Nethserve r7 to Ns8 Migration, With external AD

I would Like to migrate an existing Nethserver 7 Installation into a NS8 Server…

Source Server Specs: NS7.9, 16 GB RAM, 2 Cores, 500 Gb SSD, 100 Mbps
Destination Server Specs, Rocky Linux, 24 GB RAM< 300 GB NVME, 600 Mbps

Source Apps to Migrate,
MAil, Nextcloud, Webtop5, Webserver,

Ill Also install and throw In Sogo, to test Sogo NS7 to NS8 Migration because of this:
the Source Server uses an External AD account provider,

External Ad Server and Source Server are connected to each other Via VPN, for the AD communication,

reading the Migration guides here: NethServer 7 migration — NS8 documentation

its stated, the Destination server should also be able to reach the External AD server, if external account provider is to be used.

How do i connect to NEthserver 7 External AD from my NS8 new install, considering there are no VPN modules
ipsec is used currently between source and AD

Also, DO i have to add the Account Provider First before migration, or will the nigration tool import the external account provider.

To my understanding this means if your current NS7 uses an external account provider, thus the account provider is not running on your current NS7, then NS8 you be able to reach this external account provider too.

So has your current NS7 setup a account provider , AD or LDAP, installed?
EDIT: After your edit it became clear to me your NS7 has an external account provider…

Account provider

The NS7 account provider must be migrated after all other applications.

Hi @oneitonitram

I must say, your choice of a “test” migration is very realistic for a typical SME:

Three servers, all hosted at different sites, nothing in house is completly unrealistic for
almost any SME, except crazy freaks…

Option 1:

Since you can afford to have servers in three sites, you can also afford a forth, just to provide a VPN for this unrealistic scenario…
This server would only be rented for the shortest possible time.

Option 2:

First stop using the external AD, (moving AD functionality to the NS7), then use the migration “normally”…

Both aren’t hard to do…


Most people want to make their IT simpler, in one place, not all over the Internet. Maybe now you start to understand why…

My 2 cents

Yes you must configure the external account provider in NS8, the same way of NS7 otherwise the migration tool complains.

The docs is not clear. That’s true only for NS7 local account provider.

I am not looking at migrating the account provider, than one will continue to operate on the server that it currently is on, untilll and SSO module is made available,

all other Ns8 servers will continue to connect to the current ns7 Account provider.

atleast thats my thinking, least someone has a better idea.

And this is an actual migration case, so hope alot of learnings both for me, as well as the rest of the community, am not sure though how many have external ldap, in different locations.

If i need a fourth server to handle the migration, then by all means,
you mention this will only provider VPN, but how exactly does it fall into the picture and how could it be utilized. in this case

And why do you term this as an unrealistic scenario.

I believe many people in this community run external AD, or the server running AD, may not be the server running other apps.

if you mean because they are in different geographic locations, some are in the same geographic locations and sure thing others are not.

if i touch the current AD on the servers its on, alot of things are going to break, significantly, there are active users depending on the AD, as well as the SSO to authenticate to their services.

for this moment, only Mail and nextcloud would/ should be affected by the migration, because all other apps and services, are hosted on different servers, others dedicated, while others on the same server.

How do i connect to NS7 account provider, if the account provider is not directly exposed on the internet, but the existing ns7 instances are connecting to it via VPN

I know that’s not the case!

In a normal SME, the boss would announce a half day off for maintenence…

As you’re talking about a SME, these are technically your employees, so where is your problem?
Or are these actually clients, in a not supported multitenancy environment?

In english, this is simply called very bad network design…
You create a problem because you think it’s easy… Ha Ha!


My 2 cents

is there a solution is there not a solution?

WHy is it considered a bad design to host my NEthserver 7 AD in the cloud.

WHy is it considered a bad design to dedicate a Server for handling AD Only.

WHy is it considered a bad design to separate other nodes from the AD, or basically to deploy different another nethserver instances, that connect to the same Nethserver AD Node?

Isnt this the reason why NEthserver 8 was designed and built the way ot was built?

Also, How different is my design from, A company that deploys Nethserver AD on premise, and uses the same AD to authenticate to many NEthserver 7 instances, in the cloud, Hosting Publicly exposed services.

How again is it any different from an organization that has multiple branches, accros different regions, or countries, with Main AD server on a server in the main office, and other servers in other locations.

I AM SIMPLEY ASKING HOW DO I CONNECT A NS8 SERVER TO A NS7 SEERVER RUNNING AD without exposing the AD to the Open internet.,

the developers did not see merit in adding VPN to NS8, but was prioritised in Nethsecurity, though one of the use cases was for different Servers to be able to talk to each other over a VPN.

this in NS8 has been solved by cluster support and Built-in VPN support for the clusters, but


this is a real world use cases, i am trying to figure out how to solve to enable me complete my migration, i need Help, @Andy_Wismer i respect your experience on the field of AD, but i now have a real world case of NS8 migration i need to handle,

I am also aware you have successfully migrated an existing NS7 to Ns8, but it had built-in AD
if you can help or have ideas, please shoot,
if not, ill request the dev team to assist with ideas, or someone in the community who has an idea

if its not possible yet at the moment, Good news, NS8 is still RC, maybe its a missing function that can be added in a future release, or maybe there is a workaround to achieve migration.

