Discussion:
Migrating S4 DC
titantoppler
2011-12-29 04:41:07 UTC
Hi list,

Have been running S4 (alpha 14, if memory serves) since last Aug 2010.
Everything has been good so far, but I've been looking at virtualizing the
set up for portability's sake. This is especially so because all my eggs
are in one basket - this particular machine is running as a file server, a
domain controller, a DNS server and a VPN server. I want to separate their
roles into different virtual machines.

So what I want to do is to re-install S4 on my DC, after first putting
XenServer on it.

Problems:
1) It's the only DC right now, so I need to set up another DC before I can
safely bring the existing S4 installation down. How good/reliable is the
replication feature in S4?
2) My users are using roaming profiles, stored on the DC. Will this be
replicated, or do I have to manually do it?
3) My users have mapped drives that they use to access their files from;
these are also put on the S4 DC. Is there any way that I can transparently
shift it over to another server?
4) Extra difficulty - due to a design decision early on, I used ReiserFS,
which did not support extended attributes properly. I ended up having to
use the "posix:eadb" option in my smb.conf to store the permissions.
Assuming I now have an ext4 data partition, how can I "restore" the
permissions?
5) After splitting the roles, does the file server VM need to run S4, or
will S3 do? How should I go about the configuration (esp. the permissions
portion)?

Cheers!
Matthieu Patou
2011-12-30 04:34:52 UTC
Post by titantoppler
Hi list,
Have been running S4 (alpha 14, if memory serves) since last Aug 2010.
Everything has been good so far, but I've been looking at virtualizing the
set up for portability's sake. This is especially so because all my eggs
are in one basket - this particular machine is running as a file server, a
domain controller, a DNS server and a VPN server. I want to separate their
roles into different virtual machines.
So what I want to do is to re-install S4 on my DC, after first putting
XenServer on it.
1) It's the only DC right now, so I need to set up another DC before I can
safely bring the existing S4 installation down. How good/reliable is the
replication feature in S4?
Quite good, I mean a couple of production sites use a multi DC setup
without too much bad news.
Post by titantoppler
2) My users are using roaming profiles, stored on the DC. Will this be
replicated, or do I have to manually do it?
Not replicated, you have to do it on your own. Pay attention to the fact
that the UID/GID of the users are not necessarily the same across all
the DCs, as S4 for the moment allocates UIDs when needed.
Post by titantoppler
3) My users have mapped drives that they use to access their files from;
these are also put on the S4 DC. Is there any way that I can transparently
shift it over to another server?
Not in Samba 4 for the moment. One way to do it is to use DFS with
domain DFS (i.e. \\my.domain.tld\users_home), but for the moment Samba 4
only supports DFS referral for sysvol and netlogon shares.
Post by titantoppler
4) Extra difficulty - due to a design decision early on, I used ReiserFS,
which did not support extended attributes properly. I ended up having to
use the "posix:eadb" option in my smb.conf to store the permissions.
Assuming I now have an ext4 data partition, how can I "restore" the
permissions?
It's not a definite guide, the way I would search is to use
samba-tool ntacl get <file> --as-sddl on all your files/dirs shared by
the current DC, then change your smb.conf to remove the posix:eadb
option and use samba-tool ntacl set sddl_of_the_file <file>
Post by titantoppler
5) After splitting the roles, does the file server VM need to run S4, or
will S3 do? How should I go about the configuration (esp. the permissions
portion)?
Well, depending on your needs you might want to keep the fileserver stuff in
the S4 DC. If not, then S3 will work as a domain member; for the UID/GID
you'll have to handle it manually.
Post by titantoppler
Cheers!
Matthieu
--
Matthieu Patou
Samba Team
http://samba.org
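Added example, not part of any post in this thread: a POSIX shell script for the dump-then-reapply approach described in the answer to question 4 above, extended to store paths relative to the share root so the ACLs can be re-applied under a different mount point and read back for comparison. Only the two samba-tool ntacl invocations come from the thread; the function names, the tab-separated manifest and the SAMBA_TOOL override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): carry NT ACLs across the posix:eadb -> xattr switch.
# Only the two samba-tool invocations come from the post; everything else is assumed.
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}   # overridable so the logic can be exercised with a stub
TAB=$(printf '\t')
NL='
'

# dump_ntacls OLDROOT MANIFEST
# Run while smb.conf still has posix:eadb. Writes "SDDL<TAB>./relative/path" per entry.
# Paths containing a newline are pruned (they cannot be stored one per line); fix by hand.
dump_ntacls() {
    (
        cd "$1" || exit 2
        find . -path "*$NL*" -prune -o -print | (
            rc=0
            while IFS= read -r rel; do
                sddl=$("$SAMBA_TOOL" ntacl get "$rel" --as-sddl </dev/null) || sddl=
                case $sddl in
                    '' | *"$NL"* | *"$TAB"*)
                        echo "no single-line SDDL for: $rel" >&2; rc=1 ;;
                    *)  printf '%s\t%s\n' "$sddl" "$rel" ;;
                esac
            done
            exit "$rc"
        )
    ) > "$2"
}

# restore_ntacls NEWROOT MANIFEST
# Run after posix:eadb is removed. Sets each ACL, reads it back, and reports differences.
# A reported difference means "inspect this path", not necessarily a wrong ACL.
restore_ntacls() {
    rc=0
    while IFS= read -r line; do
        sddl=${line%%"$TAB"*}
        rel=${line#*"$TAB"}
        target=$1/${rel#./}
        if ! "$SAMBA_TOOL" ntacl set "$sddl" "$target" </dev/null; then
            echo "set failed: $target" >&2; rc=1; continue
        fi
        now=$("$SAMBA_TOOL" ntacl get "$target" --as-sddl </dev/null) || now=
        [ "$now" = "$sddl" ] || { echo "ACL differs after set: $target" >&2; rc=1; }
    done < "$2"
    return "$rc"
}
```

Keep the manifest outside the share being walked, and protect it like the data itself, since it records the owner and every ACE of each file.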
Andrew Bartlett
2011-12-30 08:34:41 UTC
For all of these tasks, it may work best to use a windows file copy tool
preserving permissions to move the files. That way, moving s4 -> s3, or
s4 -> s4 will keep permissions, ownerships etc correct without major
fuss.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
titantoppler
2011-12-31 07:04:47 UTC
Hi all,

Thanks for the insights so far.

As far as I understand things:
1) I can use the built-in replication - but what about GPOs? Will they
propagate to the backup DC as well?
2) Files (profiles and shared files) will have to be done manually, as will
the permissions. A hassle, but nothing unmanageable
3) S3 isn't ideal for an AD set up since the configuration of the file
permissions will have to be done from smb.conf - I'd prefer to do it all
from the Windows management tools (I know, I know...)

Andrew: If I understand you correctly, if I want to retain the correct file
permissions without having to reapply them (because of the migration from
posix:eadb to built-in file attributes) I should do the following:
a) Set up the appropriate shares in the new file server
b) Copy the files from share to share using Windows - this will preserve
the file permissions (esp. for user profiles), thus saving me from having
to reconfigure the permissions again.
c) Re-map the users' home and profile shares on the AD side of things.

Is there anything else that I should be considering but am not?

Cheers, and happy holidays!
Gémes Géza
2011-12-31 12:17:18 UTC
Hi,
Post by titantoppler
Hi all,
Thanks for the insights so far.
1) I can use the built-in replication - but what about GPOs? Will they
propagate to the backup DC as well?
GPOs have an in-directory part and a file part (in the SYSVOL share). The
in-directory part is replicated via DRS replication. The file part is not
(until FRS gets implemented).
Post by titantoppler
2) Files (profiles and shared files) will have to be done manually, as will
the permissions. A hassle, but nothing unmanageable
3) S3 isn't ideal for an AD set up since the configuration of the file
permissions will have to be done from smb.conf - I'd prefer to do it all
from the Windows management tools (I know, I know...)
The file permissions are perfectly manageable via the explorer
properties sheets.
The share permissions also can be managed from mmc with a little work.
Regards

Geza
Matthieu Patou
2012-01-01 18:21:38 UTC
Post by titantoppler
Hi all,
Thanks for the insights so far.
1) I can use the built-in replication - but what about GPOs? Will they
propagate to the backup DC as well?
No replication for the moment, set up your own replication scheme ....
Post by titantoppler
2) Files (profiles and shared files) will have to be done manually, as will
the permissions. A hassle, but nothing unmanageable
3) S3 isn't ideal for an AD set up since the configuration of the file
permissions will have to be done from smb.conf - I'd prefer to do it all
from the Windows management tools (I know, I know...)
No no, I encourage you to use the acl_xattr module so that you have a
good NTACLs mapping and then you can use the Windows Explorer to set the
ACLs.
Matthieu.
--
Matthieu Patou
Samba Team
http://samba.org