
[Samba] Moving DC1 to a Virtual Machine


Paul Littlefield
Jan 24, 2015, 10:40:04 AM
Hello

I have primary and secondary Samba 4 DCs running very nicely with replication.

I have DC1 using the official Backup scripts.

We are moving these to virtual machines.

We are changing the Linux OS on DC1 from Gentoo to Ubuntu.

REAL DC1 = FSMO Role
REAL DC1 = Gentoo
REAL DC2 = Ubuntu
VIRTUAL DC1 = Ubuntu

What is the correct way to change DC1 to a virtual machine?

Do I just restore from REAL DC1 backup files?

Or, do I shut down REAL DC1 and 'join' VIRTUAL DC1 to REAL DC2?

Do I have to change the FSMO role first?

(I was going to shut down REAL DC2, shut down REAL DC1, restore files from REAL DC1 to VIRTUAL DC1, start up VIRTUAL DC1 and test, etc.)

I could not find a definitive answer on the Samba Wiki, and my apologies if I missed it.

Many thanks for your help in advance.

Regards,

Paul Littlefield
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld
Jan 24, 2015, 1:00:03 PM
Hello Paul,

On 24.01.2015 at 16:38 Paul Littlefield wrote:
> What is the correct way to change DC1 to a virtual machine?

One way is to join the new virtual DC to the domain, transfer the FSMO
roles from DC1 to the new one and demote DC1. But then your new DC has a
new name, of course. And we currently have a bug that not all roles are
transferred, even if samba-tool says 'successful'. And then you can't
demote the old one until you manually edit the AD database.



The second way, and the one I would go, is
- shut down Samba on DC1
- copy all databases and SysVol content to the new host,
into the folders where your new OS expects them
- disconnect the old machine from the network
- start Samba on the new host
It's very important that the old host is never connected to the network
any more or you will mess up your AD!

I don't know what Samba version Gentoo and Ubuntu are shipping. But I
suggest that the OS on the new host doesn't have an older version.

If you don't know where the OS of your new host puts the databases,
provision a new domain in a test environment and see, where the
databases are placed.


About the FSMO roles, you usually don't have to worry. Make sure that
you understand what the five roles are for
(https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles#The_five_FSMO_roles).
Some domain features aren't available if the DC owning a role is
temporarily down. But in most situations, this isn't business critical.
Like if the RID master is down, you can e.g. only create new objects
(users, groups, etc.) until your second DC's RID pool is empty.



Regards,
Marc

Paul Littlefield
Jan 24, 2015, 1:50:03 PM
On 24/01/15 17:56, Marc Muehlfeld wrote:
> The second way, and the one I would go, is
> - shut down Samba on DC1
> - copy all databases and SysVol content to the new host,
> into the folders where your new OS expects them
> - disconnect the old machine from the network
> - start Samba on the new host
> It's very important that the old host is never connected to the network
> any more or you will mess up your AD!
>
> I don't know what Samba version Gentoo and Ubuntu are shipping. But I
> suggest that the OS on the new host doesn't have an older version.


Hello Marc

Thanks for your reply.

Yes, that's what I thought... belt and braces copy all databases and sysvol content using the backup script and restore instructions on the wiki.

Yes, I was going to literally turn OFF both the old 'real' DC1 and 'real' DC2 just in case the 'virtual' DC1 went fooey and interfered with DC2.

I am also going to turn off all non-essential computers on the network so that Windows DC and login can be tested without any horrific consequences.

What do the others think? Am I being paranoid or wise?

:)

Paul Littlefield

PS: now I think about it, I may as well 'virtualise' DC2 as well AS IS, then use that (with the same IP addresses, hostnames, etc.) to test the new 'virtual' DC1 for replication, etc.

Thoughts?

Marc Muehlfeld
Jan 24, 2015, 2:40:03 PM

On 24.01.2015 at 19:45 Paul Littlefield wrote:
> Yes, that's what I thought... belt and braces copy all databases and
> sysvol content using the backup script and restore instructions on the
> wiki.

If you have shut down Samba on the DC, you don't need the backup script.
This script just creates hot backups, so you don't have to shut down a DC
for backup. If Samba is already stopped, then it's safe to backup/copy
the files.



> Yes, I was going to literally turn OFF both the old 'real' DC1 and
> 'real' DC2 just in case the 'virtual' DC1 went fooey and interfered with
> DC2.

If you have brought the new DC1 together with DC2 and the replication
has started, you can't go back to the old DC1 if something doesn't
work. Then you will get an inconsistent AD.



> I am also going to turn off all non-essential computers on the network
> so that Windows DC and login can be tested without any horrific
> consequences.

If you want to test this before, then do this in a separate
installation and not in production. Then you're safe from any horrific
consequences. Not if you do this with other production
DCs/workstations. Even if you've turned most computers off, you don't
know what the others change in the meantime in AD (e.g. machine password
changes). If you roll back, you can run into problems.

Use a test installation and don't test in production.




Regards,
Marc

Paul Littlefield
Jan 25, 2015, 10:10:03 AM
On 24/01/15 19:38, Marc Muehlfeld wrote:
> If you want to test this before, then do this in a separate
> installation and not in production. Then you're safe from any horrific
> consequences. Not if you do this with other production
> DCs/workstations. Even if you've turned most computers off, you don't
> know what the others change in the meantime in AD (e.g. machine password
> changes). If you roll back, you can run into problems.
>
> Use a test installation and don't test in production.

Hello Marc

Thanks for your reply.

OK, I will take copies of real DC1 and DC2 to my VirtualBox at home... well away from the client's network.

I will then fire up and check databases, DNS, Kerberos, etc.

If they both talk to each other, and a dummy Windows PC can join the domain, am I OK to roll it out to the client's network?

Are there any other strict checks I need to do?

Regards,

Paul Littlefield

Stefan Kania
Jan 25, 2015, 1:10:03 PM

Or you try this:
http://relax-and-recover.org/
With Rear it is possible to do a P2V migration.


On 24.01.2015 at 19:45 Paul Littlefield wrote:
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam. Sign your
e-mail. Further information at http://www.gnupg.org

My key is on

hkp://subkeys.pgp.net


Paul Littlefield
Jan 26, 2015, 4:50:04 AM
On 25/01/15 18:07, Stefan Kania wrote:
> Or you try this:
> http://relax-and-recover.org/
> With Rear it is possible to do a P2V migration.

Hello Stefan

Oh wow, amazing piece of software... the YouTube video sold it to me.

REAR could be very useful.

List - I'll take all your comments under my wing, and return with a full report.

Many thanks.

:)

Paul Littlefield

mourik jan heupink - merit
Jan 26, 2015, 5:50:03 AM
Hi Stefan,

On 01/25/2015 07:07 PM, Stefan Kania wrote:
> Or you try this:
> http://relax-and-recover.org/
> With Rear it is possible to do a P2V migration.

Thanks for sharing this, I did not know about this!

Paul Littlefield
Jan 26, 2015, 8:10:03 AM
On 26/01/15 13:00, Marc Muehlfeld wrote:
> P2V yes. But I don't understand how REAR helps, when the OP wants to do
> an OS switch from Gentoo to Ubuntu at the same time?!

Hello Marc

If I cannot switch from Gentoo to Ubuntu (I am currently testing in VirtualBox Ubuntu Server fresh install)... then I will just use REAR to do P2V and keep it Gentoo :(

Yes, I would rather have 2 DCs which are exactly the same O/S and Samba version.

Yes, I want to end with Ubuntu Server 14.04.1 LTS running latest Samba stable from Git.

However, I am really worried about the consequences of getting it wrong.

Hence, why I am testing this at home with VBox.

Regards,

Marc Muehlfeld
Jan 26, 2015, 8:10:03 AM
On 26.01.2015 at 10:44 Paul Littlefield wrote:
>> Or you try this:
>> http://relax-and-recover.org/
>> With Rear it is possible to do a P2V migration.
>
> Oh wow, amazing piece of software... the YouTube video sold it to me.
>
> REAR could be very useful.


P2V yes. But I don't understand how REAR helps, when the OP wants to do
an OS switch from Gentoo to Ubuntu at the same time?!


Regards,
Marc

Paul Littlefield
Jan 26, 2015, 10:00:04 AM
On 26/01/15 13:06, Paul Littlefield wrote:
> If I cannot switch from Gentoo to Ubuntu (I am currently testing in VirtualBox Ubuntu Server fresh install)... then I will just use REAR to do P2V and keep it Gentoo :(

Hello All

Alas, as predicted, when I try to restore the 'real DC1' files to the 'virtual DC1' and test, it fails...


root@samba:~# /usr/local/samba/bin/samba-tool ntacl sysvolreset
Traceback (most recent call last):
File "/usr/local/samba/bin/samba-tool", line 33, in <module>
from samba.netcmd.main import cmd_sambatool
File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 27, in <module>
import samba.param
ImportError: /usr/local/samba/lib/private/libserver-role.so: version `SAMBA_4.2.0PRE1_GIT_F8EC0F9' not found (required by /usr/local/samba/lib/python2.7/site-packages/samba/param.so)


...which is why this was put on the official Samba Wiki and I did read it, but thought it was worth a try...


"Very important notes:
Never do a restore and a version change at once! Always restore on a system that uses the same Samba version as the one you created the backup on! Restore on a system with the same IP and Hostname. Otherwise you'll run into Kerberos and DNS issues. Recommended: Restore on the same OS as where you created the backup."


So, it looks like I have to virtualise my real Gentoo DC1 and stick with that.

Will I ever be able to swap operating system?!

:(
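The ImportError above is a library symbol-version mismatch: the symbol version `SAMBA_4.2.0PRE1_GIT_F8EC0F9` is the old build's version string, so databases copied onto a host running a different Samba build fail before samba-tool even starts. The following script is an added example, not code from the thread or from the Samba project; it encodes the wiki rule quoted above as a pre-flight check. It parses the first line of `samba -V` from the old and the new host and refuses a downgrade, a version change, or the same version number built from a different Git commit. The version strings used in `__main__` are constructed to mirror the thread (a Git pre-release on the old DC, a stable release on the new host).

```python
import re

# Matches the first line of `samba -V`, e.g. "Version 4.1.17",
# "Version 4.2.0pre1-GIT-f8ec0f9" or "Version 4.1.6-Ubuntu" (distro suffix ignored).
_VERSION_RE = re.compile(
    r"Version\s+(\d+)\.(\d+)\.(\d+)(?:(pre|rc)(\d+))?(?:-GIT-([0-9a-f]+))?",
    re.IGNORECASE,
)


def parse_samba_version(text):
    """Return (major, minor, patch, stage, stage_no, git_hash).

    stage is 'pre', 'rc' or 'final'; stage_no is 0 for final releases;
    git_hash is None for release builds that carry no -GIT- suffix.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised samba -V output: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage = (m.group(4) or "final").lower()
    stage_no = int(m.group(5)) if m.group(5) else 0
    git_hash = m.group(6).lower() if m.group(6) else None
    return (major, minor, patch, stage, stage_no, git_hash)


def format_version(v):
    """Render a parsed version back into Samba's own notation."""
    s = "%d.%d.%d" % v[:3]
    if v[3] != "final":
        s += "%s%d" % (v[3], v[4])
    if v[5]:
        s += "-GIT-" + v[5]
    return s


def _order_key(v):
    # Pre-releases sort before release candidates, which sort before the final release.
    return v[:3] + ({"pre": 0, "rc": 1, "final": 2}[v[3]], v[4])


def check_restore(old_samba_v, new_samba_v):
    """Decide whether the old DC's databases may be copied onto the new host.

    Returns (allowed, reason). Only an identical build passes; everything else
    is refused so that the version change happens as a separate, tested step.
    """
    old = parse_samba_version(old_samba_v)
    new = parse_samba_version(new_samba_v)
    if _order_key(new) < _order_key(old):
        return False, "downgrade: new host runs %s, backup comes from %s" % (
            format_version(new), format_version(old))
    if _order_key(new) > _order_key(old):
        return False, "version change: restore onto %s first, then upgrade to %s" % (
            format_version(old), format_version(new))
    if old[5] != new[5]:
        # Same release number, but private libraries carry the build's version
        # string as their symbol version, so the two builds will not load together.
        return False, "same version number but different Git builds (%s vs %s)" % (
            format_version(old), format_version(new))
    if new[3] != "final":
        return True, "identical pre-release build %s; acceptable in a test environment only" % (
            format_version(new))
    return True, "identical Samba %s on both hosts" % format_version(new)


if __name__ == "__main__":
    # Constructed inputs: Git pre-release on the old Gentoo DC, stable release on Ubuntu.
    old_v = "Version 4.2.0pre1-GIT-f8ec0f9"
    new_v = "Version 4.1.17"
    ok, why = check_restore(old_v, new_v)
    print("allowed" if ok else "refused", "-", why)
```

Run `samba -V` on both hosts and feed the first line of each to `check_restore`; anything other than `(True, ...)` means the restore should be done onto a host with the identical build first, and the OS or Samba change made afterwards as its own step.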

Rowland Penny
Jan 26, 2015, 10:10:04 AM
Yes, set up a new DC with your new OS and join this to the domain, once
up and running, transfer the seven (yes, there are 7) FSMO roles to the
new DC. Once everything is running ok, turn off the old DC and remove
*all* mention of it from the domain.

Not easy, but it can be done.

Of course it would have been a lot easier if you hadn't used the samba
version from git. It would also be a lot better if people read and
accepted what is written on the wiki.

Rowland

Paul Littlefield
Jan 26, 2015, 10:20:02 AM
On 26/01/15 15:08, Rowland Penny wrote:
> Yes, set up a new DC with your new OS and join this to the domain, once up and running, transfer the seven (yes, there are 7) FSMO roles to the new DC. Once everything is running ok, turn off the old DC and remove *all* mention of it from the domain.

Hi Rowland

Indeed, this was suggested but was frowned upon, as there are bugs?

> Not easy, but it can be done.

Yes, and I believe it could potentially **** up the existing DC2 and any machines attached to it, meaning you have to join every single machine on the network domain again.

> Of course it would have been a lot easier if you hadn't used the samba version from git. It would also be a lot better if people read and accepted what is written on the wiki.

Yes, hindsight is a wonderful thing :)

The whole Domain Controller thing on this network is a tale of "suck it and see" and then "if it ain't broke don't fix it."

It was done in the early days of Samba 4 when there was only the git version, and so I thought it would be best to stick with that method for DC2.

So far, they have worked flawlessly for a year, but now the boss wants to cut down the heat generating boxes which are in the server room.

:)

So, I will...

* P2V my Gentoo DC1 exactly as is.
* P2V my Ubuntu DC2 exactly as it.

...and be done with it.

That sound OK?

For now.

:)

Regards,

Paul Littlefield

Marc Muehlfeld
Jan 26, 2015, 10:40:03 AM
On 26.01.2015 at 15:55 Paul Littlefield wrote:
> root@samba:~# /usr/local/samba/bin/samba-tool ntacl sysvolreset
> Traceback (most recent call last):
> File "/usr/local/samba/bin/samba-tool", line 33, in <module>
> from samba.netcmd.main import cmd_sambatool
> File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py",
> line 27, in <module>
> import samba.param
> ImportError: /usr/local/samba/lib/private/libserver-role.so: version
> `SAMBA_4.2.0PRE1_GIT_F8EC0F9' not found (required by
> /usr/local/samba/lib/python2.7/site-packages/samba/param.so)
>
>
> ...which is why this was put on the official Samba Wiki and I did read
> it, but thought it was worth a try...
>
>
> "Very important notes:
> Never do a restore and a version change at once! Always restore on a
> system that uses the same Samba version as the one you created the
> backup on! Restore on a system with the same IP and Hostname. Otherwise
> you'll run into Kerberos and DNS issues. Recommended: Restore on the
> same OS as where you created the backup."


I wrote this for real disaster scenarios. There you have other problems
than searching for update problems.

But in a test environment you can play with a new version, of course. At
least you should not downgrade. And of course not upgrade to a pre-release
like 4.2. But usually you never want unofficial versions in
production. But your error looks like you had 4.2pre1 on your old
system? Is that right?

But you can synchronize the versions by self-compiling or using the
Sernet packages.

Regards,
Marc

Paul Littlefield
Jan 26, 2015, 10:50:03 AM
On 26/01/15 15:40, Rowland Penny wrote:
> I think that in the short term, that is all you can do.

OK.

Thanks for everyone's input.

I am now off to have a look at http://relax-and-recover.org to P2V...

...unless someone knows a foolproof, verified way of cloning a software RAID Gentoo system, instead of a stage4 tarball?

:)

--

Paul Littlefield

Telephone: 07801 125705
Email: in...@paully.co.uk
Web: http://www.paully.co.uk
Twitter: https://twitter.com/paullittlefield
Wiki: http://wiki.indie-it.com/index.php?title=Special:AllPages
Blog: http://www.littlefield.info
Photo: http://gravatar.com/plittlefield
Google+: https://plus.google.com/+PaulLittlefield
LinkedIn: http://uk.linkedin.com/in/paullittlefield
Trakt: http://trakt.tv/user/plittlefield
LastFM: http://www.last.fm/user/paullittlefield

Paul Littlefield is environmentally responsible. Please consider the environment before printing this email. This email and any attachment is intended for the named addressee only, or person authorised to receive it on their behalf. The content should be treated as confidential and the recipient may not disclose this message or any attachment to anyone else without authorisation. If this transmission is received in error please notify the sender immediately and delete this message from your email system. All electronic transmissions to and from me are recorded and may be monitored. Finally, the recipient should check this email and any attachments for viruses. Paul Littlefield accepts no liability for any damage caused by any virus transmitted by this email.


Ubuntu 14.04.1 LTS (x86_64)

Rowland Penny
Jan 26, 2015, 10:50:05 AM
On 26/01/15 15:16, Paul Littlefield wrote:
> On 26/01/15 15:08, Rowland Penny wrote:
>> Yes, set up a new DC with your new OS and join this to the domain,
>> once up and running, transfer the seven (yes, there are 7) FSMO roles
>> to the new DC. Once everything is running ok, turn off the old DC and
>> remove *all* mention of it from the domain.
>
> Hi Rowland
>
> Indeed, this was suggested but was frowned upon, as there are bugs?

Not as far as I know, the problem is that samba-tool only knows about
five of the FSMO roles, it knows nothing about the 'ForestDnsZones' &
'DomainDnsZones' FSMO roles, so this means you have to seize them
manually. Though having said that, I suppose this could be classed as a bug.

>
>> Not easy, but it can be done.
>
> Yes, and I believe it could potentially **** up the existing DC2 and
> any machines attached to it, meaning you have to join every single
> machine on the network domain again..

Well possibly, so you would have to back everything up and do this when
every other machine was turned off

>
>
>> Of course it would have been a lot easier if you hadn't used the
>> samba version from git. It would also be a lot better if people read
>> and accepted what is written on the wiki.
>
> Yes, hindsight is a wonderful thing :)
>

Very true :-)

> The whole Domain Controller thing on this network is a tale of "suck
> it and see" and then "if it ain't broke don't fix it."
>

I worked for a company like that.

> It was done in the early days of Samba 4 when there was only the git
> version, and so I thought it would be best to stick with that method
> for DC2.
>
> So far, they have worked flawlessly for a year, but now the boss wants
> to cut down the heat generating boxes which are in the server room.
>
> :)
>
> So, I will...
>
> * P2V my Gentoo DC1 exactly as is.
> * P2V my Ubuntu DC2 exactly as it.
>
> ...and be done with it.
>
> That sound OK?
>
> For now.
>

I think that in the short term, that is all you can do.

Rowland

Sketch
Jan 26, 2015, 11:00:05 AM
On Mon, 26 Jan 2015, Paul Littlefield wrote:

> So, I will...
>
> * P2V my Gentoo DC1 exactly as is.
> * P2V my Ubuntu DC2 exactly as it.
>
> ...and be done with it.
>
> That sound OK?

Either that, or just create a new VM on your OS of choice and join it to
the existing domain as a new DC. Claim all the FSMO roles, and shut your
old DC down. It will have a new name and IP, but it will work fine. That
is one nice thing about AD DCs, they are pretty much interchangeable.

L.P.H. van Belle
Jan 26, 2015, 11:10:03 AM
just a suggestion..

get www.xenserver.org install a xen server.

get xen conversion tools. http://www.citrix.nl/downloads/xenserver/tools/conversion.html

and migrate the linux on hardware box to Xen server.

from here you can also export to OVF/OVA package or XVA file.
the OVF can be imported in virtual box..

but i do everything with xen server.


greetz,

Louis


>-----Original message-----
>From: in...@paully.co.uk [mailto:samba-...@lists.samba.org]
>On behalf of Paul Littlefield
>Sent: Monday, 26 January 2015 16:45
>To: Rowland Penny; sa...@lists.samba.org
>Subject: Re: [Samba] Moving DC1 to a Virtual Machine

Paul Littlefield
Jan 26, 2015, 11:10:04 AM
On 26/01/15 15:55, Sketch wrote:
> Either that, or just create a new VM on your OS of choice and join it to the existing domain as a new DC. Claim all the FSMO roles, and shut your old DC down. It will have a new name and IP, but it will work fine. That is one nice thing about AD DCs, they are pretty much interchangeable.

Hello Sketch

Thanks for your comments!

You're sounding all very positive and confident :)

So, it all depends on whether _I_ am feeling daring...

* [physical dc1] transfer all 7 FSMO roles to physical dc2.
* [physical dc2] check databases, dns, sysvol, kerberos, pc logons, blood type, etc.
* [physical dc1] shut down.
* [network pcs] test logins then shut down.
* [virtual dc1] ubuntu fresh install, samba install, same version as physical dc2.
* [virtual dc1] check different ip, join domain as new dc.
* [virtual dc1] + [physical dc2] set up replication.
* do a rain dance, say 3 hail marys and keep your fingers crossed.

That sound about right?

What have I missed?

:)

Paul Littlefield
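Rowland's point earlier in the thread is that samba-tool at the time reported only five roles, while the DomainDnsZones and ForestDnsZones roles are recorded in the fSMORoleOwner attribute of the Infrastructure object of each of those two partitions; Paul's first step above is to move all seven before the physical DC1 is shut down. The following script is an added example, not code from the thread or from the Samba project. It parses LDIF as printed by `ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b '<object DN>' fSMORoleOwner` for the seven role-holding objects and lists the roles that still point at the DC being retired, which is the check to run before the old host is disconnected for good. The domain DN `DC=example,DC=com`, the DC names and the sample LDIF are constructed; `ldbsearch` folds long values onto continuation lines, which the parser re-joins.

```python
import re

DOMAIN_DN = "DC=example,DC=com"  # assumption: replace with your domain's DN

# Object whose fSMORoleOwner attribute records the holder of each role.
ROLE_OBJECTS = {
    "pdc": DOMAIN_DN,
    "rid": "CN=RID Manager$,CN=System," + DOMAIN_DN,
    "infrastructure": "CN=Infrastructure," + DOMAIN_DN,
    "schema": "CN=Schema,CN=Configuration," + DOMAIN_DN,
    "naming": "CN=Partitions,CN=Configuration," + DOMAIN_DN,
    # the two roles samba-tool did not report at the time of the thread
    "domaindns": "CN=Infrastructure,DC=DomainDnsZones," + DOMAIN_DN,
    "forestdns": "CN=Infrastructure,DC=ForestDnsZones," + DOMAIN_DN,
}

# fSMORoleOwner values are NTDS Settings DNs; the second RDN is the DC's name.
_NTDS_RE = re.compile(r"^CN=NTDS Settings,CN=([^,]+),", re.IGNORECASE)


def parse_ldif(text):
    """Parse ldbsearch LDIF into a list of {attribute: [values]} dicts.

    Attribute names are lowercased, folded continuation lines (leading space)
    are re-joined and '#' comment lines are skipped. Base64 values ('attr:: ...')
    are not decoded; DN-valued attributes are printed in plain text.
    """
    records, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        records.append(current)
    return records


def role_owners(text):
    """Map each of the seven roles to the name of the DC holding it (None if absent)."""
    wanted = {dn.lower(): role for role, dn in ROLE_OBJECTS.items()}
    owners = dict.fromkeys(ROLE_OBJECTS)
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0].lower()
        if dn in wanted and rec.get("fsmoroleowner"):
            value = rec["fsmoroleowner"][0]
            m = _NTDS_RE.match(value)
            owners[wanted[dn]] = m.group(1) if m else value
    return owners


def decommission_blockers(text, old_dc):
    """Roles that must be moved (or re-checked) before old_dc is switched off for good."""
    blockers = []
    for role, owner in sorted(role_owners(text).items()):
        if owner is None:
            blockers.append((role, "owner not found in ldbsearch output"))
        elif owner.lower() == old_dc.lower():
            blockers.append((role, "still owned by " + owner))
    return blockers


def _owner_dn(dc):
    return ("CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,"
            "CN=Sites,CN=Configuration,%s" % (dc, DOMAIN_DN))


def _record(n, role, dc):
    # ldbsearch folds long values; the continuation line starts with one space.
    head, tail = _owner_dn(dc).split(",CN=Sites,", 1)
    return "# record %d\ndn: %s\nfSMORoleOwner: %s,\n CN=Sites,%s\n" % (
        n, ROLE_OBJECTS[role], head, tail)


# Constructed sample: five roles transferred to DC2, the two DNS roles still on DC1.
SAMPLE_LDIF = "\n".join(
    _record(i + 1, role, dc)
    for i, (role, dc) in enumerate([
        ("pdc", "DC2"), ("rid", "DC2"), ("infrastructure", "DC2"),
        ("schema", "DC2"), ("naming", "DC2"),
        ("domaindns", "DC1"), ("forestdns", "DC1"),
    ])
) + "\n# returned 7 records\n"

if __name__ == "__main__":
    for role, reason in decommission_blockers(SAMPLE_LDIF, "DC1"):
        print("%-15s %s" % (role, reason))
```

On a real DC, concatenate the `ldbsearch` output for the seven DNs in `ROLE_OBJECTS` into one file and pass its contents to `decommission_blockers` with the name of the DC you intend to retire; an empty list means every role, including the two DNS partition roles, already points elsewhere.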

Paul Littlefield
Jan 26, 2015, 11:20:03 AM
On 26/01/15 16:00, L.P.H. van Belle wrote:
> just a suggestion..
>
> get www.xenserver.org install a xen server.
>
> get xen conversion tools. http://www.citrix.nl/downloads/xenserver/tools/conversion.html
>
> and migrate the linux on hardware box to Xen server.
>
> from here you can also export to OVF/OVA package or XVA file.
> the OVF can be imported in virtual box..
>
> but i do everything with xen server.

Hello Louis

Thanks for that.

I am currently trying out Proxmox which (I have to say) rocks.

Of course, I cannot find a nice big button that says "transfer your physical server to this node now".

That would be SO nice.

:)

Paul Littlefield

https://lists.samba.org/archive/samba/2015-January/188609.html