Re: Connection to a SAMBA Active Directory



They could logon to the domain via Outlook which would also allow them to
change their password.

How'd the name resolution and time sync come out? What did you do to address
those?

"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:0qGmg.3812$MF6.748@xxxxxxxxxxxxxxxxxxxxxxx
We are really stuck on the 2-way trust from the SAMBA side. Does anyone
know how to get the trust working?

If I can't get the trust to work, I don't think having the users in one
domain and the Exchange server in another domain will work. I can manually
build the Exchange accounts (there are only about 80 users), and give them
each a password, but I don't know if there's any way for the users to
change their Exchange password, since they don't ever logon to the new AD
domain. Am I missing something??

Also, if I can't get the trust to work, I don't think myh
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:%23IZU9mOkGHA.1324@xxxxxxxxxxxxxxxxxxxxxxx
Hmm...
Name resolution and time sync are going to be big things you need to deal
with. For starters, why are you creating single records? Consider using
stub zones or using a secondary server and replicating the zone to the
other environment - both ways. No need for A RR's etc.

Once that's done, keep in mind that shortname is likely something you'll
need. You may need to create a shortname record for BANDMERCH in his
zone. Setup your suffix search to include ca.xxx.net. Why? Not because
you have to, (DNS resolution should be enough for a realm trust and is
even preferred) but because you should be able to resolve all of both
domains with shortname style. Best to get it out of the way.

Time sync. I can't stress enough how important it is that both are using
the same time source.

Let me know where you end up after that. Pretty much, you want to treat
the samba domain as if it's a NT4 domain. First things first however.

Al

"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:b4kkg.1758$MF6.1451@xxxxxxxxxxxxxxxxxxxxxxx
Here's how I've decided to proceed. Please let me know your thoughts:

1. I built a new Windows 2003 Server in a brand new domain (bm.local).
2. I installed Exchange 2003 SP2 on the new server.
3. I have added a new zone to the Windows DNS pointing to the old dns
domain ca.xxx.net and added an A record pointing to the domain
controller "linus"
4. I am able to define a 2 way Realm trust using the Active Directory
Domains and Trusts tool.
5. The linux guy is having a problem with the trust on the other side.
Since I don't know how to do DNS stuff on the Linux side, I can't help
him. He put an A record in his DNS pointing to exchange.bm.local, and he
can ping, but he can't create a trust since the domain bm.local is not
defined. What type of record corresponds to the "new zone" concept in
the Windows world? Is there such a thing?
6. There is a bit of confusion on the SAMBA side. The DNS domain is
ca.xxx.net, but the Windows domain name (NT domain name) is bandmerch.
Since there is no .com or .local qualified, I cannot set up a trust with
BANDMERCH, but rather need to use the domain name ca.xxx.net.

I am able to manually create users in the new bm.local domain, and then
connect the Outlook clients to it (by manually entering the
bm\userid/password combo).

Has anyone been able to make the necessary modifications to the linux
dns and created a trust so that I can proceed??

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:%23qG%23BjojGHA.1552@xxxxxxxxxxxxxxxxxxxxxxx
That's likely true, although SAMBA will make it look like it's just another
Winnt4 domain controller machine and does have some interactions with
Active Directory and has some LDAP (which in theory can hold whatever
schema it wants to); can be pretty slick actually. Newer versions of
Samba look even more like AD. Good enough to let some deployments have
mixed mode multi-functional etc domains/forests, etc, that include some
Active Directory components but not enough to deploy Exchange. Exchange
requires (requires; as in it is not an option whether or not to include
Active Directory) Active Directory. It's recommended that it be native
mode/DFL 2003, whatever the latest marketing message is able to handle
universal groups.

If you were to have a deployment that had an Active Directory DC that
held all the roles etc, and off that a sub-domain or child domain of
that parent that was SAMBA, I'm not sure anybody would care. Sure it's
not supported, but... But if you tried to have AD be in the SAMBA
domain, I'm thinking you'll run into the issues as John points out and
won't be able to deploy and maintain SAMBA in that domain. SAMBA's a
hack designed to let you run NT 4 style domains. It was updated,
but....

I don't think you're a moron (original poster) for what it's worth.
It's very confusing what will integrate and how. There's a ton of
documentation about all of this, but it's not typically very clear
especially coming from the direction and background you're coming from.
I suspect years from now somebody from Microsoft will come out with a
great set of bluebooks and say something along the lines of, "Yeah, the
documentation around this was horrible in the past. That's all fixed in
this 1.0 release of ...." Or something similar.

Here's an example of the confusion that gets caused, "A more scalable
domain control authentication backend option might use
Microsoft Active Directory or an LDAP-based backend. Samba-3 provides
for both options as a domain member server. As a PDC, Samba-3 is not
able to provide an exact alternative to the functionality that is
available with Active Directory. Samba-3 can provide a scalable
LDAP-based PDC/BDC solution." Clear right? I got that from
http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html#id2524167

In the end, you'll have to deploy Active Directory. You would be best
served to use a fresh installation-and-migration approach vs. trying to
install in the same SAMBA domain. It's a little more work yes.
However, it allows for your clients to learn the product (they think
they know now I'm sure, but then, why bother with you? :) and it allows
for a clean start. Believe me, with Exchange and Active Directory,
you'll want that especially in an environment where they're likely to
be hostile towards Microsoft products at some level or at the very
least, wary and wondering why they are told to deploy it.

A domain trusted domain might work, but I'd strongly suggest they just
consider one for simplicity's sake. And be sure to recommend that they
deploy at least two DC/GC's! The use of Centrify or Vintella software
might ease the integration somewhat as well.

Good luck.

Al

"John Fullbright [MVP]" <fjohn@donotspamnetappdotcom> wrote in message
news:ejn9YsRjGHA.4716@xxxxxxxxxxxxxxxxxxxxxxx
I suspect it's the ldap server that ships with Linux and other eunuchs.
You often see it in combination with sendmail.

Not a chance.


"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:VQDig.10186$Z67.790@xxxxxxxxxxxxxxxxxxxxxxx
Sorry to sound like such a moron, but I've never heard of this
environment. I'm strictly a Windows person.

Are you saying that you don't think I can add into that environment a
2nd domain controller on a real Windows box and have it replicate?
And then change the schema via ForestPrep and DomainPrep?

Thanks.

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:egyx4eAjGHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
Wow. Such a contradiction in terms it's really hard to know where
to begin. There is no such thing as a SAMBA active directory. SAMBA
is an emulator and as such will emulate to the best of its ability.
It will be deficient in some areas.

I would not suggest to the client that this is OK. Far from it
because if you get it to work (doubtful) you'll leave them in an
awkward state where they can't get support. Exchange is only
supported on Active Directory. That's it. Nothing else. Not ADAM,
not LDAP, but Active Directory.

That said, you *might* have some luck with option 4: create a new AD
forest, deploy Exchange into it and allow them to logon by
presenting credentials at logon to the mailbox data. RPC/HTTP is a
likely protocol to explore.

The reverse could also be done, and by that I mean migrate their
workstations, servers, mac's, and nix boxes to the AD and then
install Exchange in there.

Al




"Paul Goldman" <paulgoldman1948@xxxxxxxxxxx> wrote in message
news:oIiig.10090$Z67.5300@xxxxxxxxxxxxxxxxxxxxxxx
I have a new client who wants me to install an Exchange server in
their infrastructure. They currently have a simulated AD using Samba
to front end a Linux-based LDAP directory. They have about 50 XP Pro
workstations that log into the domain. There are also 2 Windows
member servers in the domain. In addition, they have about 5 Macs
and 10 Linux desktop machines.

Does anyone have experience in this area? Will I be able to install
an Exchange server in the existing infrastructure? I figure I have
3 options.

1. Install Windows 2003 Server. Join the existing domain. Install
AD on the new Windows 2003 Server. See if it replicates. Try to
install Exchange 2003 Server. If the domainprep and forestprep
work, then everything should be OK (theoretically).

2. If the above fails, install Windows 2003 Server, create a new
domain. See if I can create a 2-way trust between the SAMBA domain
and the new domain. If that works, then proceed with Exchange
installation and migrate accounts over via ADMT.

3. If 2 fails, install Windows 2003 Server, create a new domain.
Create new accounts on new domain either manually or via LDIF
export from existing LDAP. Have users give new domain credentials
when they launch Outlook or Outlook Web Access.

Am I on the right track? Does anyone have any different or better
ideas?

Thanks.
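
The "new zone" question and the stub-zone/secondary suggestion discussed in this thread, shown as an added example that is not part of the original posts. It assumes the Linux DNS server for ca.xxx.net runs BIND 9 (the thread does not say which server is used); 192.0.2.10 is a placeholder for the Windows DNS server's address, and the file names are made up.

```conf
// named.conf fragment on the Linux DNS server (assumed to be BIND 9).
// A "zone" statement is the counterpart of adding a new zone in Windows DNS:
// it makes the whole bm.local namespace resolvable, rather than the single
// A record for exchange.bm.local.

// Option A: stub zone. Only the NS/SOA data for bm.local is copied; every
// other lookup (including the SRV records the domain controller publishes)
// is answered by the Windows DNS server listed in "masters".
zone "bm.local" {
    type stub;
    masters { 192.0.2.10; };      // placeholder: Windows DNS server for bm.local
    file "stub/bm.local.stub";    // assumed path under the BIND working directory
};

// Option B: secondary zone. The full zone is replicated, so the Windows DNS
// server must permit zone transfers to this host. Use instead of Option A,
// not together with it (one zone statement per zone name).
//
// zone "bm.local" {
//     type slave;
//     masters { 192.0.2.10; };
//     file "slaves/bm.local.db";
// };
```

The same is needed in the other direction: the Windows DNS server gets a stub or secondary zone for ca.xxx.net pointing at the Linux DNS server, so each side can resolve all of the other domain.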