IF NS7 to NS8 migration tool utilises VPN to handle this migration, could a similar be there, or is it there for remote AD on NS7 as well

IF centos 7 was not EOL, and NS8 was not the next version, i would probably run the infra the same way for another 5 years,

please don’t mock me kindly, provide solution, I am learning as much as the other community members in this not so easy problem that seemingly i have created.

You created the issue, you solve it.

Bad design?
You can’t control even simple communication to the AD, first reason.
Other people, not you have physical access tp the server, second reason.

There are much more reasons.

Your issue doesn’t represent any SME environment I’ve heard of, and it’s not one I’d want to support.

I’ll ignore such non SME issues in future.
Plenty of users around with normal environments who have issues, and I’ll gladly help with these…

My 2 cents

if its not an SME issue, What does it represent.

WHat makes you think and assume its a non SME issue?

Because your users are most likely NOT your employees, they’re probably not even working for you.

That’s the REAL reason you do not want to touch the AD…

And you’re trying to “hide” this by claiming SME…

If your users are not your employees or co-workers, this is not a SME environment.

Simple enough…

But enough is enough for me, if a question is asked and evasion is all coming back, I’m not part of this game.

over and out


I will and cam BET you $1000 dollars that this is not the case. and infact they are my employees, and infact they are my users,

And as a matter of fact, that i am not hiding SME or anything, if you would to reclassify me as Enterprise or Coporate, please by All means do so.

so lets see who evades this now

I’m not interested in your exotic environment.


Last over and out!

1 Like

So is this not a feasible Migration at the moment for NS7 to NS8 or is it completely not a feasible Migration

@davidep do you have any takers on this?

I seem to have hit a Snug with my migration of NS7 to NS8, with the biggest hurdle being the external AD
As reported and requested here: NS8 migration - accounts provider? - Support - NethServer Community

For reasons i do not know yet, I seem notable to connect my NS8 Node(clusteradmin) to the NS7 AD provider.

I opted for the Simpelr Options, which truns out abit harder than i had in mind.

Expose the AD provider to the Internet on the firewall.
Allow connections from the Remote NS8 Node
Connect to the AD provider on ns7, so basically adding a new AD external provider on my NS8 node.

then begin the migration of the Apps on the other node, in the hope that they would be able to conenct to the AD.

2 Options
Since this is not currently possible, and even if i figure out the problem, its not and should not be a long term vaible option.

I have 2 Options to do.

  1. Implement a Wireguard Module In NS8, connect to the NS7 AD instance, that way they are talking on the same network. and Connect to AD.
  2. Create a new Server with NS8 in the localtion of the AD server, that way they have the same LAN conenction. Migrate the AD provider from NS7 to NS8, connect the destination node to the new NS8 AD provider, since they would be on the same cluster, and should talk to each other as local.

the problem with Option 2,

  • Have to build a VPN module(probably doable from my end)
  • HAve to ALso build and implement an SSO Module for NS8 that intergates wit the internal AD.

the problem with Option 1,
A VPN module for NS8 is required, not presently available
This is actually the easiest of the options

This is because, a significant number of solutions and apps being used, make use of SAML and OIDC to communicate.
the SSO mdoule (LLNG) is deployed on the same server with AD. and all other AD based connections are only through VPN, in this case IPsec

@davidep is it not possible, for the same Wireguard VPN that handles Migration, to be useful for standard connections between NS7 and NS8?

if not feasible then a standard vpn module for ns8 is required, and would make things easier, for the moment, till all is migrated to NS8.

IF a normal module for ns8 is create, that has wireguard, or somethign like wireguard easy wg-easy/wg-easy: The easiest way to run WireGuard VPN + Web-based Admin UI. (

Will connections to the module from NS7 wireguard module be automatically localhost?

Optionally, since the other conenctiosn are Ipsec based, and NS7 has Ipsec vpn, would implmenint gor installing this
hwdsl2/docker-ipsec-vpn-server: Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2 (

Automatically allow for Ns7 and ns8 conenctions, or are there special perissions required for vpn to work on NS8

Also, seems ipsec using the docker method requires username and password during authentication, where the ns7 instance does not have one.

1 Like


Instead of wasting everyone’s time with your exotic setup, why not do it the simple way?

Make a complete Backup of your AD.

Restore that Backup, eg on a local VM.
Create the new NS8 also as a local VM, in the same subnet you were using at the hosted site. (No change needed on that NS7 AD!).

Migrate the AD as first thing!

Restore the new NS8 where you need it. When it works, you can get SSO working witth AD.

There will be some downtime, but in migration, that’s almost inevitable!

Easy, doable solution!

My 2 cents

And you are right with your sentiments.

I can achieve the same without a local vm, still where the. Ad setver is hosted has those capacities.

Take note of this

1, All other servers, are NS7 based servers, so once I migrate the AD to NS8, those will still need to connect to the Ad of NS8 server. How will they communicate.

2, once I migrate the AD, to a NS8 instance, I would still need SSO. So, SSO module in NS8 required…

All available options not as simple.

I never said it would be simple…

My 2 cents