Updates and additions.

(This used to be commit 9b35377f0cf5022519385a2b70237c05c7978158)

1 files changed, 208 insertions, 25 deletions

diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml
index 3640c78942..6e40709081 100644
--- a/docs/docbook/projdoc/NT4Migration.sgml
+++ b/docs/docbook/projdoc/NT4Migration.sgml
@@ -74,70 +74,253 @@ MS Windows 2000 and beyond (with or without Active Directory services).
 </para>
 
 <para>
-What are the features the Samba-3 can NOT provide?
+What are the features that Samba-3 can NOT provide?
 </para>
 
-<simplelist>
-    <member>Active Directory Server</member>
-    <member>Group Policy Objects (in Active Direcrtory)</member>
-    <member>Machine Policy objects</member>
-    <member>Logon Scripts in Active Directorty</member>
-    <member>Software Application and Access Controls in Active Directory</member>
-</simplelist>
+<itemizedlist>
+<listitem>
+	<para>Active Directory Server<para>
+</listitem>
+<listitem>
+	<para>Group Policy Objects (in Active Direcrtory)<para>
+</listitem>
+<listitem>
+	<para>Machine Policy objects<para>
+</listitem>
+<listitem>
+	<para>Logon Scripts in Active Directorty<para>
+</listitem>
+<listitem>
+	<para>Software Application and Access Controls in Active Directory<para>
+</listitem>
+</itemizedlist>
+
+<para>
+The features that Samba-3 DOES provide and that may be of compelling interest to your site
+includes:
+</para>
+
+<itemizedlist>
+<listitem>
+	<para>Lower Cost of Ownership</para>
+</listitem>
+<listitem>
+	<para>Global availability of support with no strings attached</para>
+</listitem>
+<listitem>
+	<para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para>
+</listitem>
+<listitem>
+	<para>Creation of on-the-fly logon scripts</para>
+</listitem>
+<listitem>
+	<para>Creation of on-the-fly Policy Files</para>
+</listitem>
+<listitem>
+	<para>Greater Stability, Reliability, Performance and Availability</para>
+</listitem>
+<listitem>
+	<para>Manageability via an ssh connection</para>
+</listitem>
+<listitem>
+	<para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para>
+</listitem>
+<listitem>
+	<para>Ability to implement a full single-signon architecture</para>
+</listitem>
+<listitem>
+	<para>Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand</para>
+</listitem>
+</itemizedlist>
+
+<para>
+Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
+considered. Users should be educated about changes they may experience so that the change will be a
+welcome one and not become an obstacle to the work they need to do. The following are some of the
+factors that will go into a successful migration:
+</para>
+
+<sect3>
+<title>Domain Layout</title>
+
+<para>
+Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
+a secondary controller), a domain member, or as a stand-alone server. The Windows network security
+domain context should be sized and scoped before implementation. Particular attention needs to be
+paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
+It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
+chooses to use an LDAP authentication backend then the same database can be used by several different
+domains. This means that in a complex organisation there can be a single LDAP database, that itself
+can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
+</para>
+
+<para>
+It is recommended that from a design perspective, the number of users per server, as well as the number
+of servers, per domain should be scaled according to needs and should also consider server capacity
+and network bandwidth.
+</para>
+
+<para>
+A physical network segment may house several domains, each of which may span multiple network segments.
+Where domains span routed network segments it is most advisable to consider and test the performance
+implications of the design and layout of a network. A Centrally located domain controller that is being
+designed to server mulitple route network segments may result in severe performance problems if the
+response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
+where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
+the local authentication and access control server.
+</para>
+</sect3>
+
+<sect3>
+<title>Server Share and Directory Layout</title>
+
+<para>
+There are few cardinal rules to effective network design that can be broken with impunity.
+The most important rule of effective network management is that simplicity is king in every
+well controlled network. Every part of the infrastructure must be managed, the more complex
+it is, the greater will be the demand of keeping systems secure and functional.
+</para>
+
+<para>
+The nature of the data that must be stored needs to be born in mind when deciding how many
+shares must be created. The physical disk space layout should also be taken into account
+when designing where share points will be created. Keep in mind that all data needs to be
+backed up, thus the simpler the disk layout the easier it will be to keep track of what must
+be backed up to tape or other off-line storage medium. Always plan and implement for minimum
+maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
+Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
+</para>
+
+<para>
+Users should be grouped according to data access control needs. File and directory access 
+is best controlled via group permissions and the use of the "sticky bit" on group controlled
+directories may substantially avoid file access complaints from samba share users.
+</para>
+
+<para>
+Many network administrators who are new to the game will attempt to use elaborate techniques
+to set access controls, on files, directories, shares, as well as in share definitions.
+There is the ever present danger that that administrator's successor will not understand the
+complex mess that has been inherited. Remember, apparent job security through complex design
+and implementation may ultimately cause loss of operations and downtime to users as the new
+administrator learns to untangle your web. Keep access controls simple and effective and
+make sure that users will never be interrupted by the stupidity of complexity.
+</para>
+</sect3>
+
+<sect3>
+<title>Logon Scripts</title>
+
+<para>
+Please refer to the section of this document on Advanced Network Adminsitration for information
+regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
+all users gain share and printer connections they need.
+</para>
+
+<para>
+Logon scripts can be created on-the-fly so that all commands executed are specific to the
+rights and privilidges granted to the user. The preferred controls should be affected through
+group membership so that group information can be used to custom create a logong script using
+the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share.
+</para>
+
+<para>
+Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled
+user environment. In any case you may wish to do a google search for logon script process controls.
+In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
+deals with how to add printers without user intervention via the logon script process.
+</para>
+</sect3>
+
+<sect3>
+<title>Profile Migration/Creation</title>
+
+<para>
+User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
+Management.
+</para>
+
+<para>
+Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows
+the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
+to be changed to the SID of the Samba-3 domain.
+</para>
+</sect3>
+
+<sect3>
+<title>User and Group Accounts</title>
+
+<para>
+It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
+ attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
+groups that are present on the MS Windows NT4 domain <ephasis>AND</emphasis> to connect these to
+suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
+should migrate painlessly.
+</para>
+</sect3>
 
