Moving a domain
Richard Sharpe
rsharpe at richardsharpe.com
Mon Feb 3 15:55:47 GMT 2003
On Mon, 3 Feb 2003, Tom Alsberg wrote:
> > When smbd starts (and this includes at least 2.2.3, I believe, and beyond
> > to 3.0.x), it checks to see if there is a SID in the secrets file with the
> > key SECRET/SID/<UCNBNAME> where UCNBNAME is the uppercase NetBIOS name.
>
> You mean - the uppercase NetBIOS name of the server (where smbd runs)
> - right?
Yup
> > If one does not exist, it will create a new random SID, set the machine
> > SID to that, and then set the domain SID to that! If the SID changes, even
> > if you have preserved the trust accounts and their current passwords,
> > Windows will complain that the SID is inconsistent with what it had when
> > it joined.
>
> OK. But if I copy the SID file[s]?
If you copy the secrets file, you still need to make sure smbd runs with
the same NetBIOS name.
> > The SID for the old machine name is still in the secrets file, and you can
> > use tdbdump to find the keys, and thus the old machine name if you need
> > to.
>
> What do you mean by 'old machine name'? I most probably know the name
> of the machine which was previously acting as the server.
Yup.
> >
> > This is relevant to your questions below.
> >
> > > The question is - if any of you had experience, or theoretical facts
> > > and ideas of - would this work? For users who only use it as a file
> > > and print server, it most probably would. But as a domain controller
> > > - the clients remember a few things, and the server remembers a few
> > > things.
> > >
> > > The SID and secrets files should probably be copied... But then,
> > > should clients who are already in the domain be able to continue using
> > > it, without leaving and re-joining it?
> >
> > You probably only really need the secrets file and the smbpasswd or
> > whatever passwd database you are using for Windows accounts.
>
> OK... That's not a problem to preserve, I assume...
Correct.
> >
> > If the NetBIOS name changes, you have a couple of choices, as outlined at
> > www.richardsharpe.com.
>
> Well, I took a look at some of the information there... Useful
> advice...
> But anyway, I was speaking of the NetBIOS name not changing (nmbd will
> run with the -n flag to have the same NetBIOS name, no matter on what
> machine it is running).
That is good.
> > As soon as Samba 2.2.8 ships you will retrieve the old SID and
> > re-establish that as the machine SID for your Samba server and the
> > domain SID. You can already do that with the net command for Samba
> > 3.0.x.
>
> I didn't know Samba 3 had a net command... I'll look after it.
>
> Anyway, so now, after all - could you say - would it work?
> If I kill Samba on one machine, start it on another machine, with nmbd
> getting the same -n flag, and about the same configuration, and I copy
> the secret files - will log-ons to the domain (from machines that have
> already joined in the past) work without re-joining it? Would there
> be any other problem?
I expect you will be fine. However, I have not tried that.
> As I understand from your message, there should not be any problem.
> Is this right?
I think you will be OK. Let us know :-)
Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
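As an added example (not code from the thread or from Samba), the check a migrator would want before starting smbd on the new host: parse `tdbdump secrets.tdb` output, look up the `SECRET/SID/<UCNBNAME>` record for the NetBIOS name smbd will run under, and decode the SID it would reuse; if the record is missing, smbd will generate a fresh random SID instead. The dump text, NetBIOS names and SID values below are constructed, and the parser assumes tdbdump's `\XX` hex escaping of non-printable bytes.

```python
import re
import struct

# Constructed sample of `tdbdump secrets.tdb` output (not a real dump):
# one SID record for NetBIOS name OLDSERVER plus a filler record.
# dom_sid on disk: revision(1) num_auths(1) authority(6, big-endian)
# then 15 little-endian uint32 sub-authority slots = 68 bytes.
SID_DATA = (r'\01\04\00\00\00\00\00\05'          # S-1-5, 4 sub-auths used
            + r'\15\00\00\00'                    # 21
            + r'xV4\12\F0\DE\BC\0A\03\00\00\00'  # 0x12345678, 0x0ABCDEF0, 3
            + r'\00' * 44)                       # unused sub-auth slots
SAMPLE_DUMP = ('{\nkey(20) = "SECRET/SID/OLDSERVER"\ndata(68) = "'
               + SID_DATA + '"\n}\n'
               '{\nkey(11) = "DUMMY/ENTRY"\ndata(3) = "abc"\n}\n')

RECORD_RE = re.compile(r'key\(\d+\) = "(.*)"\ndata\(\d+\) = "(.*)"')
ESC_RE = re.compile(r'\\([0-9A-Fa-f]{2})')


def unescape(text):
    """Turn tdbdump's escaped string back into raw bytes."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text).encode('latin-1')


def parse_tdbdump(text):
    """Map each key in the dump to its raw data bytes."""
    return {unescape(k).decode('ascii'): unescape(v)
            for k, v in RECORD_RE.findall(text)}


def sid_to_string(blob):
    """Decode a stored dom_sid into S-R-A-sub1-... notation."""
    rev, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], 'big')
    subs = struct.unpack('<%dI' % count, blob[8:8 + 4 * count])
    return 'S-%d-%d' % (rev, authority) + ''.join('-%d' % s for s in subs)


def sid_for_name(records, netbios_name):
    """SID smbd would find for this NetBIOS name (key uses the uppercase
    name), or None if it would create a new random SID instead."""
    blob = records.get('SECRET/SID/' + netbios_name.upper())
    return sid_to_string(blob) if blob else None


if __name__ == '__main__':
    recs = parse_tdbdump(SAMPLE_DUMP)
    for name in ('oldserver', 'newserver'):
        print(name, '->', sid_for_name(recs, name) or 'MISSING: smbd would mint a new SID')
```

In practice, feed it the real `tdbdump secrets.tdb` output and query the name you will pass to nmbd's `-n` flag; a `None` result means domain members would see a SID mismatch after the move.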