Re: Connection to a SAMBA Active Directory



Currently, we can't get the 2-way trust going, so there's no connection
between the 2 domains.

If we cannot get the trust going, I would install an Exchange server in a
separate Windows 2003 AD, manually create the users and give them passwords.
I would then install Outlook 2003 on each desktop (which is on a computer in
the OLD domain). When the user initially launches Outlook, Exchange would
prompt for the userid/password in the new AD domain.

My question is, how EXACTLY does a user in this environment change his
password on the new domain? You say that it can be done via Outlook. Where
exactly is that done??

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:Oii2TKmlGHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
They could logon to the domain via Outlook which would also allow them to
change their password.

How'd the name resolution and time sync come out? What did you do to
address those?

"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:0qGmg.3812$MF6.748@xxxxxxxxxxxxxxxxxxxxxxx
We are really stuck on the 2-way trust from the SAMBA side. Does anyone
know how to get the trust working?

If I can't get the trust to work, I don't think having the users in one
domain and the Exchange server in another domain will work. I can
manually build the Exchange accounts (there are only about 80 users), and
give them each a password, but I don't know if there's any way for the
users to change their Exchange password, since they don't ever logon to
the new AD domain. Am I missing something??

Also, if I can't get the trust to work, I don't think myh
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:%23IZU9mOkGHA.1324@xxxxxxxxxxxxxxxxxxxxxxx
Hmm...
Name resolution and time sync are going to be big things you need to
deal with. For starters, why are you creating single records? Consider
using stub zones or using a secondary server and replicating the zone to
the other environment - both ways. No need for A RRs etc.

Once that's done, keep in mind that shortname is likely something you'll
need. You may need to create a shortname record for BANDMERCH in his
zone. Set up your suffix search to include ca.xxx.net. Why? Not because
you have to, (DNS resolution should be enough for a realm trust and is
even preferred) but because you should be able to resolve all of both
domains with shortname style. Best to get it out of the way.

Time sync. I can't stress enough how important it is that both are
using the same time source.

Let me know where you end up after that. Pretty much, you want to treat
the samba domain as if it's a NT4 domain. First things first however.

Al

"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:b4kkg.1758$MF6.1451@xxxxxxxxxxxxxxxxxxxxxxx
Here's how I've decided to proceed. Please let me know your thoughts:

1. I built a new Windows 2003 Server in a brand new domain (bm.local).
2. I installed Exchange 2003 SP2 on the new server.
3. I have added a new zone to the Windows DNS pointing to the old dns
domain ca.xxx.net and added an A record pointing to the domain
controller "linus"
4. I am able to define a 2 way Realm trust using the Active Directory
Domains and Trusts tool.
5. The linux guy is having a problem with the trust on the other side.
Since I don't know how to do DNS stuff on the Linux side, I can't help
him. He put an A record in his DNS pointing to exchange.bm.local, and
he can ping, but he can't create a trust since the domain bm.local is
not defined. What type of record corresponds to the "new zone" concept
in the Windows world? Is there such a thing?
6. There is a bit of confusion on the SAMBA side. The DNS domain is
ca.xxx.net, but the Windows domain name (NT domain name) is bandmerch.
Since there is no .com or .local qualified, I cannot set up a trust
with BANDMERCH, but rather need to use the domain name ca.xxx.net.

I am able to manually create users in the new bm.local domain, and then
connect the Outlook clients to it (by manually entering the
bm\userid/password combo).

Has anyone been able to make the necessary modifications to the linux
dns and created a trust so that I can proceed??

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:%23qG%23BjojGHA.1552@xxxxxxxxxxxxxxxxxxxxxxx
That's likely true, although SAMBA will make it look like it's just another
Winnt4 domain controller machine and does have some interactions with
Active Directory and has some LDAP (which in theory can hold whatever
schema it wants to); can be pretty slick actually. Newer versions of
Samba look even more like AD. Good enough to let some deployments
have mixed mode multi-functional etc domains/forests, etc, that
include some Active Directory components but not enough to deploy
Exchange. Exchange requires (requires; as in it is not an option
whether or not to include Active Directory) Active Directory. It's
recommended that it be native mode/DFL 2003, whatever the latest
marketing message is able to handle universal groups.

If you were to have a deployment that had an Active Directory DC that
held all the roles etc, and off that a sub-domain or child domain of
that parent that was SAMBA, I'm not sure anybody would care. Sure
it's not supported, but... But if you tried to have AD be in the SAMBA
domain, I'm thinking you'll run into the issues as John points out and
won't be able to deploy and maintain SAMBA in that domain. SAMBA's a
hack designed to let you run NT 4 style domains. It was updated,
but....

I don't think you're a moron (original poster) for what it's worth.
It's very confusing what will integrate and how. There's a ton of
documentation about all of this, but it's not typically very clear
especially coming from the direction and background you're coming
from. I suspect years from now somebody from Microsoft will come out
with a great set of bluebooks and say something along the lines of,
"Yeah, the documentation around this was horrible in the past. That's
all fixed in this 1.0 release of ...." Or something similar.

Here's an example of the confusion that gets caused, "
A more scalable domain control authentication backend option might use
Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
for both options as a domain member server. As a PDC, Samba-3 is not
able to provide an exact alternative to the functionality that is
available with Active Directory. Samba-3 can provide a scalable
LDAP-based PDC/BDC solution. " Clear right? I got that from
http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html#id2524167

In the end, you'll have to deploy Active Directory. You would be best
served to use a fresh installation-and-migration approach vs. trying
to install in the same SAMBA domain. It's a little more work yes.
However, it allows for your clients to learn the product (they think
they know now I'm sure, but then, why bother with you? :) and it
allows for a clean start. Believe me, with Exchange and Active
Directory, you'll want that especially in an environment where they're
likely to be hostile towards Microsoft products at some level or at
the very least, wary and wondering why they are told to deploy it.

A domain trusted domain might work, but I'd strongly suggest they just
consider one for simplicity's sake. And be sure to recommend that they
deploy at least two DC/GC's! The use of Centrify or Vintela software
might ease the integration somewhat as well.

Good luck.

Al

"John Fullbright [MVP]" <fjohn@donotspamnetappdotcom> wrote in message
news:ejn9YsRjGHA.4716@xxxxxxxxxxxxxxxxxxxxxxx
I suspect it's the ldap server that ships with Linux and other
eunuchs. You often see it in combination with sendmail.

Not a chance.


"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:VQDig.10186$Z67.790@xxxxxxxxxxxxxxxxxxxxxxx
Sorry to sound like such a moron, but I've never heard of this
environment. I'm strictly a Windows person.

Are you saying that you don't think I can add into that environment
a 2nd domain controller on a real Windows box and have it replicate?
And then change the schema via ForestPrep and DomainPrep?

Thanks.
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:egyx4eAjGHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
Wow. Such a contradiction in terms it's really hard to know where
to begin. There is no such thing as a SAMBA active directory.
SAMBA is an emulator and as such will emulate to the best of its
ability. It will be deficient in some areas.

I would not suggest to the client that this is OK. Far from it
because if you get it to work (doubtful) you'll leave them in an
awkward state where they can't get support. Exchange is only
supported on Active Directory. That's it. Nothing else. Not ADAM,
not LDAP, but Active Directory.

That said, you *might* have some luck with option 4: create a new
AD forest, deploy Exchange into it and allow them to logon by
presenting credentials at logon to the mailbox data. RPC/HTTP is a
likely protocol to explore.

The reverse could also be done, and by that I mean migrate their
workstations, servers, mac's, and nix boxes to the AD and then
install Exchange in there.

Al




"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:oIiig.10090$Z67.5300@xxxxxxxxxxxxxxxxxxxxxxx
I have a new client who wants me to install an Exchange server in
their infrastructure. They currently have a simulated AD using
Samba to front end a Linux-based LDAP directory. They have about 50
XP Pro workstations that log into the domain. There are also 2
Windows member servers in the domain. In addition, they have about
5 Macs and 10 Linux desktop machines.

Does anyone have experience in this area? Will I be able to
install an Exchange server in the existing infrastructure? I
figure I have 3 options.

1. Install Windows 2003 Server. Join the existing domain. Install
AD on the new Windows 2003 Server. See if it replicates. Try to
install Exchange 2003 Server. If the domainprep and forestprep
work, then everything should be OK (theoretically).

2. If the above fails, install Windows 2003 Server, create a new
domain. See if I can create a 2-way trust between the SAMBA domain
and the new domain. If that works, then proceed with Exchange
installation and migrate accounts over via ADMT.

3. If 2 fails, install Windows 2003 Server, create a new domain.
Create new accounts on new domain either manually or via LDIF
export from existing LDAP. Have users give new domain credentials
when they launch Outlook or Outlook Web Access.

Am I on the right track? Does anyone have any different or better
ideas?

Thanks.
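As an added example, not from any poster in this thread: BIND named.conf fragments for the Linux side that implement Al's "stub zone or secondary zone, replicated both ways" suggestion, which is the Linux counterpart of the "new zone" Paul created on the Windows DNS. The IP addresses are constructed placeholders; the Windows-side commands in the comments are the standard dnscmd equivalents of the DNS console actions.

```conf
// Added example, not from the thread. Assumptions: the Windows DNS/DC for
// bm.local listens on 192.0.2.10 and the Linux BIND server ("linus") on
// 192.0.2.20; both addresses are constructed placeholders.

// --- Linux side (BIND named.conf): make bm.local resolvable here ---

// Option A: stub zone. BIND pulls only the SOA/NS records (plus glue) for
// bm.local and refers queries to the Windows DNS server for everything
// else. Works without enabling zone transfers on the Windows side.
zone "bm.local" {
    type stub;
    masters { 192.0.2.10; };
    file "stub/bm.local.db";
};

// Option B: secondary (slave) zone. A full copy of bm.local is transferred
// and served locally. The Windows side must first permit zone transfers to
// 192.0.2.20 (Zone Properties -> Zone Transfers, or
// dnscmd /ZoneResetSecondaries bm.local /SecureList 192.0.2.20).
// Use either A or B for a given zone, never both.
// zone "bm.local" {
//     type slave;
//     masters { 192.0.2.10; };
//     file "slaves/bm.local.db";
// };

// --- Reverse direction: let the Windows DNS learn ca.xxx.net from here ---
// Transfers are restricted to the Windows server only. If Windows instead
// hosts a stub zone for ca.xxx.net (dnscmd /ZoneAdd ca.xxx.net /Stub
// 192.0.2.20), no transfer permission is needed at all.
zone "ca.xxx.net" {
    type master;
    file "master/ca.xxx.net.db";
    allow-transfer { 192.0.2.10; };
};
```

After reloading, confirm from each side that the other domain's DC resolves by FQDN before retrying the realm trust; the short-name (BANDMERCH) and suffix-search points Al raises are separate client-side settings not covered here.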