Univention AD Takeover
From Univention Wiki
UCS 3.1 introduces support for the takeover of user and computer objects as well as group and group policy objects from a Microsoft Active Directory (AD) domain. The takeover is an interactive process initiated from the command line that has three distinct phases:
- Join of the UCS domain controller into the Active Directory domain
- Manual copy of the GPO files from the AD sysvol share to UCS
- Deactivation of the AD server und assignement of all FSMO roles to the UCS DC
The following requirements must be met for the takeover:
- The UCS DC needs to be installed with a unique hostname, not used in the AD domain.
- The UCS DC needs to be installed with the same DNS domain and Kerberos Realm as the AD domain. It is also recommended to configure the same LDAP Base DN.
- The UCS DC needs to be installed with a unique IPv4 address in the same IP subnet as the AD domain controller that is used for the takeover.
- Currently the takover requires an IPv4 network.
The actual univention-ad-takeover script is installed as a part of the package univention-s4-connector and needs to be run on the domain controller that runs the Univention S4 Connector.
The following steps are strongly recommended before attempting the AD takeover:
- Backup of the AD server(s).
- Setup of a clone of the AD server that shall be used for the takeover. The use of virtualization technology may be very helpful for this. The cloned system allows for a flexible and safe re-activation of the original AD server in case of time shortage or unforeseeable obstacles.
- Installation of an UCS domain with the same DNS domain and Kerberos Realm as the AD domain. A UCS DC Master needs to be installed as the first UCS system. The UCS systems need to have unique hostnames and unique IPv4 addesses. The first system installed with Samba 4 / Active Directory support needs to have an IP-Address in the subnet of the Active Directory domain controller used for takeover.
- Activation of the "Administrator" account in the AD server
- Deactivation of user access to the AD domain.
- Deactivation of services in the AD domain that deliver data, such as mail servers.
The last two points ensure that the cloned system does not gather data that might be lost in the case of re-activation of the original AD server.
The activation of the "Administrator" account on the AD server is recommended because this account has all the required rights to copy the GPO sysvol files in phase II of the process. This can be achieved by means of the "Active Directory Users and Computers" tool or by running the following two commands:
net user administrator /active:yes net user administrator <password>
where "<password>" needs to be replaced by the actual password. To simplify matters it is recommended to set the same password for the Administrator account on AD server as the corresponding account in the UCS domain. In case different passwords are used, the password that was set last, will be the one that is finally vaid after the takeover process (timestamps are compared).
All settings in Samba 4 on the UCS domain controllers will be removed by the Univention AD Takeover and replaced by the settings of the Active Directory domain. The takeover will be initiated on the UCS domain controller that runs the S4 Connector. By default this is the fist UCS DC that was installed with Samba 4 / Active Directory services. In most cases this will be the UCS DC Master. During the takeover process Samba 4 must only run on this UCS System. On all other UCS DCs Samba 4 needs to be stopped. This is important to avoid data corruption by mixing directory data taken over from Active Directory with Samba 4 directory data replicated from other UCS domain controllers. Finally, after the AD takeover is finished, all other UCS domain controllers offering Samba 4 / Active Directory services will need to be re-joined.
AD Takeover Phase I
The takeover needs to be initiated on the UCS domain controller that runs the S4 Connector. By default this is the fist UCS DC that was installed with Samba 4 / Active Directory services. In most cases this will be the UCS DC Master. During the takeover process Samba 4 must only run on this UCS System. On all other UCS DCs Samba 4 must be stopped.
The takeover process is initiated from the command line by running
univention-ad-takeover <IP of the AD server>
The script will try authenticated LDAP-access to the given AD server IP. Without any additional options it will ask for the password of the "Administrator" account on the AD server. By adding the "-U" option a different member account of the Active Directory "Domain Admins" group can be used in this phase.
In phase I of the process the script
- ensures accessability of the AD domain controller
- Advances the system time of the UCS system to the system time of the Active Directory domain controller in case they difeer by more that 4 minutes.
- joins the UCS DC into the AD domain
- starts Samba 4 and the S4-Connector to replicate the AD objects into the UCS OpenLDAP backend that is used for web driven domain administration.
- finally reports success of phase I and gives intructions for phase II
The script reports progress to the console screen output and logs additional detailed information to a logfile (/var/log/univention/ad-takeover.log).
AD Takeover Phase II
With the completion of phase I the UCS DC now copied all users, groups and computers of the AD domain. This is required for the correct takeover of permissions of the files and directories the will be copied in phase II. This phase requires the Administrator to log onto the Active Directory domain controller and type in a single command line to copy the Group Policy files from the AD sysvol share to the UCS sysvol share. For convenience the univention-ad-takeover script prints this command line to the screen at the end of phase I:
robocopy /mir /sec /z \\ADDCName\sysvol \\UCSDCName\\sysvol
It may be necessary to install the required robocopy tool, which is part of the Windows Server 2003 Resource Kit Tools.
After successful completion of this step, it is necessary to finally turn off all AD domain controllers of the AD domain
AD Takeover Phase III
After completing phase II by switching off the AD server, the Administrator returns to the command line of the UCS domain controller, where the univention-ad-takeover kept waiting to continue with phase III. After confirmation of the command line prompt, the univention-ad-takeover script ensures that the AD server is not accessible any longer. This is important, because the script will claim all FSMO roles for the UCS domain controller to finalize the AD takeover process.
In phase III of the process the script
- takes over the name of the Active Directory domain controller as an alias in the UCS DNS server
- configures the IP address of the Active Directory domain controller as a virtual ethernet interface
- performs some clean up, e.g. removal of the domain controller account and related objects in the Samba 4 SAM account database.
- claims all FSMO roles for the UCS domain controller
- finally restarts Samba 4 and DNS server
Post Takeover Tasks
After completion of the AD Takeover script the following steps are required:
- In case there have been more than one Active Directory domain controller in the original Active Directory domain, remove all their accounts from the UCS OpenLDAP. This may be done by means of the Univention Management Console.
- Re-join all other UCS domain controllers that are running Samba 4
- reboot all windows client systems.
- In case there have been more than one Active Directory domain controller in the original Active Directory domain, remove all their accounts from the Samba 4 SAM database. This may be done by logging on to a migrated Windows client as domain Administrator and running the "Active Directory Users and Computers" tool.
After that it is recommended to perform thorough tests with the Windows client systems, e.g.
- login to a migrated client as a migrated user
- login to a migrated client as UCS Domain Administrator
- access to Samba 4 with the "Active Directory Users and Computers" tool
- start of the Windows Group Policy Managment Console (GPMC)
- join of a new windows client
- creation of a new UCS user and login to a windows client