    DC Demotion Question

    IT Discussion
      BRRABill @scottalanmiller

      @scottalanmiller said in DC Demotion Question:

      @BRRABill said in DC Demotion Question:

      @scottalanmiller said in DC Demotion Question:

      @BRRABill said in DC Demotion Question:

      Would I have all the same users and security and stuff as I currently do?

      It's a 100% replacement. No lost features.

      Really. Interesting.

      So I could just replace my AD with Samba4?

      Yes! As long as you've not moved your forest past 2008R2.

      Does being on 2003 count? 🙂

        BRRABill @scottalanmiller

        @scottalanmiller said in DC Demotion Question:

        @BRRABill said in DC Demotion Question:

        Is there some sort of migration tool?

        There is no migration. You just add Samba to the domain and remove Windows. You are not migrating to or from anything.

        What? That can't be possible.

          scottalanmiller @BRRABill

          @BRRABill said in DC Demotion Question:

          @scottalanmiller said in DC Demotion Question:

          @BRRABill said in DC Demotion Question:

          Is there some sort of migration tool?

          There is no migration. You just add Samba to the domain and remove Windows. You are not migrating to or from anything.

          What? That can't be possible.

          Seriously, it's a full AD server, it's not an alternative, it's a drop-in replacement of AD 2008R2.

            scottalanmiller @BRRABill

            @BRRABill said in DC Demotion Question:

            @scottalanmiller said in DC Demotion Question:

            @BRRABill said in DC Demotion Question:

            @scottalanmiller said in DC Demotion Question:

            @BRRABill said in DC Demotion Question:

            Would I have all the same users and security and stuff as I currently do?

            It's a 100% replacement. No lost features.

            Really. Interesting.

            So I could just replace my AD with Samba4?

            Yes! As long as you've not moved your forest past 2008R2.

            Does being on 2003 count? 🙂

            Yup, Samba4 would be a three step upgrade in base AD functionality level for you.

              Reid Cooper

              If things are already that out of date, go with Samba. Skip the Windows updates. Great chance to save money over the long term now that no one is used to having modern Windows options available.

                dafyre

                As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.

                  chrisnbrooks @BRRABill

                  @BRRABill

                  Just throwing some initial thoughts out here while answering morning tickets, so my apologies if I'm misdiagnosing or forgetting something. I went through this process a few years ago, but my recollection is pretty foggy on what all was involved.

                  Could you set up the first virtual as the secondary DC, change JOE's IP and drop him, then set the new secondary virtual with JOE's IP so it takes over as your secondary DC? Once that's been running for a few days to ensure there are no conflicts, repeat the process with BOB?

                    Dashrender @scottalanmiller

                    @scottalanmiller said in DC Demotion Question:

                    @tiagom said in DC Demotion Question:

                    I like to have two in case a service goes down.

                    What happens if you only have one and it goes down? I've had people go for weeks with no AD working and no one noticed because it doesn't cause services to stop working in most cases.

                    I know I'm 17 hours late back to this, but this is amazing to me. They had AD go down for weeks and didn't notice? What was doing DNS for them? I am guessing they weren't using that AD server for DNS, otherwise they would have noticed ASAP. If they weren't using AD for DNS, then why did they even have AD in the first place? Did they really need it? Perhaps they did need it, but not for the end users, but instead for other services, in which case a claim that it was down and no one noticed for weeks would be like saying that the third car you have, which you only drive once a month or less, was broken, but you didn't realize it until you tried to use it, but when telling the story you failed to mention that you drive it less than once a month, making the situation seem more dire.

                      Dashrender @scottalanmiller

                      @scottalanmiller said in DC Demotion Question:

                      @tiagom said in DC Demotion Question:

                      What happens if you are out to lunch, or vacation?

                      Nothing. Because no clients stop working 🙂 The glory of AD, it's easy to make redundant and the redundancy isn't even needed for normal usage. Once clients are authenticated, they stay authenticated.

                      Sure, I suppose this is true for AD itself - but the other services that go along with AD are generally pretty critical.

                      Personally I've never seen AD fail without a whole box failure.

                        Dashrender @BRRABill

                        @BRRABill said in DC Demotion Question:

                        @scottalanmiller said in DC Demotion Question:

                        @BRRABill said in DC Demotion Question:

                        Is there some sort of migration tool?

                        There is no migration. You just add Samba to the domain and remove Windows. You are not migrating to or from anything.

                        What? That can't be possible.

                        Scott's actually been posting this info for a few years now.

                        FYI, I don't think you can sync this to Azure AD though if you wanted single sign-on with O365... but then again, neither would you be able to use your 2003 servers; you'd have to upgrade to Win Server 2012 (R2).

                          scottalanmiller @dafyre

                          @dafyre said in DC Demotion Question:

                          As far as I can tell, you can use the Windows RSAT stuff to manage the SAMBA4 domain controllers, GPOs should work... Dang.. I need to spin one up now, lol.

                          That's correct, because it implements the AD interfaces so all the same tools keep working.

                            scottalanmiller @Dashrender

                            @Dashrender said in DC Demotion Question:

                            I know I'm 17 hours late back to this, but this is amazing to me. They had AD go down for weeks and didn't notice? What was doing DNS for them? I am guessing they weren't using that AD server for DNS, otherwise they would have noticed ASAP. If they weren't using AD for DNS, then why did they even have AD in the first place?

                            DNS failed over to public. That's trivial to do. First DNS is AD1, second DNS is AD2, tertiary is Google.

                              scottalanmiller @Dashrender

                              @Dashrender said in DC Demotion Question:

                              I know I'm 17 hours late back to this, but this is amazing to me. They had AD go down for weeks and didn't notice? What was doing DNS for them? I am guessing they weren't using that AD server for DNS, otherwise they would have noticed ASAP. If they weren't using AD for DNS, then why did they even have AD in the first place? Did they really need it? Perhaps they did need it, but not for the end users, but instead for other services, in which case a claim that it was down and no one noticed for weeks would be like saying that the third car you have, which you only drive once a month or less, was broken, but you didn't realize it until you tried to use it, but when telling the story you failed to mention that you drive it less than once a month, making the situation seem more dire.

                              AD is only needed for normal computing when someone signs on to a computer for the first time and/or when they do an action like changing a password, or if you add an additional dependency onto it. The standard use case for AD has no impact under normal conditions unless your users are regularly moving to new workstations that they have not used anytime recently. So for a normal SMB, AD has no direct impact when down.

                              AD authentication caches on the workstations. So AD Authentication will easily work for weeks or months should AD be down, it's specifically designed for this resiliency.

                              Think of AD like DHCP. If your DHCP has really long leases, no one normally notices even if DHCP is down for days; no one is impacted under normal conditions. But it doesn't mean that DHCP isn't really used, it just is a resilient service that doesn't cause disaster just because one component of the infrastructure is offline for an extended period of time.

                              Under the basic use situations, AD is designed to be able to go offline for an extended period of time with little or no impact. It's how it is designed.

                                scottalanmiller @Dashrender

                                @Dashrender said in DC Demotion Question:

                                FYI, I don't think you can sync this to Azure AD though if you wanted single sign-on with O365... but then again, neither would you be able to use your 2003 servers; you'd have to upgrade to Win Server 2012 (R2).

                                Never looked into that, it might work. The sync tool would need a place to run though.

                                  tiagom

                                  For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

                                    scottalanmiller @tiagom

                                    @tiagom said in DC Demotion Question:

                                    For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

                                    They do, or can, but it isn't fast. Certainly not in the weeks category. It's configurable on each workstation via GPO. But by default, they are designed to let you work offline for a very, very long time. Remember that workers who go out of the office need to be able to keep working on laptops without network access for potentially months by default.

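An added audit script, not code from the thread or from any of the posters, covering the two workstation-side settings discussed above: the cached-logon limit Scott says is set per workstation via GPO, and the AD1 -> AD2 -> public DNS order he describes. It assumes a domain-joined Windows host with the DnsClient module, and reads the Winlogon `CachedLogonsCount` value that backs the "Interactive logon: Number of previous logons to cache" policy.

```powershell
# Added example, not code from the thread. Run elevated on a domain-joined
# Windows host; it reads state only and changes nothing.

# The GPO "Interactive logon: Number of previous logons to cache (in case
# domain controller is not available)" is stored here as a REG_SZ string.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    $item = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows falls back to its built-in default of 10 logons.
        $count  = 10
        $source = 'built-in default'
    } else {
        $count  = [int]$item.CachedLogonsCount
        $source = 'registry (set locally or by GPO)'
    }
    [pscustomobject]@{
        CachedLogonsCount   = $count
        Source              = $source
        # 0 means every interactive logon needs a reachable DC.
        OfflineLogonAllowed = ($count -gt 0)
        # The limit is a count of distinct cached users, not an age; nothing
        # here times a cached verifier out, which matches the thread's finding.
        ExpiryModel         = 'count-based, no time-based expiry'
    }
}

function Get-DnsFailoverOrder {
    # Per-adapter resolver order, so the AD1 -> AD2 -> public chain from the
    # thread can be verified rather than assumed.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Interface     = $_.InterfaceAlias
                ResolverOrder = ($_.ServerAddresses -join ' -> ')
                # A single entry means name resolution, and every service
                # found through it, dies with that one DC.
                HasFallback   = ($_.ServerAddresses.Count -ge 2)
            }
        }
}

Get-CachedLogonPolicy | Format-List
Get-DnsFailoverOrder | Format-Table -AutoSize
```

A workstation reporting `OfflineLogonAllowed = False` or `HasFallback = False` is one whose users would notice a DC outage immediately, which is the scenario the thread says should not happen under default settings.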
                                      coliver @tiagom

                                      @tiagom said in DC Demotion Question:

                                      For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

                                      I don't think, by default, cached credentials expire.

                                        scottalanmiller @coliver

                                        @coliver said in DC Demotion Question:

                                        @tiagom said in DC Demotion Question:

                                        For some reason I thought that cached credentials expire, which is obviously not the case. Don't know where I picked that up from.

                                        I don't think, by default, cached credentials expire.

                                        Maybe they never do. I've got one system that's been off of AD for years and still works on cached creds, but it is 2003.

                                          tiagom

                                          I looked it up before I posted and it doesn't seem possible to make cached credentials expire. That's why I found it so odd that I thought they did expire.

                                            scottalanmiller @tiagom

                                            @tiagom said in DC Demotion Question:

                                            I looked it up before I posted and it doesn't seem possible to make cached credentials expire. That's why I found it so odd that I thought they did expire.

                                            Well I thought that there was a way to expire them, too. That is very weird.
