.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Migrating a Samba domain to a Microsoft domain
  :keywords: Windows, Samba-AD, documentation, MSAD

.. _samba_migration_to_ms_domain:

##################################################################################################
Migrating a Samba domain to a Microsoft domain
##################################################################################################

If you have problems with your Samba-AD, before you migrate to MS-AD, :ref:`give us a call to talk about it <contact_tranquil_it>`!

*****************************
Presentation of the procedure
*****************************

In the following documentation, it is assumed:

* That the last Samba-AD server we will keep in the domain until the switch to MS-AD is called *samba-ad1.mydomain.lan*.

* That the temporary MS-AD server needed to initiate the migration process is called *ms-ad-temp.mydomain.lan*.

* That the first final MS-AD that will be kept at the end of the migration is called *ms-ad-final1.mydomain.lan*.

* That the second final MS-AD that will be kept at the end of the migration is called *ms-ad-final2.mydomain.lan*.

In the instructions below, replace *mydomain.lan* with your own domain name and the machine names with names of your choosing.

The first Windows machine *ms-ad-temp.mydomain.lan* is only a transition machine: at the time of writing, there is a problem with the ``ntSecurityDescriptor`` attribute (the LDAP security descriptor of each object) when a Windows domain controller is joined directly to *samba-ad1.mydomain.lan*.
*ms-ad-temp.mydomain.lan* is therefore used as a pivot.
*ms-ad-final1.mydomain.lan* is then joined using *ms-ad-temp.mydomain.lan* as its replication source, which ensures that replication works properly and that the ACLs on LDAP and on :file:`SYSVOL` are correctly applied.
Next, the *ms-ad-temp.mydomain.lan* controller is removed.
Finally, a second Windows domain controller, *ms-ad-final2.mydomain.lan*, is added to the Windows 2012R2 domain, which validates that the whole domain works correctly.

Joining a first MS-AD domain controller to the Samba-AD domain
==============================================================

* **Prepare** a first Windows 2012R2 machine, *ms-ad-temp.mydomain.lan*, by following the `official Microsoft Sysprep documentation <https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview>`_.

* Integrate *ms-ad-temp.mydomain.lan* in the Samba-AD domain by following the documentation for :ref:`joining a Windows AD in a Samba-AD domain <samba_add_windows_active_directory>`.

Demoting the Samba-AD domain controllers
========================================

Once the MS-AD has joined the domain correctly, the Samba-AD servers must be demoted.
The cleanest way is to remove all references to the Samba-AD domain controllers directly from *ms-ad-temp.mydomain.lan*.

.. note::

  Conceptually it is better to delete references on the server that remains active rather than on the server you want to delete.

* Remove all Samba-AD domain controllers except *samba-ad1.mydomain.lan*.
  For each other controller of the Samba-AD domain, execute the following command on *samba-ad1.mydomain.lan*, replacing ``<other-samba-servers>`` with that controller's name.
  ``--remove-other-dead-server`` only removes the metadata of a DC from the directory: a DC that is still running should first be demoted normally with ``samba-tool domain demote`` run on that DC itself, and this command is then needed only for controllers that are unreachable:

  .. code-block:: bash

    samba-tool domain demote --remove-other-dead-server=<other-samba-servers>

* Stop the Samba services on the last Samba-AD, *samba-ad1.mydomain.lan* (on some distributions the unit is called ``samba-ad-dc`` rather than ``samba``).
  We nevertheless keep *samba-ad1.mydomain.lan* running a little while longer to continue to use the flexibility of the **samba-tool** commands for some subsequent operations, and also to make `your mourning of Samba-AD less painful <http://www.cdeville.fr/article-32408659.html>`_.

  .. code-block:: bash

    systemctl stop samba
    systemctl disable samba

* Remove the last Samba-AD domain controller by running the following command on *samba-ad1.mydomain.lan*.
  Point the command at the MS-AD *ms-ad-temp.mydomain.lan*, which is now the authoritative copy of the directory:

  .. code-block:: bash

    samba-tool domain demote --remove-other-dead-server=samba-ad1 -H ldap://ms-ad-temp.mydomain.lan -U administrator

* Check that the FSMO roles were transferred by the last demote.
  The *DomainDnsZones* and *ForestDnsZones* roles (the owners of the two DNS application partitions) are not transferred by the demote, so their transfer is forced by seizing them; ``--role=all`` seizes the roles not yet held by *ms-ad-temp.mydomain.lan*:

  .. code-block:: bash

    samba-tool fsmo show -H ldap://ms-ad-temp.mydomain.lan -U administrator
    samba-tool fsmo seize --role=all -H ldap://ms-ad-temp.mydomain.lan -U administrator

* Clean up DNS. In a DNS console opened on *ms-ad-temp.mydomain.lan*, check that the DNS records for *ms-ad-temp.mydomain.lan* are all present (A, NS, SRV and CNAME records) and delete the records that still reference *samba-ad1.mydomain.lan*.
  Also correct the glue records (NS records) of the *_msdcs* delegation in the *mydomain.lan* zone (not in the *_msdcs.mydomain.lan* zone itself).

* Create the reverse zone if it does not exist yet, then create the PTR record for *ms-ad-temp.mydomain.lan*.

**Now we have a full Microsoft domain with a single domain controller.**

* Raise the domain and forest functional levels to 2012R2 with :program:`PowerShell` (``Get-ADDomain`` and ``Get-ADForest`` show the current levels; raising a functional level is not meant to be reverted, so check first):

  .. code-block:: powershell

    Set-ADDomainMode -Identity mydomain.lan -DomainMode Windows2012R2Domain
    Set-ADForestMode -Identity mydomain.lan -ForestMode Windows2012R2Forest
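
The demote, seize and check steps of this section, wrapped in a script that verifies the outcome instead of leaving it to eyeballing. This is an added example and not part of the original procedure: it assumes it runs on *samba-ad1.mydomain.lan* after the Samba services are stopped, that ``samba-tool`` is in the PATH, that the surviving MS-AD is *ms-ad-temp.mydomain.lan* and that ``administrator`` can bind to it over LDAP (``samba-tool`` prompts for the password). The check parses the ``owner:`` lines printed by ``samba-tool fsmo show``, assumed to be seven on current Samba releases (five classic roles plus *DomainDnsZones* and *ForestDnsZones*); the sample output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Assumptions: run on samba-ad1.mydomain.lan after "systemctl stop samba";
# samba-tool is in PATH; the surviving MS-AD is ms-ad-temp.mydomain.lan;
# "administrator" can bind to it over LDAP (samba-tool prompts for the password).

# Read `samba-tool fsmo show` output on stdin. Succeed only if every
# "<Role> owner:" line points at the NTDS Settings object of $1 (short DC
# name, case-insensitive) and all seven roles are listed: the five classic
# roles plus DomainDnsZones and ForestDnsZones, the two that the page says
# the demote leaves behind.
fsmo_all_owned_by() {
    expected=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    roles=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
        *" owner: "*)
            roles=$((roles + 1))
            upper=$(printf '%s' "$line" | tr '[:lower:]' '[:upper:]')
            case "$upper" in
            *"CN=NTDS SETTINGS,CN=$expected,"*) ;;
            *)
                bad=$((bad + 1))
                printf 'role still owned elsewhere: %s\n' "$line" >&2
                ;;
            esac
            ;;
        esac
    done
    [ "$roles" -eq 7 ] && [ "$bad" -eq 0 ]
}

# Demote the last Samba DC from the MS-AD side, seize whatever the demote
# did not transfer, then verify that every role now lives on the MS-AD.
# $1 = remaining MS-AD FQDN, $2 = short name of the Samba DC to remove.
remove_last_samba_dc() {
    new_dc=$1
    old_dc=$2
    samba-tool domain demote --remove-other-dead-server="$old_dc" \
        -H "ldap://$new_dc" -U administrator || return 1
    samba-tool fsmo seize --role=all -H "ldap://$new_dc" -U administrator || return 1
    samba-tool fsmo show -H "ldap://$new_dc" -U administrator \
        | fsmo_all_owned_by "${new_dc%%.*}"
}

# Constructed sample of `samba-tool fsmo show` output in which the two DNS
# partition roles were not transferred by the demote (the situation the
# page describes): the check must fail on it.
SAMPLE_BEFORE_SEIZE='SchemaMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=MS-AD-TEMP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA-AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lan'

# The same output as it should look after `samba-tool fsmo seize --role=all`.
SAMPLE_AFTER_SEIZE=$(printf '%s\n' "$SAMPLE_BEFORE_SEIZE" | sed 's/CN=SAMBA-AD1,/CN=MS-AD-TEMP,/')

# Touch the live domain only when explicitly asked; otherwise exercise the
# check on the constructed samples so the script can be tried offline.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    remove_last_samba_dc ms-ad-temp.mydomain.lan samba-ad1
else
    printf '%s\n' "$SAMPLE_BEFORE_SEIZE" | fsmo_all_owned_by ms-ad-temp 2>/dev/null \
        && echo "unexpected: sample before seize passed" \
        || echo "before seize: DNS partition roles still on samba-ad1 (expected)"
    printf '%s\n' "$SAMPLE_AFTER_SEIZE" | fsmo_all_owned_by ms-ad-temp \
        && echo "after seize: all 7 roles on ms-ad-temp"
fi
```

Run it with ``RUN_MIGRATION=1 sh demote-check.sh`` on the Samba box to perform the real demote; without the variable it only runs the check against the embedded samples. The check is deliberately strict about the role count, because a ``fsmo show`` that lists fewer than seven roles means the DNS partition roles were never looked at, which is exactly the gap the page warns about.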

Joining the first definitive Windows domain controller
======================================================

To finish the migration, a second MS-AD must be put in place and the DFS-R objects used for the replication of :file:`SYSVOL` must be re-created:

* **Sysprep** a second Windows 2012R2 machine, *ms-ad-final1.mydomain.lan*, by following the official `Microsoft Sysprep documentation <https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview>`_.

* Join *ms-ad-final1.mydomain.lan* to the domain as an additional domain controller, using *ms-ad-temp.mydomain.lan* as the replication source.

* With a DNS console open on *ms-ad-final1.mydomain.lan*, check that its DNS records are all present.

* On *ms-ad-final1.mydomain.lan*, check replication (``repadmin /kcc`` makes the KCC recompute the replication topology, ``repadmin /showrepl`` lists the partners and the result of the last replication with each):

  .. code-block:: text

    repadmin /kcc
    repadmin /showrepl

* Demote *ms-ad-temp.mydomain.lan* by executing the following command on *samba-ad1.mydomain.lan* (with, of course, the Samba services stopped and disabled):

  .. code-block:: bash

    samba-tool domain demote --remove-other-dead-server=ms-ad-temp -H ldap://ms-ad-final1.mydomain.lan -U administrator

* Clean DNS as before: delete the records that still reference *ms-ad-temp.mydomain.lan*.

* Re-create the DFS-R global objects for :file:`SYSVOL` and restart the DFS-R service on *ms-ad-final1.mydomain.lan* (these are Windows commands; ``dfsrmig /getglobalstate`` shows the current SYSVOL migration state before and after):

  .. code-block:: text

    dfsrmig /createglobalobjects
    net stop dfsr
    net start dfsr

* Check that :command:`dcdiag` is clean (:command:`dcdiag` may report event log errors that predate the migration and are unrelated to it):

  .. code-block:: text

    dcdiag

Joining the second final Windows domain controller
==================================================

This step validates the proper functioning of the domain in MS-AD environment.

* **Sysprep** a third Windows 2012R2 machine, *ms-ad-final2.mydomain.lan*, by following the `Microsoft Sysprep documentation <https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview>`_.

* Join *ms-ad-final2.mydomain.lan* into the Windows domain by following the documentation for :ref:`joining a Windows AD in a domain <samba_add_windows_active_directory>`, stopping after the section on joining. After the reboot, the :file:`SYSVOL` directory must be replicated correctly and the :file:`SYSVOL` and ``NetLogon`` shares must appear on their own, without touching the ``SysvolReady`` registry key.

* Clean DNS (**pay particular attention to the CNAME records in _msdcs**).

* Verify that replication works by creating a file in the :file:`SYSVOL` folder on one controller and checking that it appears on the other.
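
The two remaining manual checks of the last sections, the DNS clean-up after each demote and the SYSVOL copy test, done from the Linux side. This is an added example and not part of the original procedure: it assumes it runs on *samba-ad1.mydomain.lan* (Samba stopped) or any host with ``samba-tool`` and ``smbclient``, that the final controllers are *ms-ad-final1.mydomain.lan* and *ms-ad-final2.mydomain.lan*, that the retired ones are *samba-ad1* and *ms-ad-temp*, and that the ``administrator`` password is in the ``PASSWD`` environment variable (honoured by ``smbclient``; ``samba-tool`` prompts). ``samba-tool dns query`` talks to the DNS server over the MS-DNSP RPC interface, so it works against a Windows DC, which is one of the reasons the page keeps the Samba box around. The record sample embedded below is constructed and only approximates the layout ``samba-tool dns query`` prints; the scan does not depend on that layout.

```shell
#!/bin/sh
# Added example, not part of the original procedure.
# Assumptions: samba-tool and smbclient in PATH; final DCs ms-ad-final1 and
# ms-ad-final2; retired DCs samba-ad1 and ms-ad-temp; PASSWD holds the
# administrator password for smbclient (samba-tool prompts).

# Read DNS records on stdin (e.g. `samba-tool dns query ... @ ALL` output)
# and print every line that still names one of the retired DCs given as
# arguments. The match is case-insensitive on the short host name followed
# by a dot, a space or end of line, so it catches NS glue, SRV targets and
# the _msdcs CNAME alike without caring about the record layout.
# Returns 0 when nothing stale remains.
stale_dns_refs() {
    pattern=$(printf '%s' "$*" | tr ' ' '|')
    count=0
    while IFS= read -r line; do
        if printf '%s' "$line" | grep -Eiq "($pattern)"'([. ]|$)'; then
            count=$((count + 1))
            printf 'stale: %s\n' "$line"
        fi
    done
    [ "$count" -eq 0 ]
}

# Dump one zone from a DC and scan it. $1 = DC to query, $2 = zone,
# remaining arguments = retired DC short names.
scan_zone() {
    dc=$1; zone=$2; shift 2
    samba-tool dns query "$dc" "$zone" @ ALL -U administrator | stale_dns_refs "$@"
}

# The file-copy test the page describes: drop a marker into
# SYSVOL\<domain>\scripts on one DC over SMB and poll the other DC until
# DFS-R has delivered it. $1 = source DC, $2 = target DC, $3 = domain DNS
# name, $4 = timeout in seconds (default 120).
sysvol_replicates() {
    src=$1; dst=$2; domain=$3; timeout=${4:-120}
    marker="replcheck-$$.txt"
    tmp=$(mktemp) || return 1
    echo "written on $src" > "$tmp"
    smbclient "//$src/SYSVOL" -U administrator \
        -c "cd $domain/scripts; put $tmp $marker" >/dev/null || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if smbclient "//$dst/SYSVOL" -U administrator \
            -c "cd $domain/scripts; ls $marker" 2>/dev/null | grep -q "$marker"; then
            echo "SYSVOL marker replicated to $dst after ${waited}s"
            smbclient "//$src/SYSVOL" -U administrator \
                -c "cd $domain/scripts; del $marker" >/dev/null
            return 0
        fi
        sleep 5
        waited=$((waited + 5))
    done
    echo "SYSVOL marker NOT replicated to $dst within ${timeout}s" >&2
    return 1
}

# Constructed sample, roughly in the layout of `samba-tool dns query`, with
# one NS glue record and one SRV record still pointing at retired DCs.
SAMPLE_ZONE='  Name=, Records=4, Children=3
    SOA: serial=2024010101, refresh=900, retry=600, expire=86400, minttl=3600, ns=ms-ad-final1.mydomain.lan., email=hostmaster.mydomain.lan.
    NS: ms-ad-final1.mydomain.lan.
    NS: ms-ad-final2.mydomain.lan.
    NS: samba-ad1.mydomain.lan.
  Name=_ldap._tcp, Records=2, Children=0
    SRV: ms-ad-final1.mydomain.lan. (389, 0, 100)
    SRV: ms-ad-temp.mydomain.lan. (389, 0, 100)
  Name=ms-ad-final2, Records=1, Children=0
    A: 192.168.1.12'

# Live checks only on request; otherwise run the scan on the sample.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    scan_zone ms-ad-final1.mydomain.lan mydomain.lan samba-ad1 ms-ad-temp
    scan_zone ms-ad-final1.mydomain.lan _msdcs.mydomain.lan samba-ad1 ms-ad-temp
    sysvol_replicates ms-ad-final1.mydomain.lan ms-ad-final2.mydomain.lan mydomain.lan
else
    printf '%s\n' "$SAMPLE_ZONE" | stale_dns_refs samba-ad1 ms-ad-temp \
        || echo "sample zone still references retired DCs (expected)"
fi
```

Scan both the forward zone and *_msdcs.mydomain.lan*, since the NS glue for the delegation lives in the former and the DSA GUID CNAMEs in the latter; anything the scan prints is a record to delete in the DNS console. The marker is written under ``scripts`` (the NETLOGON directory) so the test exercises the same DFS-R replicated folder that group policy depends on.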

Turning off your Samba permanently
==================================

* On your *samba-ad1.mydomain.lan*, run the command:

  .. code-block:: bash

    shutdown -h now

* Optionally: update your CV.

.. note::

  Now you have a Microsoft domain that works the same way as your Samba-AD domain.
  If your Samba-AD domain did not work well, then your MS-AD domain will not work any better.

You can always :ref:`rely on Tranquil IT <contact_tranquil_it>` to help you.
Mastering Samba and MS-AD is above all a matter of understanding the Active Directory protocols, and we hope this documentation has demonstrated that mastery.
