstations, make sure "DNS suffix for this connection" field is blank.
> This is not documented.
>
> 3. Because you are migrating from Samba, user passwords cannot be
> migrated. You'll have to reset everyone's passwords. (If you were
> migrating from NT4 to ADS, you could migrate passwords as well.)
>
> 4. I don't know how well this works with roaming profiles; I've only
> used this with local profiles.
>
> 5. Disable the Windows Firewall on all workstations. Otherwise,
> workstations won't be migrated to the new domain. This is not documented.
>
> 6. When migrating machines, always test first (using ADMT's test mode)
> and satisfy all errors before committing the migration. Note that the
> test will always fail, because the machine will not have been actually
> migrated. You'll need to interpret the errors to know whether the
> failure was due to a problem, or simply due to the fact that it was just
> a test.
>
> There are some significant benefits of using the ADMT, besides just
> migrating user accounts.
>
> 1. You can also migrate workstations remotely. You can specify that SIDs
> be simply added instead of replaced, giving you the option of joining a
> workstation back to the old domain if something goes awry. The
> workstations will be joined to the new domain.
>
> 2. Not only are user accounts migrated from the old domain to the new
> domain, but ACLs on the workstations are migrated as well. Like SIDs,
> ACLs can be added instead of replaced.
>
> 3. Locally stored user profiles on workstations are migrated as well,
> presenting almost no disruption to the user. Saved passwords will be
> lost, just as when you administratively reset the password in Windows ADS.
>
> 4. The ADMT lets you test all operations before actually performing the
> migration. You can migrate accounts and workstations individually or in
> batches. User accounts can be safely migrated all at once (since no
> changes are made on the original domain); I recommend migrating only one
> or two work
RE: [Samba] Adding a Windows Server down the road
John,

Thanks I also tested and this worked great. Now I get to do Linux.

Thanks,
Andrew

-Original Message-
From: Jonathan Johnson [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 14, 2005 3:19 AM
To: [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: Re: [Samba] Adding a Windows Server down the road

John H Terpstra wrote:

>On Wednesday 13 April 2005 11:46, Josh Kelley wrote:
>
>>Andrew Bartlett wrote:
>>
>>>What's wrong with running the windows server as a domain member. There
>>>is no way to import users (well, their passwords are the tricky part)
>>>from Samba into AD that I know of.
>>
>>Microsoft provides the Active Directory Migration Tool (ADMT). As one
>>of its features, it's supposed to let you import users from a NT 4
>>domain. Since a Samba server runs an NT 4 domain, any chance that ADMT
>>would work?
>>
>>I'm guessing no, for the same reason that a Samba PDC can't take an NT 4
>>BDC, but I thought that I'd mention it as a possibility and see if
>>anyone knew if it would work.
>
>Why don't you do a test installation of ADS and try it. Please let me know
>what happens. I'd appreciate your help in documenting this process to spare
>others from having to ask.
>
>- John T.

Been there, done that, and can say YES, it works. I had to do this when a customer wanted to move to Exchange (don't ask me WHY! :-) ) and thus required migration to a Windows 2003 Active Directory domain. There are a few gotchas to be aware of:

1. Administrator password must be THE SAME on the Samba server, the 2003 ADS, and the local Administrator account on the workstations. This is not documented. (Perhaps this goes without saying, but there needs to be an account called "Administrator" in your Samba domain, with full administrative (root) rights to that domain.)

2. In the Advanced/DNS section of the TCP/IP settings on your Windows workstations, make sure "DNS suffix for this connection" field is blank. This is not documented.

3. Because you are migrating from Samba, user passwords cannot be migrated. You'll have to reset everyone's passwords. (If you were migrating from NT4 to ADS, you could migrate passwords as well.)

4. I don't know how well this works with roaming profiles; I've only used this with local profiles.

5. Disable the Windows Firewall on all workstations. Otherwise, workstations won't be migrated to the new domain. This is not documented.

