[Samba] Migration from NT4 to W2K3 AD

[Jonathan Johnson]

On 3/1/2006 7:09 AM, MJBarber at Hearst.com wrote:
> Are there any gotcha's.....
>  
>  
> I am currently using winbindd and very successfully integrating my Samba
> boxes with the NT4 domain structure.  The admin who is doing the migration
> (A corporate person not used to Linux at all) is already nervous about the
> migration since it involves Linux.
>  
> Usernames are not supposed to change..but, the authentication domain is
> going to be a completely new one.
>  
>
>   
If the domain is going to be a completely new one, let's hope that your
admin is using the Active Directory Migration Tool from Microsoft, as
that will make his job a whole lot easier. If the ADMT is used, it has
the ability to "preserve SID history" (an exercise for the reader to
find out what that means) which is helpful in some circumstances. Also,
the ADMT provides tools for migrating Windows workstations; those tools
migrate ACLs on shares and the filesystem, user rights, and move the
workstation to the new domain. Now on to the Linux/Samba portion of
things...

There is an inherent issue in migrating to a new domain: SIDs. They WILL
change. If you are using ACLs on your Linux filesystem, or if your Samba
server caches user account information from the domain controller, you
may run into issues there with the SID and with the user's logon domain
being the old one. Nevertheless, you'll have to disjoin the old domain
and rejoin the new one, updating your smb.conf, resolv.conf, hosts file,
etc. to reflect the new environment.

I have performed NT4/PDC-Win2k3/ADS migrations before (using ADMT), and
even Samba/PDC-Win2k3/ADS migrations using ADMT, but none of those
environments have included Samba/member servers, so this is uncharted
territory for me. It's probably something I need to learn about.

~Jonathan Johnson
Sutinen Consulting, Inc.
www.sutinen.com