[Samba] We need to change our AD domain

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue Aug 30 14:00:58 UTC 2016


Hi Andrew,

>> As a result of a company restructure and name change we need to change
>> our AD domain. I know that we can't change the AD domain name in Samba
>> 4, so I'm looking at the smoothest way to migrate everything from one
>> domain to another.
>>
>> Is there any (properly working) way we can export users, groups and
>> policies from one domain and import them into another? I've spent a few
>> months getting everything just the way we want it and would greatly
>> prefer not to have to start from scratch. Incidentally, I don't care
>> about the computer accounts, as they will be dealt with by the normal
>> unjoin/rejoin process.
>>
>> Any tips, advice or warnings anyone cares to share about this process
>> would be greatly appreciated.
>
> This isn't something that Samba natively supports right now, and we
> don't even support doing it via the Windows tool, or export to Windows,
> because of various issues.
>
> I would love to add it if I could find a funder (it is the level of
> work that would need that, or the patient work of a community member
> over quite some time), because it won't be trivial.
>
> In the short term I would agree that preserving the domain GUID, SIDs
> and structure is the most critical part.
>
> The things I would most worry about are the krb5 salts for passwords,
> as these won't show up in a search but might make keeping passwords
> more difficult (embedded in supplementalCredentials).

I have never tried to directly extract krb5 hashes, but it seems to me
that "pdbedit --set-nt-hash" with the corresponding NTLM hash recreates the
krb5 hash with RC4-HMAC the same way as the classicupgrade does. It
makes it very easy to recreate the credentials (thanks to all those
legacy auth mechanisms :-)

Cheers,

Denis



>
> Finding out exactly what changes in a Windows AD domain when you rename
> it would be a good place to start.  I honestly don't know how well it
> will go, but you could dump the whole thing to ldif with ldbdump on the
> backend files, and then do a pile of search and replace.  That might at
> least help pinpoint what other issues to look for.
>
> I hope this helps,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
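As an added example (not code from this thread, and not Samba's own tooling): a small shell script that turns an LDIF dump of sAMAccountName/unicodePwd pairs taken on the old DC into the "pdbedit --set-nt-hash" commands Denis mentions, one per account, for replay on the new DC. The LDIF below is constructed for the example; its two hashes are the well-known NT hashes of "password" and of the empty string, not values from any real domain. The script only prints the commands, it does not run pdbedit.

```shell
#!/bin/sh
# Added example, not code from this thread or from Samba. Reads an LDIF dump of
# sAMAccountName/unicodePwd pairs taken on the OLD DC and prints, for each
# account that has a hash, the pdbedit --set-nt-hash command to replay on the
# NEW DC. Nothing is executed here; review the output before piping it to sh.

# Constructed sample input. ldb prints binary attributes base64-encoded with a
# "::" separator, as LDIF specifies. The two hashes are the well-known NT hashes
# of "password" and of the empty string; no real domain was dumped for this.
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=old,DC=example
sAMAccountName: alice
unicodePwd:: iEb36u6PsRetBr3YMLdYbA==

dn: CN=bob,CN=Users,DC=old,DC=example
sAMAccountName: bob

dn: CN=svc-backup,CN=Users,DC=old,DC=example
sAMAccountName: svc-backup
unicodePwd:: MdbP4NFq6TG3PFnX4MCJwA==
'

# NT hash of the empty string: an account carrying it can log on with no password.
EMPTY_NT_HASH=31d6cfe0d16ae931b73c59d7e0c089c0

# base64 -> lowercase hex, the form pdbedit --set-nt-hash takes.
b64_to_hex() {
    printf '%s' "$1" | base64 -d | od -An -tx1 | tr -d ' \n'
}

# Print the command for one account, or a diagnostic on stderr if it cannot be
# migrated this way. Returns 0 in every case so a skipped account does not abort
# the whole run under set -e.
emit_one() {
    user=$1
    hash=$2
    [ -n "$user" ] || return 0
    if [ -z "$hash" ]; then
        echo "skip: $user has no unicodePwd (never had a password set?)" >&2
        return 0
    fi
    if [ ${#hash} -ne 32 ]; then
        echo "skip: $user: unicodePwd is not 16 bytes, refusing to load it" >&2
        return 0
    fi
    if [ "$hash" = "$EMPTY_NT_HASH" ]; then
        echo "warn: $user carries the empty-password NT hash" >&2
    fi
    printf 'pdbedit --set-nt-hash=%s -u %s\n' "$hash" "$user"
}

# Walk the LDIF on stdin. Entries are separated by blank lines; attributes we
# do not use (dn, anything else) are ignored.
ldif_to_pdbedit() {
    cur_user=''
    cur_hash=''
    while IFS= read -r line; do
        case "$line" in
            'sAMAccountName: '*) cur_user=${line#sAMAccountName: } ;;
            'unicodePwd:: '*)    cur_hash=$(b64_to_hex "${line#unicodePwd:: }") ;;
            '')
                emit_one "$cur_user" "$cur_hash"
                cur_user=''
                cur_hash=''
                ;;
        esac
    done
    # Flush the last entry when the dump has no trailing blank line.
    emit_one "$cur_user" "$cur_hash"
}

# Stand-alone demo on the constructed sample: prints two pdbedit commands on
# stdout, a skip for bob and a warning for svc-backup on stderr.
printf '%s' "$SAMPLE_LDIF" | ldif_to_pdbedit
```

On a real old DC the dump would come from something like `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName unicodePwd`, run as root against the local ldb file (the path is assumed from a default install; adjust it to yours). Two caveats follow directly from the thread: an NT hash yields only the RC4-HMAC Kerberos key (RFC 4757 defines that key as exactly the NT hash), so accounts loaded this way have no AES keys until their users next change password; and this does nothing to preserve SIDs or GUIDs, which Andrew flags as the most critical part, so file-server ACLs that name old-domain SIDs still have to be dealt with separately.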
