Moving a domain

Richard Sharpe rsharpe at richardsharpe.com
Mon Feb 3 15:55:47 GMT 2003


On Mon, 3 Feb 2003, Tom Alsberg wrote:

> > When smbd starts (and this includes at least 2.2.3, I believe, and beyond 
> > to 3.0.x), it checks to see if there is a SID in the secrets file with the 
> > key SECRET/SID/<UCNBNAME> where UCNBNAME is the uppercase NetBIOS name.
> 
> You mean - the uppercase NetBIOS name of the server (where smbd runs)
> - right?

Yup
 
> > If one does not exist, it will create a new random SID, set the machine 
> > SID to that, and then set the domain SID to that! If the SID changes, even 
> > if you have preserved the trust accounts and their current passwords, 
> > Windows will complain that the SID is inconsistent with what it had when 
> > it joined.
> 
> OK.  But if I copy the SID file[s]?

If you copy the secrets file, you still need to make sure smbd runs with 
the same NetBIOS name.

> > The SID for the old machine name is still in the secrets file, and you can 
> > use tdbdump to find the keys, and thus the old machine name if you need 
> > to.
> 
> What do you mean by 'old machine name'?  I most probably know the name
> of the machines which was previously acting as the server.

Yup.

> > 
> > This is relevant to your questions below.
> >  
> > > The question is - if any of you had experience, or theoretical facts
> > > and ideas of - would this work?  For users who only use it as a file
> > > and print server, it most probably would.  But as a domain controller
> > > - the clients remember a few things, and the server remembers a few
> > > things.
> > > 
> > > The SID and secrets files should probably be copied...  But then,
> > > should clients who are already in the domain be able to continue using
> > > it, without leaving and re-joining it?
> > 
> > You probably only really need the secrets file and the smbpasswd or 
> > whatever passwd database you are using for Windows accounts.
> 
> OK...  That's not a problem to preserve, I assume...

Correct.

> > 
> > If the NetBIOS name changes, you have a couple of choices, as outlined at 
> > www.richardsharpe.com.
> 
> Well, I took a look at some of the information there...  Useful
> advice...
> But anyway, I was speaking of the NetBIOS name not changing (nmbd will
> run with the -n flag to have the same NetBIOS name, no matter on what
> machine it is running).

That is good.

> > As soon as Samba 2.2.8 ships you will retrieve the old SID and
> > re-establish that as the machine SID for your Samba server and  the
> > domain SID. You can already do that with the net command for Samba
> > 3.0.x.
> 
> I didn't know Samba 3 had a net command...  I'll look after it.
> 
> Anyway, so now, after all - could you say - would it work?
> If I kill Samba on one machine, start it on another machine, with nmbd
> getting the same -n flag, and about the same configuration, and I copy
> the secret files - will log-ons to the domain (from machines that have
> already joined in the past) work without re-joining it?  Would there
> be any other problem?

I expect you will be fine. However, I have not tried that.

> As I understand from your message, there should not be any problem.
> Is this right?

I think you will be OK. Let us know :-)

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
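Before cutting a domain controller over to another machine, the check a practitioner would want is that the copied secrets file really holds a SID under the NetBIOS name the new smbd will run with, and that it is the same SID the old name had. The script below is an added example, not code from this thread or from Samba: it parses `tdbdump`-style output (a constructed sample here, or a real dump passed as a file argument) and decodes the stored SID. Assumptions: the key prefix is taken as written in the message above, the `key(n) = "..."`/`data(n) = "..."` escaping convention of tdbdump and the on-disk SID layout (revision, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) are from my own knowledge, and the SID values are made up.

```python
import re
import sys

# Key prefix as quoted in the message above (assumption; check your tdbdump output).
SID_KEY_PREFIX = "SECRET/SID/"

# Constructed tdbdump-style output for a secrets file that was copied after
# the server was started once under each NetBIOS name. SID is S-1-5-21-1234-5678-14857;
# printable bytes ('.' and ':') appear literally, the rest as \XX, like tdbdump does.
SAMPLE_DUMP = r'''{
key(21) = "SECRET/SID/OLDSERVER\00"
data(24) = "\01\04\00\00\00\00\00\05\15\00\00\00\D2\04\00\00.\16\00\00\09:\00\00"
}
{
key(21) = "SECRET/SID/NEWSERVER\00"
data(24) = "\01\04\00\00\00\00\00\05\15\00\00\00\D2\04\00\00.\16\00\00\09:\00\00"
}
'''

ENTRY_RE = re.compile(r'key\(\d+\) = "([^"]*)"\s*data\(\d+\) = "([^"]*)"')


def unescape(text: str) -> bytes:
    """Turn tdbdump's mix of literal printable chars and \\XX escapes back into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_sid(raw: bytes) -> str:
    """Render a binary SID as S-<rev>-<authority>-<sub>-..."""
    rev, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def check_sid_consistency(dump_text: str, old_name: str, new_name: str) -> dict:
    """Look up the SID stored under both uppercase NetBIOS names and compare them."""
    sids = {}
    for key, data in ENTRY_RE.findall(dump_text):
        name = unescape(key).rstrip(b"\x00").decode("ascii", "replace")
        if name.startswith(SID_KEY_PREFIX):
            sids[name[len(SID_KEY_PREFIX):]] = decode_sid(unescape(data))
    old_sid, new_sid = sids.get(old_name.upper()), sids.get(new_name.upper())
    return {"old": old_sid, "new": new_sid, "ok": old_sid is not None and old_sid == new_sid}


if __name__ == "__main__":
    # Usage: python check_sid.py [tdbdump-output-file] OLDNAME NEWNAME
    text = open(sys.argv[1]).read() if len(sys.argv) == 4 else SAMPLE_DUMP
    print(check_sid_consistency(text, *sys.argv[-2:]) if len(sys.argv) >= 3
          else check_sid_consistency(SAMPLE_DUMP, "oldserver", "newserver"))
```

If the result shows no SID under the new name, or a different one, smbd would generate a fresh random SID on first start, which is exactly the mismatch the message warns about.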