 </sect2>
+
 <sect2>
 <title>Steps In Migration Process</title>
 
 <para>
 This is not a definitive ste-by-step process yet - just a place holder so the info 
 is not lost.
+</para>
 
-1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+<itemizedlist>
+<listitem><para>
+You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+</para></listitem>
 
-2. Samba-3 set up as a DC with netlogon share, profile share, etc.
+<listitem><para>
+Samba-3 set up as a DC with netlogon share, profile share, etc.
+</para></listitem>
+</itemizedlist>
 
-3. Process:
-	a. Create a BDC account for the samba server using NT Server Manager
+<para><programlisting>
+Process:
+	Create a BDC account for the samba server using NT Server Manager
 		- Samba must NOT be running
 
-	b. rpcclient NT4PDC -U Administrator%passwd
+	rpcclient NT4PDC -U Administrator%passwd
 		lsaquery
 
 		Note the SID returned by step b.
 
-	c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd
+	net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd
 
 		Note the SID in step c.
 
-	d. net getlocalsid
+	net getlocalsid
 
 		Note the SID, now check that all three SIDS reported are the same!
 
-	e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
+	net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
 
-	f. net rpc vampire -S NT4PDC -U administrator%passwd
+	net rpc vampire -S NT4PDC -U administrator%passwd
 
-	g. pdbedit -l
+	pdbedit -l
 
 		Note - did the users migrate?
 
-	h. initGrps.sh DOMNAME
+	initGrps.sh DOMNAME
 
-	i. smbgroupedit -v
+	smbgroupedit -v
 
 		Now check that all groups are recognised
 
-	j. net rpc campire -S NT4PDC -U administrator%passwd
+	net rpc campire -S NT4PDC -U administrator%passwd
 
-	k. pdbedit -lv
+	pdbedit -lv
 
 		Note - check that all group membership has been migrated.
+</programlisting></para>
 
-
+<para>
 Now it is time to migrate all the profiles, then migrate all policy files.
-
-Moe later.
+More later.
 </para>
 
 </sect2>