When we started our software development company, we decided to use Samba as a PDC for the few Windows workstations we had. We use Samba with OpenLDAP, and it has been a good replacement for AD for almost 6 years now (using Windows XP workstations).
Now I'm facing a few problems with our setup:
- The Linux server where the PDC runs is very outdated (and is a Gentoo install, don't ask why!)
- We started using Windows 7 on some of the workstations, and these can't join the Samba domain (there's a workaround, I know)
Our company has grown a bit, and we have now about 20 workstations (and plan to have more in the near future).
I have to reinstall our PDC, and was thinking of updating to another Linux distro and the latest Samba 3.4. However, I started having second thoughts, and now I think going to a Windows Server for the PDC is the way to go. The main drivers to opt for a Windows Server would be its easy administration and the ability to use Windows 7 out of the box, without any registry hacks.
My question(s) then is(are):
- How should I do this migration?
- Can I keep the same domain name?
- What will happen to the users? Will they be recreated and won't be identified by the workstations as being the same user, even if the actual username is the same?
What steps would you recommend me to migrate from Samba to Windows Server?
Bonus question: If you think staying in Samba is the way to go with my current setup, I'm also interested in your thoughts.
The Samba documentation talks about using Microsoft's ADMT tool to do a migration from a Samba domain into an AD domain. It works well in Windows-to-Windows migrations, so I'd try it out in your scenario on a limited basis and see how it acts. I've never used it w/ a Samba domain personally, but it seems like a good thing to try.
You won't be able to keep the same domain name (since the Samba domain and the AD domain would be co-existing during the migration), but your user accounts and workstation domain trust relationships would be seamlessly migrated.
Personally, I'd go with an Active Directory domain for Group Policy. Not having Group Policy would be a nightmare, to me. Having a Windows Server machine means you can also run Windows Server Update Services (WSUS) and get some centralized control of Microsoft updates being applied on your client computers. The licensing expense for a couple of seats of Windows Server 2008 R2 (you really should have two domain controller computers, though only one needs to be on "server class" hardware) and CALs for a network that small would be quickly eaten-up by administrative labor in a Samba domain if you intend to provide any Group Policy-like functionality via scripting.
A terminology note: In Active Directory there is a "role" held by a single Domain Controller computer called "PDC Emulator" which provides some backwards-compatibility functionality and time synchronization services. Other than that, there are no "Primary" Domain Controller computers in Active Directory-- they're all just "Domain Controllers".