[K12OSN] Active Directory - SMB/LDAP Switch
jingalls at ellsworthschools.org
Wed Jul 13 01:45:28 UTC 2005
I'm writing this e-mail to the list to serve as a heads up to other people who
might be looking to make this switch in the future. We switched from a Windows
2000 Active Directory setup that has been in place for ~4 years.
While I haven't done very much of any setup on the server end (most of this was
handled by Chuck Liebow) I played a large part in the deployment and bug fixing
in our environment. The switch from Active Directory to SMB/LDAP has taken us
the better part of two days, and this was even after extensive testing in our
"sandbox". It seemed like Murphy's law was in full effect while we made the
switch. We still have many machines to join to the new domain. At this point we
have secretaries and office staff ready to go.
Here are some of the stumbling blocks we encountered:
Check permissions on Windows servers before joining your new domain. Some of our
drives were configured so that only Domain Admins could access them. After
joining the new domain, the new domain admins didn't match up so I couldn't
access the drives. I ended up disjoining and rejoining the old domain and took
ownership of the drives using an account local to the server so I could modify
permissions when I switched back.
For those people who are using Citrix and might be hesitant of making the switch
to SMB/LDAP (I certainly was), it works great! Citrix gave us no problems at
all. Before disjoining, make sure that your server's local administrator account
has full administrative rights in the management console. Please note that you
should write down all the permissions on your published apps before changing
domains or you won't be able to see what they were before (show up as account
Write down your sharing and security information on server shares (show up as
account unknown after the switch).
Perhaps the most important lesson we learned was that the profile directory and
home directory MUST be different! What we decided to do was use roaming
profiles, but exclude the Desktop and My Documents directories from roaming to
cut down on logon/logoff time (by merging a .reg file via logon script). We
instead chose to use folder redirection (by merging a .reg file via logon
script) for those two folders. We thought (wrongly) that since these folders
would be excluded from roaming the redirected folders could live amongst the
other profile directories. What this resulted in was files that would randomly
disappear from the Desktop and My Documents folders. Ultimately we stuck with
using folder redirection, but we redirected them to the home directory and put
the profiles in /home/profiles/username. This made me happier than putting the
profiles in the default location because we have a large partition for /home.
Overall I suppose the switch was well worth it. We'll see how things go now that
our users are going to begin using the system. I expect there will be several
minor issues that pop up in the coming weeks, but I don't anticipate any show
stoppers. This will be our first experience using roaming profiles which is
exciting to me and I think it will provide our users with a much nicer overall
If anyone has any advice on how to handle laptop users in an environment such as
this I'd love to hear it. As it is, I think not joining them to the domain will
be the best answer. The laptops are often not connected to the network and I
think this would be a nightmare for a laptop user. I think they would work
better as standalone units with just a shortcut to their server space to
perform manual backups from time to time when they are connected to our
network. They shouldn't have a great need for roaming profiles since they have
the ability to take their computer with them.
Ellsworth School Department
207-667-4722 Ext. 5529
jingalls (at) ellsworthschools.org
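As an added example that is not part of the original post or the list's own scripts: a batch logon script that does what the post describes, excluding Desktop and My Documents from the roaming profile and redirecting them to the home directory instead of into the profile tree. It uses reg add rather than merging a .reg file, and assumes the Samba home directory is mapped as drive H: at logon (the drive letter and the share path in the commented-out line are assumptions).

```batch
@echo off
rem Added example, not from the original post. Assumption: home directory mapped as H:.
set HOMEDRV=H:

rem 1. Keep Desktop and My Documents out of the roaming profile to shorten logon/logoff.
rem    The value is semicolon-separated, relative to the profile root; the first four
rem    entries are the stock Windows defaults and are kept.
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ExcludeProfileDirs /t REG_SZ /d "Local Settings;Temporary Internet Files;History;Temp;Desktop;My Documents" /f

rem 2. WRONG (what the post warns about): redirecting the excluded folders back into
rem    the profile directory, where files were found to disappear at random.
rem reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop /t REG_EXPAND_SZ /d "\\server\profiles\%USERNAME%\Desktop" /f

rem 3. Correct: redirect both folders to the user's home directory, outside the profile.
if not exist "%HOMEDRV%\Desktop" mkdir "%HOMEDRV%\Desktop"
if not exist "%HOMEDRV%\My Documents" mkdir "%HOMEDRV%\My Documents"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop /t REG_EXPAND_SZ /d "%HOMEDRV%\Desktop" /f
rem "Personal" is the registry name for the My Documents folder.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal /t REG_EXPAND_SZ /d "%HOMEDRV%\My Documents" /f
```

The redirection takes effect at the next logon, so test it on one account and confirm the home drive is mapped before the script runs.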