6. When migrating machines, always test first (using ADMT's test mode) and satisfy all errors before committing the migration. Note that the test will always fail, because the machine will not have been actually migrated. You'll need to interpret the errors to know whether the failure was due to a problem, or simply due to the fact that it was just a test.

There are some significant benefits of using the ADMT, besides just migrating user accounts.

1. You can also migrate workstations remotely. You can specify that SIDs be simply added instead of replaced, giving you the option of joining a workstation back to the old domain if something goes awry. The workstations will be joined to the new domain.

2. Not only are user accounts migrated from the old domain to the new domain, but ACLs on the workstations are migrated as well. Like SIDs, ACLs can be added instead of replaced.

3. Locally stored user profiles on workstations are migrated as well, presenting almost no disruption to the user. Saved passwords will be lost, just as when you administratively reset the password in Windows ADS.

4. The ADMT lets you test all operations before actually performing the migration. You can migrate accounts and workstations individually or in batches. User accounts can be safely migrated all at once (since no changes are made on the original domain); I recommend migrating only one or two workstations as a test before committing them all.

I'm fairly impressed with the Active Directory Migration Tool. It sure made my job easier, both times I used it (once migrating from NT4 to ADS 2003; second time from Samba 3 to ADS 2003). The three gotchas that I labeled "not documented" are things that tripped me up, but (thankfully) I was able to resolve. ADMT can be found on the Windows 2003 CD.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Adding a Windows Server down the road
John H Terpstra wrote:

>On Wednesday 13 April 2005 11:46, Josh Kelley wrote:
>
>>Andrew Bartlett wrote:
>>
>>>What's wrong with running the windows server as a domain member. There
>>>is no way to import users (well, their passwords are the tricky part)
>>>from Samba into AD that I know of.
>>
>>Microsoft provides the Active Directory Migration Tool (ADMT). As one
>>of its features, it's supposed to let you import users from a NT 4
>>domain. Since a Samba server runs an NT 4 domain, any chance that ADMT
>>would work?
>>
>>I'm guessing no, for the same reason that a Samba PDC can't take an NT 4
>>BDC, but I thought that I'd mention it as a possibility and see if
>>anyone knew if it would work.
>
>Why don't you do a test installation of ADS and try it. Please let me know
>what happens. I'd appreciate your help in documenting this process to spare
>others from having to ask.
>
>- John T.

Been there, done that, and can say YES, it works. I had to do this when a customer wanted to move to Exchange (don't ask me WHY! :-) ) and thus required migration to a Windows 2003 Active Directory domain. There are a few gotchas to be aware of:

1. Administrator password must be THE SAME on the Samba server, the 2003 ADS, and the local Administrator account on the workstations. This is not documented. (Perhaps this goes without saying, but there needs to be an account called "Administrator" in your Samba domain, with full administrative (root) rights to that domain.)

2. In the Advanced/DNS section of the TCP/IP settings on your Windows workstations, make sure "DNS suffix for this connection" field is blank. This is not documented.

3. Because you are migrating from Samba, user passwords cannot be migrated. You'll have to reset everyone's passwords. (If you were migrating from NT4 to ADS, you could migrate passwords as well.)

4. I don't know how well this works with roaming profiles; I've only used this with local profiles.

5. Disable the Windows Firewall on all workstations. Otherwise, workstations won't be migrated to the new domain. This is not documented.

6. When migrating machines, always test first (using ADMT's test mode) and satisfy all errors before committing the migration. Note that the test will always fail, because the machine will not have been actually migrated. You'll need to interpret the errors to know whether the failure was due to a problem, or simply due to the fact that it was just a test.

There are some significant benefits of using the ADMT, besides just migrating user accounts.

1. You can also migrate workstations remotely. You can specify that SIDs be simply added instead of replaced, giving you the option of joining a workstation back to the old domain if something goes awry. The workstations will be joined to the new domain.

2. Not only are user accounts migrated from the old domain to the new domain, but ACLs on the workstations are migrated as well. Like SIDs, ACLs can be added instead of replaced.

