Replacing An NT4 Domain Controller With Samba 3
by Carla Schroder
It’s official: as of December 31, 2004, Windows NT4 is no longer supported by Microsoft, unless you want to buy a year of custom, paid support. For all of you hardworking sysadmins of NT4 domain controllers who are now wondering what to do, here are some of your options:
- Change nothing. So you lose vendor support — so what? Was it so hot in the first place?
- Upgrade to Windows XP or 2003. This costs much money in licenses, and you may need to upgrade your hardware as well. Plus you’ll have a whole new set of bugs and security holes to get acquainted with. However, this also gives you Active Directory, which may be something you want to move up to.
- Replace your NT4 box with a Samba 3 domain controller.
This series is about option 3. In Part 1 we’re going to look at the pros and cons of migrating from NT4 to Samba, and give an overview of the steps. In Part 2 we’ll walk through the migration process, including migrating user and machine accounts, step-by-step. Setting up a Samba domain controller is quite simple when you start from scratch. Migrating existing NT4 accounts, profiles, and login scripts is the tricky bit.
An NT4 primary domain controller (PDC) typically has two major functions: single-sign-on user authentication, and controlling access to network resources. Samba can do these things quite ably. And it also does these things:
- Easily integrate Linux hosts into your LAN.
- Save you from expensive, Byzantine Microsoft licensing and fear of the License Police.
- Greater stability, reliability, and performance.
- Multiple choices of database backends: tdbsam, ldapsam, or mysqlsam.
- Community and commercial support.
- Secure remote administration via SSH.
- Distributed authentication: running multiple secondary Samba servers is much simpler to manage than NT4 primary and backup domain controllers. You don’t have to hassle with silliness like promotions and re-installations – just tweak a configuration file.
- Reliable, efficient synchronization of Samba servers via rsync.
- If you start out with Samba as your domain controller, then decide you want to upgrade to Active Directory, no problem — Samba 3 snugs right into Active Directory with a few configuration tweaks, unlike NT4, which requires a complete re-installation to change its role from domain controller to domain member.
Samba also makes a great file and print server for mixed Windows/Linux LANs, so once you learn any part of Samba, you can continue to build on your knowledge.
Samba runs on Linux, or almost any Unix-type operating system. If your old NT4 server handled your network load adequately, Samba and Linux will work fine on the same hardware. In fact you should see an increase in performance.
If you’re completely new to Linux, you’re facing a bit of a learning curve. The best thing to do in this case is set up a test PC running Linux, and get acquainted with it before putting it into production. Red Hat and Novell/SuSE have great user manuals, vendor support, and all kinds of additional online documentation and help resources. Any Linux comes with great community support — you can always find answers. And with Linux, there are no artificial distinctions between “server” and “workstation” versions. Any Linux can be customized to serve whatever role you wish; you won’t find yourself wrestling with crippled editions designed solely to extract more money from you.
Samba’s default is encrypted logins. These Windows versions do not support encrypted logins, but only cleartext:
- Windows 95 pre-OSR2
- Windows NT 3.x
- Windows NT pre-SP4
Fortunately, there is a patch for Windows 95 called Vrdrupd.exe. See Microsoft KB165403 for details. Last time I checked, NT4 was up to Service Pack 6, so that’s covered. So that leaves only Windows NT3.x unsupported. (If you still have to admin NT3, you have my sympathies.) If you really really really want cleartext logins, Samba supports them. You have to choose one or the other; you can’t mix and match. Configuring Samba for cleartext logins is a single line in a configuration file. But configuring your Windows 95/98/ME/200x/XP clients for cleartext logins requires Registry hacks. I am going to pretend this option does not exist. It’s in the Samba documentation for anyone determined to implement it.
Remember, There Can Be Only One. Domain controller, that is. These are the steps to follow to replace your old NT4 domain controller with a gleaming new Samba domain controller:
- Configure Samba as a backup domain controller
- Join the Samba BDC to your NT4 domain
- Migrate user and machine accounts
- Shut down the NT4 domain controller
- “Promote” Samba to a PDC
In a perfect, ideal world your users will now log in with ease and never know the difference. In the real world there are a few pitfalls; come back next week to learn what they are, and how to cunningly foil them. For example, Windows does not use case-sensitivity for file names and user names; Samba does. Windows and Linux handle file permissions a little differently. And so forth. Fortunately, Samba ships with a number of custom scripts and commands for handling migration, such as vampire and pdbedit. That’s right, you’ll be able to report to your boss that you successfully vampired your NT4 server over to Samba.
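To make the five steps above concrete (and the earlier point that a Samba "promotion" is just a configuration tweak), here is an added example of a small shell script; it is not part of this article and not Samba's own code. It writes an smb.conf that puts the host in the BDC role, prints the join and vampire commands that would pull the accounts across, and then flips the same file to the PDC role once the NT4 box is switched off. The domain name MYDOM, the NetBIOS names SAMBADC and NT4PDC, the Administrator account, the `machines` group and the paths under /var/lib/samba are placeholders you would replace with your own. Commands that would touch a real domain go through a dry-run wrapper and are only printed unless you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example: sketch of the NT4 -> Samba 3 migration steps from the article.
# Not Samba's own code. MYDOM, SAMBADC, NT4PDC, the Administrator account and
# the /var/lib/samba paths are placeholders. Anything that would talk to a real
# domain controller goes through run(), which only prints the command unless
# DRY_RUN=0 is set in the environment.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: write an smb.conf that makes this host a Samba backup domain controller.
# "domain master = no" is what keeps it a BDC while the NT4 PDC is still alive;
# the add-*-script lines let vampire create Unix accounts for the users, groups
# and machines it copies out of the NT4 SAM (the "machines" group must exist).
write_bdc_smb_conf() {
    dir=$1 domain=$2 netbios=$3
    mkdir -p "$dir"
    cat > "$dir/smb.conf" <<EOF
[global]
    workgroup = $domain
    netbios name = $netbios
    server string = Samba 3 domain controller
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam
    domain logons = yes
    ; role: BDC while the NT4 PDC runs, flipped to PDC by promote_to_pdc
    domain master = no
    preferred master = no
    local master = yes
    os level = 65
    ; needed by "net rpc vampire" to create the matching Unix accounts
    add user script = /usr/sbin/useradd -m %u
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false %u
    add group script = /usr/sbin/groupadd %g

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
EOF
}

# Steps 2 and 3: join the NT4 domain as a BDC, then "vampire" the user, group
# and machine accounts into the local tdbsam, and list what arrived.
# Pass the admin as Administrator%password to avoid the interactive prompt.
migrate_accounts() {
    pdc=$1 domain=$2 admin=$3
    run net rpc join -S "$pdc" -w "$domain" -U "$admin"
    run net rpc vampire -S "$pdc" -U "$admin"
    run pdbedit -L
}

# Step 5 (after the NT4 box is shut down): promotion is two lines in smb.conf.
# The edit is done through a temp file so it works with both GNU and BSD sed;
# if Samba is installed, testparm -s re-parses the result as a sanity check.
promote_to_pdc() {
    conf=$1
    sed -e 's/^\( *domain master *= *\)no/\1yes/' \
        -e 's/^\( *preferred master *= *\)no/\1yes/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$conf" >/dev/null
    fi
}

# Reports which role the config currently describes: pdc or bdc.
role_of() {
    if grep -q '^ *domain master *= *yes' "$1"; then echo pdc; else echo bdc; fi
}

# Demo run (dry run by default): build the BDC config in a scratch directory,
# print the commands the migration would run, then show the promotion edit.
demo_dir="${TMPDIR:-/tmp}/samba-bdc-demo"
write_bdc_smb_conf "$demo_dir" MYDOM SAMBADC
echo "role before: $(role_of "$demo_dir/smb.conf")"
migrate_accounts NT4PDC MYDOM Administrator
promote_to_pdc "$demo_dir/smb.conf"
echo "role after:  $(role_of "$demo_dir/smb.conf")"
```

Run it as-is to see the generated file and the command sequence; set DRY_RUN=0 only on the host that is actually becoming the BDC, with the NT4 PDC still up for the join and vampire steps and shut down before you call promote_to_pdc.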