FreeNAS to replace old Windows Server 2003 Server/Domain?

Status
Not open for further replies.

Metis IT

Dabbler
Joined
Oct 10, 2016
Messages
11
Hello,

I want to use a fresh FreeNAS instance to replace an old, long overdue Windows 2003 server still providing a domain and some file services to its clients, optimally migrating the domain to FreeNAS with no work on clients required. Is this possible?

I was thinking of something along these steps:
  • make FreeNAS a member server of existing w2k3 domain
  • make FreeNAS provide shares for netlogon and user homes same as the old server does
  • FreeNAS takes over FSMO roles from windows server
  • take windows server offline
...but I am not sure how exactly it would need to be done or what to consider, as FreeNAS is running some things on top of FreeBSD. Of course I would do stuff using the root shell... When done I would like to keep doing the administration in the FreeNAS UI.

Any pointers? Thanks in advance.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
When you start talking about taking over FSMO roles, you're talking about changing the FreeNAS server to being a DC in your 2003 domain. I don't think FreeNAS is a good fit for this.

Currently, you're better off using a specialized Linux distribution for this (make sure it has up-to-date and correct packages). Rough steps are:
1) Install and configure a Samba Active Directory Domain Controller per the instructions in the Samba project wiki
2) Perform a DC promo to promote the Samba AD DC to be a domain controller in your AD domain. https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
3) Transfer FSMO roles https://wiki.samba.org/index.php/Transferring_and_Seizing_FSMO_Roles
4) Demote the Windows DC.
 

JohnL7

Dabbler
Joined
May 7, 2018
Messages
17
I would never use a Linux box to handle FSMO roles or be more than a member of a Windows domain. There are too many X factors and possible failure points for it to give me warm fuzzies. I would expect this to require more monitoring and maintenance than just a regular Windows domain controller unless you're a wiz at Linux.
 

mbalsam

Explorer
Joined
Oct 9, 2015
Messages
85
I just went through the same process of replacing a 2003 AD and using FreeNAS Samba.

What I did was to create a new MS 2016 AD. Joined it as a BDC to the domain and then promoted it to PDC. The process is not automatically supported, as 2003 was over 15 years ago. :)

I did find a few YouTube videos documenting how it's done. If you want I can dig them up.

After completing it, I had a hell of a time getting FreeNAS to join that domain, but now it works. The problems are mostly due to lack of documentation of extra manual options that needed to be added to the Active Directory and SMB services.

Funny, I see you just answered one of my questions, as I was writing this. :)

These are some of the issues I had.

0) After you manually migrate your AD to 2016, there is a lot of extra metadata hanging around. You will need to research the metadata cleanup for AD.

1) The weights of all domain controllers are not adjusted in DNS, so when you do

host -t srv _ldap._tcp.YOURCO.net

all ADs are 100. This means if the first one is down, it did not switch over to the others. I've just ignored this issue for now.

2) Debugging permission issues is very confusing. What I found was to set the logging level to full and monitor these log files:
  1. tail -f /var/log/debug.log
  2. tail -f /var/log/samba4/log.smbd
3) You need to be sure to set the users' AD groups to have Domain Users as their primary group.

So, it took a few days, but it is possible. In hindsight, if I did not have a lot of hosts, I would have removed all of my systems from the domain, created a clean 2016 AD and joined everyone to that. In my case it was not possible to do that.

Let me know if I can help. I'm looking for others who have skills to augment my own as support for this is very thin on this forum. :)

Mitch
 
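A check for item 1 in the post above, added here as an example and not code from the thread or from the FreeNAS or Samba projects: it parses the output of `host -t srv _ldap._tcp.<domain>` (priority, weight, port, target per record), lists the order in which clients would try the DCs per RFC 2782 (lowest priority first; weight only balances load among equal priorities), and flags any DC whose LDAP port does not answer, so you can see whether the first choice in DNS is actually the server that is down. The domain and DC hostnames in the sample output are constructed placeholders.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of what `host -t srv _ldap._tcp.yourco.net` prints
# (priority weight port target). Hostnames are placeholders, not real DCs.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.yourco.net has SRV record 0 100 389 dc-old-2003.yourco.net.
_ldap._tcp.yourco.net has SRV record 0 100 389 dc-new-2016.yourco.net.
_ldap._tcp.yourco.net has SRV record 0 100 389 dc-samba.yourco.net.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<priority>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+?)\.?$"
)


@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_host_srv(output: str) -> List[SrvRecord]:
    """Parse `host -t srv` output; lines that are not SRV records are skipped."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue  # e.g. "Host ... not found" or blank lines
        records.append(SrvRecord(m["name"], int(m["priority"]), int(m["weight"]),
                                 int(m["port"]), m["target"]))
    return records


def client_order(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782 order: lower priority first. Equal priorities are really chosen
    at random in proportion to weight; sorted by weight then name here so the
    report is deterministic."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, timed out
        return False


def report(records: List[SrvRecord],
           probe: Callable[[str, int], bool] = tcp_reachable) -> Dict:
    """Summarize how DNS would steer clients and which DCs currently answer."""
    ordered = client_order(records)
    up = [r.target for r in ordered if probe(r.target, r.port)]
    down = [r.target for r in ordered if r.target not in up]
    return {
        "order": [r.target for r in ordered],
        "all_equal_priority": len({r.priority for r in ordered}) == 1,
        "all_equal_weight": len({r.weight for r in ordered}) == 1,
        "up": up,
        "down": down,
        # The DC that DNS ordering puts first is one of the unreachable ones.
        "first_choice_down": bool(ordered) and ordered[0].target in down,
    }


if __name__ == "__main__":
    # Stand-alone run: probe the (placeholder) targets for real.
    for key, value in report(parse_host_srv(SAMPLE_HOST_OUTPUT)).items():
        print(f"{key}: {value}")
```

In practice pipe the real command output in (`host -t srv _ldap._tcp.yourco.net | python3 this_script.py` with a small `sys.stdin.read()` in place of the sample), and run it from a client subnet so the port probe reflects what the clients see. The `probe` parameter exists so the reachability check can be swapped for a stub when you only want to inspect the DNS side.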

mbalsam

Explorer
Joined
Oct 9, 2015
Messages
85
Forgot the main issue that stopped me. You must be sure that the time is synced on all DCs, as otherwise the authentication and account creation process fails, without sufficient clarity as to its cause.
 