3. Locally stored user profiles on workstations are migrated as well, presenting almost no disruption to the user. Saved passwords will be lost, just as when you administratively reset the password in Windows ADS.

4. The ADMT lets you test all operations before actually performing the migration. You can migrate accounts and workstations individually or in batches. User accounts can be safely migrated all at once (since no changes are made on the original domain); I recommend migrating only one or two workstations as a test before committing them all.

I'm fairly impressed with the Active Directory Migration Tool. It sure made my job easier, both times I used it (once migrating from NT4 to ADS 2003; second time from Samba 3 to ADS 2003). The three gotchas that I labeled "not documented" are things that tripped me up, but (thankfully) I was able to resolve. ADMT can be found on the Windows 2003 CD.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com
Re: [Samba] Adding a Windows Server down the road
On Wednesday 13 April 2005 11:46, Josh Kelley wrote:
> Andrew Bartlett wrote:
> >What's wrong with running the windows server as a domain member. There
> >is no way to import users (well, their passwords are the tricky part)
> >from Samba into AD that I know of.
>
> Microsoft provides the Active Directory Migration Tool (ADMT). As one
> of its features, it's supposed to let you import users from a NT 4
> domain. Since a Samba server runs an NT 4 domain, any chance that ADMT
> would work?
>
> I'm guessing no, for the same reason that a Samba PDC can't take an NT 4
> BDC, but I thought that I'd mention it as a possibility and see if
> anyone knew if it would work.

Why don't you do a test installation of ADS and try it. Please let me know what happens. I'd appreciate your help in documenting this process to spare others from having to ask.

- John T.
Re: [Samba] Adding a Windows Server down the road
Andrew Bartlett wrote:
> What's wrong with running the windows server as a domain member. There
> is no way to import users (well, their passwords are the tricky part)
> from Samba into AD that I know of.

Microsoft provides the Active Directory Migration Tool (ADMT). As one of its features, it's supposed to let you import users from a NT 4 domain. Since a Samba server runs an NT 4 domain, any chance that ADMT would work?

I'm guessing no, for the same reason that a Samba PDC can't take an NT 4 BDC, but I thought that I'd mention it as a possibility and see if anyone knew if it would work.

Josh Kelley
Re: [Samba] Adding a Windows Server down the road
That I think that could work, the thing I am concerned about is that if we get some crazy software that interacts with AD or something like that. Do you know it is possible to use LDAP, and then make the Windows server the PDC and just not copy the users to AD but still have them function on the network without recreating them on the windows server?

Thanks for all the help
Andrew

On 4/12/05, Andrew Bartlett <[EMAIL PROTECTED]> wrote:
> On Tue, 2005-04-12 at 17:45 -0400, Andrew Debnar wrote:
> > I just started at a new company and they do not have a server at all I
> > want to put a samba server in place but I need to make sure that in
> > the future I could add a windows server if we buy software that
> > requires it. Does anybody know if this is possible to do? I ideally I
> > would like it to import the users and their information to the AD on
> > the windows server but is not required.
>
> What's wrong with running the windows server as a domain member. There
> is no way to import users (well, their passwords are the tricky part)
> from Samba into AD that I know of.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net

--
Andrew Debnar
703-652-6012
Re: [Samba] Adding a Windows Server down the road
On Tue, 2005-04-12 at 17:45 -0400, Andrew Debnar wrote:
> I just started at a new company and they do not have a server at all I
> want to put a samba server in place but I need to make sure that in
> the future I could add a windows server if we buy software that
> requires it. Does anybody know if this is possible to do? I ideally I
> would like it to import the users and their information to the AD on
> the windows server but is not required.

What's wrong with running the windows server as a domain member. There is no way to import users (well, their passwords are the tricky part) from Samba into AD that I know of.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
[Samba] Adding a Windows Server down the road
I just started at a new company and they do not have a server at all. I want to put a samba server in place but I need to make sure that in the future I could add a windows server if we buy software that requires it. Does anybody know if this is possible to do? Ideally I would like it to import the users and their information to the AD on the windows server but it is not required.

Thanks
Andrew