Univention AD Takeover
From Univention Wiki
UCS 3.1 introduced support for the takeover of user, groups and computer objects as well as Group Policy Objects (GPOs) from a Microsoft Active Directory (AD) domain. The takeover is an interactive process initiated from the command line consisting of three distinct phases:
- Joining the UCS domain controller into the Active Directory domain
- Manual copying of the group policy files from the AD SYSVOL share to UCS
- Deactivation of the AD server und assignment of all FSMO roles to the UCS DC
The following requirements must be met for the takeover:
- The UCS DC needs to be installed with a unique hostname, not used in the AD domain.
- The UCS DC needs to be installed with the same DNS domain name, NetBIOS (pre-Windows 2000) domain name and Kerberos realm as the AD domain. It is also recommended to configure the same LDAP base DN.
- The UCS DC needs to be installed with a unique IPv4 address in the same IP subnet as the AD domain controller that is used for the takeover (an IPv4 network is currently required)
The univention-ad-takeover script is installed as a part of the package univention-s4-connector and needs to be run as root on the domain controller that runs the Univention S4 Connector (usually the master domain controller).
The following steps are strongly recommended before attempting the AD takeover:
- A backup of the AD server(s) should be performed. If the AD server is running on a virtualization solution, a snapshot should be made. The snapshot allows for a flexible and safe restore of the original AD server in case of unforeseeable obstacles.
- In a default installation the Administrator account of the AD server is deactivated. It should be activated in the local user management module.
The activation of the Administrator account on the AD server is recommended because this account has all the required rights to copy the GPO sysvol files in phase II of the process. This can be achieved by means of the "Active Directory Users and Computers" module or by running the following two commands:
net user administrator /active:yes net user administrator <password>
where <password> needs to be replaced by the actual password. To simplify matters it is recommended to set the same password for the Administrator account on AD server as the corresponding account in the UCS domain. In case different passwords are used, the password that was set last, will be the one that is finally valid after the takeover process (timestamps are compared for this).
- If user logins are possible (e.g. through domain logins or terminal server sessions) it is recommended to deactivate them
- It is also recommended to stop any services in the AD domain, which deliver data, e.g. mail servers.
The last two points ensure that no data is lost in case of a rollback to the original snapshot/backup.
Installation of the UCS system
We now need to install the UCS domain, where the Active Directory data is migrated to. Instructions for installing UCS can be found in the quick start guide.
The DNS domain name must be set to the DNS domain name of the Active Directory domain. The hostname and the IP address of the UCS system must be different from the AD server. The IP address must be in the same subnet of the Active Directory server, where the data is read from.
For the initial takeover only one system is installed, a master domain controller. After successful migration additional Samba domain controllers can be added.
All settings in Samba 4 on the UCS domain controller will be removed by the takeover process and replaced by the data of the Active Directory domain.
AD Takeover Phase I
The takeover is initiated on the UCS domain controller that runs the S4 Connector. By default this is the fist UCS DC that was installed with Samba 4 / Active Directory services (usually the master domain controller).
During the takeover process Samba 4 must only run on this UCS system. If other Samba 4 domain controllers have been added to the UCS domain, they need to be stopped!
This can be achieved by logging into each of the other UCS domain controllers as root user and running
This is important to avoid data corruption by mixing directory data taken over from Active Directory with Samba 4 directory data replicated from other UCS domain controllers. Finally, after the AD takeover is finished, all other UCS domain controllers offering Samba 4 / Active Directory services will need to be re-joined.
After ensuring that only the S4 Connector host runs Samba 4, the takeover process can be started on this UCS domain controller. If the UCS domain was installed initially with an UCS version before UCS 3.2, the following UCR variable needs to be set first:
ucr set connector/s4/mapping/group/grouptype=false
The takeover process can be started from the command line by running the following command as the root user:
univention-ad-takeover <IP of the AD server>
The script will try to access the LDAP directory of the specified Active Directory server. If no additional options are provived, the script will ask for the password of the Administrator account on the AD server. By adding the -U option a different member account of the Active Directory group Domain Admins can be used.
