solomonneas/samba-ad-migration

SAMBA AD

Windows to Linux Migration

Automation scripts for migrating a Windows AD file share to a Samba-based Linux VM on Proxmox, with AD domain integration.

Features

  • Automated VM creation on Proxmox with cloud-init
  • Thin-provisioned storage for data disk
  • Full AD domain integration via Samba/Winbind
  • Robocopy-based data migration preserving permissions
  • Configurable via .env file (secrets kept out of git)

Prerequisites

  • Proxmox VE host with local-lvm storage
  • Active Directory domain with accessible Domain Controllers
  • Network connectivity between Proxmox host, new VM, and AD DCs
  • Domain admin credentials for joining

The installer uses Ubuntu 24.04 cloud images and automatically handles cloud-init password authentication quirks.

Quick Start

One-Liner Install (Recommended)

Run this on your Proxmox host for an interactive guided setup:

bash -c "$(wget -qLO - https://raw.githubusercontent.com/solomonneas/samba-ad-migration/main/samba-ad.sh)"

This will:

  • Prompt for all configuration (domain, IPs, VM specs)
  • Create and start the VM automatically
  • Configure storage, hostname, DNS, and Samba
  • Leave you with one final step: domain join (requires AD admin credentials)
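The one-liner executes whatever the `main` branch serves at that moment, as root on the Proxmox host. The following is an added example, not part of the repository: it downloads the installer to a file, compares it with a SHA-256 you recorded when you reviewed the script, and runs it only on a match. The function names are hypothetical; the URL is the one from the command above.

```sh
#!/bin/sh
# Added example, not from the repository: fetch the installer to a file, check it
# against a SHA-256 recorded at review time, and only then execute it.

INSTALLER_URL="https://raw.githubusercontent.com/solomonneas/samba-ad-migration/main/samba-ad.sh"

# sha256_matches FILE EXPECTED_HEX -> exit 0 only if FILE hashes to EXPECTED_HEX
sha256_matches() (
    actual=$(sha256sum "$1" | cut -d' ' -f1) || exit 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ ${#expected} -eq 64 ] && [ "$actual" = "$expected" ]
)

# run_pinned EXPECTED_HEX -> download, verify, run; refuses to run on a mismatch
run_pinned() (
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    wget -qO "$tmp" "$INSTALLER_URL" || { echo "download failed" >&2; exit 1; }
    sha256_matches "$tmp" "$1" || { echo "hash mismatch, not running" >&2; exit 1; }
    bash "$tmp"
)

# Stand-alone use: sh run-pinned.sh <sha256-recorded-at-review>
[ $# -eq 0 ] || run_pinned "$1"
```

A mismatch means the script changed since it was reviewed; read the new version before recording a new hash.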

Manual Installation

1. Clone and Configure

git clone https://github.com/solomonneas/samba-ad-migration.git
cd samba-ad-migration
cp .env.example .env
# Edit .env with your environment values
nano .env

2. Create VM (on Proxmox host)

# Copy scripts to Proxmox host
scp -r . root@proxmox:/root/fileserver/

# SSH to Proxmox and run
ssh root@proxmox
cd /root/fileserver
chmod +x scripts/*.sh
./scripts/00-create-vm.sh

Configure cloud-init credentials:

qm set <VMID> --ciuser ubuntu --cipassword 'your-password'
# OR use SSH key
qm set <VMID> --sshkeys ~/.ssh/authorized_keys

Start the VM:

qm start <VMID>

3. Configure VM (SSH to new VM)

Copy the scripts to the VM and run in order:

# From your workstation
scp -r . ubuntu@<VM_IP>:~/fileserver/

# SSH to VM
ssh ubuntu@<VM_IP>
cd ~/fileserver
chmod +x scripts/*.sh
sudo ./scripts/01-setup-storage.sh
sudo ./scripts/02-prepare-os.sh
sudo ./scripts/03-install-samba.sh
sudo ./scripts/04-join-domain.sh

4. Migrate Data (from Windows)

Run the PowerShell script from a Windows machine with access to both the old and new shares:

# Preview what will be copied
.\scripts\05-migrate-data.ps1 -WhatIf

# Run the actual migration
.\scripts\05-migrate-data.ps1 -Source "E:\OldFileShare" -ServerName "prox-fileserv"

Script Overview

Script                  Run On        Purpose
samba-ad.sh             Proxmox host  One-liner installer - interactive guided setup
00-create-vm.sh         Proxmox host  Creates VM with OS and data disks
01-setup-storage.sh     New VM        Formats and mounts data disk
02-prepare-os.sh        New VM        Sets hostname, DNS, NTP
03-install-samba.sh     New VM        Installs Samba, generates configs
04-join-domain.sh       New VM        Joins AD domain, sets permissions
05-migrate-data.ps1     Windows       Robocopy migration
06-harden-security.sh   New VM        SNMP monitoring, audit logging, SMB3 hardening

Configuration Reference

Key settings in .env:

Variable       Description                        Example
DOMAIN_SHORT   NetBIOS domain name                CONTOSO
DOMAIN_REALM   Kerberos realm (FQDN, uppercase)   CONTOSO.LOCAL
DC_PRIMARY     Primary DC IP                      10.0.0.10
DC_SECONDARY   Secondary DC IP (optional)         10.0.0.11
VM_NAME        Hostname for new server            prox-fileserv
VM_IP          Static IP for VM                   10.0.0.50
SHARE_PATH     Mount point for data               /srv/fileshare
SHARE_NAME     SMB share name                     Shared
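An added example, not part of the repository: a lint pass over `.env` that checks the constraints in the table above (uppercase FQDN realm, optional secondary DC) plus the 15-character NetBIOS limit that applies to both the domain short name and the machine name. It assumes plain `KEY=value` lines and that `VM_IP` is a bare IPv4 address, as in the table; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the repository: lint .env before running the scripts.
# The file is read as text and never sourced, so nothing in it is executed.

env_get() (   # env_get FILE KEY -> value of the last KEY= line, quotes stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
)

is_ipv4() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do { [ ${#o} -le 3 ] && [ "$o" -le 255 ]; } || exit 1; done
)

check_env() (   # prints one line per problem; exit status 1 if any were found
    export LC_ALL=C
    f=$1; bad=0
    fail() { echo "$1"; bad=1; }
    short=$(env_get "$f" DOMAIN_SHORT); realm=$(env_get "$f" DOMAIN_REALM)
    vm=$(env_get "$f" VM_NAME); dc2=$(env_get "$f" DC_SECONDARY)
    # NetBIOS domain and computer names are limited to 15 characters
    case "$short" in ''|*.*) fail "DOMAIN_SHORT: expected a NetBIOS name, not an FQDN" ;; esac
    [ ${#short} -le 15 ] || fail "DOMAIN_SHORT: longer than 15 characters"
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] ||
        fail "DOMAIN_REALM: must be uppercase"
    case "$realm" in *.*) ;; *) fail "DOMAIN_REALM: expected an FQDN such as CONTOSO.LOCAL" ;; esac
    case "$vm" in ''|*[!A-Za-z0-9-]*) fail "VM_NAME: letters, digits and hyphens only" ;; esac
    [ ${#vm} -le 15 ] || fail "VM_NAME: longer than 15 characters"
    for k in DC_PRIMARY VM_IP; do
        is_ipv4 "$(env_get "$f" "$k")" || fail "$k: not an IPv4 address"
    done
    [ -z "$dc2" ] || is_ipv4 "$dc2" || fail "DC_SECONDARY: not an IPv4 address"
    case "$(env_get "$f" SHARE_PATH)" in /*) ;; *) fail "SHARE_PATH: must be absolute" ;; esac
    [ -n "$(env_get "$f" SHARE_NAME)" ] || fail "SHARE_NAME: is empty"
    [ "$bad" -eq 0 ]
)

# Stand-alone use: sh lint-env.sh .env
[ $# -eq 0 ] || check_env "$1"
```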

Verification Checklist

After deployment, verify:

  • VM boots and has network connectivity
  • Data disk mounted at configured path (df -h)
  • Time synced with DC (chronyc tracking)
  • Domain join successful (wbinfo -t)
  • Can resolve domain users (getent passwd administrator)
  • Share accessible from Windows: \\<VM_NAME>\<SHARE_NAME>
  • Domain Users can create/edit files
  • Data migration completes without errors

Troubleshooting

Cannot resolve domain

Check DNS configuration:

resolvectl status
nslookup <domain>

Time sync issues

Kerberos requires the system clock to be within 5 minutes of the DC's:

chronyc tracking
chronyc sources
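An added example, not part of the repository: a filter that reads `chronyc tracking` output and reports whether the clock is synchronised and inside the 5-minute window. It assumes chrony's selected source is the DC (or a server the DC also follows); the sample output is constructed and `skew_ok` is a hypothetical name.

```sh
#!/bin/sh
# Added example, not from the repository: judge `chronyc tracking` output
# against the 5-minute Kerberos limit.
# Assumption: chrony's selected source is the DC, or a server the DC also follows.

MAX_SKEW=300   # seconds

# Constructed sample of `chronyc tracking` output (hostname and values are made up).
SAMPLE_TRACKING='Reference ID    : 0A00000A (dc01.contoso.local)
Stratum         : 4
System time     : 0.000006523 seconds slow of NTP time
Last offset     : -0.000006747 seconds
Leap status     : Normal'

# skew_ok reads `chronyc tracking` text on stdin and prints a one-line verdict.
# Exit 0: synchronised and within MAX_SKEW. Exit 1: unsynchronised or too far off.
skew_ok() {
    awk -F' *: ' -v max="$MAX_SKEW" '
        $1 == "Leap status" { leap = $2 }
        $1 == "System time" { split($2, f, " "); off = f[1] + 0; seen = 1 }
        END {
            if (off < 0) off = -off
            if (!seen || leap == "" || leap == "Not synchronised") {
                print "not synchronised"; exit 1
            }
            if (off > max) { printf "offset %.3fs exceeds %ds\n", off, max; exit 1 }
            printf "ok, offset %.3fs\n", off
        }'
}

# On the VM: chronyc tracking | skew_ok
printf '%s\n' "$SAMPLE_TRACKING" | skew_ok
```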

Domain join fails

# Test Kerberos
kinit <admin_user>@<DOMAIN_REALM>
klist

# Check connectivity to DC
nc -zv <DC_IP> 389
nc -zv <DC_IP> 88

Users not resolving after join

# Restart winbind
systemctl restart winbind

# Check winbind status
wbinfo -t
wbinfo -u

APT lock during setup

If running scripts manually and cloud-init is still installing packages:

# Wait for cloud-init to finish
cloud-init status --wait

# Then run your scripts

Share not accessible

# Test Samba config
testparm

# Check Samba status
systemctl status smbd
smbclient -L localhost -U%

Post-Migration

After successful migration:

  1. Update DNS/DHCP to point clients to new server
  2. Configure backup solution for new server
  3. Monitor for access issues during transition period
  4. Decommission old file server after validation

Client Drive Mapping

Map drives to the new Samba shares on all domain workstations. Two options:

Option A: GPO Login Script (simple)

Create map-drives.bat and assign via Group Policy (User Config > Policies > Windows Settings > Scripts > Logon):

@echo off
:: Map X: drive - Department Files
net use X: /delete /yes 2>nul
net use X: \\fileserv\Department /persistent:yes

:: Map Y: drive - Shared Resources
net use Y: /delete /yes 2>nul
net use Y: \\fileserv\Shared /persistent:yes

Option B: Group Policy Preferences Drive Maps (granular)

Configure in Group Policy Management (User Config > Preferences > Windows Settings > Drive Maps):

Drive   Action    Location                 Targeting
X:      Replace   \\fileserv\Department    Security Group: Domain Users
Y:      Replace   \\fileserv\Shared        Security Group: Domain Users

GPO Drive Maps support item-level targeting, so you can map different drives per security group, OU, or machine type. Login scripts are simpler to debug but less flexible.

Run gpupdate /force on a client to test, or wait for the next policy refresh cycle (~90 minutes).

License

MIT