In phase I of the process the script
- ensures that the AD domain controller can be accessed
- adjusts the system time of the UCS system to the system time of the Active Directory domain controller in case they differ by more than three minutes.
- joins the UCS domain controller into the Active Directory domain
- starts Samba 4 and the UniventionS4 connector to replicate the Active Directory objects into the UCS OpenLDAP directory
- finally reports the successful completion of phase I and gives instructions for phase II
The script report is shown on the terminal output and logs additional detailed information to a logfile (/var/log/univention/ad-takeover.log).
AD Takeover Phase II
With the completion of phase I the UCS domain controller now contains all users, groups and computers of the Active Directory domain. This is required for the correct takeover of permissions of the files and directories that will be copied in phase II.
This phase requires to log onto the Active Directory domain controller as the Administrator. There a command needs to be started to copy the group policy files from the Active Directory system volume share to the UCS system volume share. (The system volume share contains data required for user logins, such as group policy data and logon scripts).
For convenience the univention-ad-takeover script prints this command line to the screen at the end of phase I:
net use \\UCSDCNAME\sysvol /USER:Administrator robocopy /mir /sec /z \\ADDCName\sysvol \\UCSDCName\\sysvol
It may be necessary to install the required robocopy tool, which is part of the Windows Server 2003 Resource Kit Tools. On Windows 2008 [R2] the tool is already installed.
Note: The "/mir" option of robocopy mirrors the specified source directory to the destination directory. Please be aware that if you delete data in the source directory and execute this command a second time, this data will also be deleted in the destination directory.
After successful completion of this step, it is now necessary to shutdown all AD domain controllers of the Active Directory domain.
AD Takeover Phase III
After completing phase II by switching off the AD server(s), the takeover process proceeds on the command line of the UCS domain controller, where the univention-ad-takeover kept waiting to continue with phase III.
After confirmation of the command line prompt, the univention-ad-takeover script ensures that the AD server is not accessible any longer. This is important, because the script will claim all FSMO roles for the UCS domain controller to finalise the AD takeover process.
In phase III of the process the script
- takes over the name of the Active Directory domain controller as an alias in the UCS DNS server
- configures the IP address of the Active Directory domain controller as a virtual ethernet interface
- performs some cleanup, e.g. removal of the domain controller account and related objects in the Samba 4 SAM account database.
- claims all FSMO roles for the UCS domain controller
- finally restarts Samba 4 and DNS server
Required tasks after the takeover
After completion of the AD Takeover script the following steps are required:
- The domain function level needs to be checked by running the following command:
samba-tool domain level showIn case this command returns the message
ATTENTION: You run SAMBA 4 on a forest function level lower than Windows 2000 (Native).the following commands should be run to fix this:
samba-tool domain level raise --forest-level=2003 --domain-level=2003 samba-tool dbcheck --fix --yes
- In case there has been more than one Active Directory domain controller in the original Active Directory domain, all their host accounts must be removed in the Computers module of the Univention Management Console.
- If more than one UCS domain controller with Samba 4 has been installed, these servers need to be re-joined
- All Windows clients need to be rebooted
- In case there have been more than one Active Directory domain controller in the original Active Directory domain, remove all their accounts from the Samba 4 SAM database. This may be done by logging on to a migrated Windows client as domain Administrator and running the Active Directory Users and Computers tool.
Tests after the takeover
It is recommended to perform thorough tests with Windows client systems, e.g.
- login to a migrated client as a migrated user
- login to a migrated client as the UCS Administrator
- access to Samba 4 with the Active Directory Users and Computers tool
- start of the Windows Group Policy Managment Console (GPMC)
- join of a new windows client
- creation of a new UCS user and login to a windows client