[Samba] Migrating domain from Samba 3 to Windows 2003
Jonathan Johnson
jon at sutinen.com
Sat Feb 12 22:40:01 GMT 2005
At the risk of being called a turncoat and traitor in Sambaland, I ask,
"how do I migrate from a Samba 3 domain to a Windows 2003 Active
Directory domain?"
A customer has determined that they wish to use the groupware features
of Microsoft Exchange. They already have the licenses they need, so
there's no point in convincing them that Samba will be cheaper or that
some Linux-based solution will work. This of course requires Active
Directory (although I would not be surprised if a subscriber to this
list proves me wrong), and by extension, migrating their existing Samba
3 domain.
Of course, it would be easy to just create a new domain. Since this
customer has only 6 machine accounts and 7-10 user accounts, it's not a
big deal to recreate them. However, one must remember that creating new
users in a new domain means that user profiles will be "lost" since the
profile (read: NTUSER.DAT) is tied to the SID of the user. New domain =
new SIDs. It's possible but tedious and risky with unpredictable results
(due to permissions, again tied to the SID) to migrate user profiles. A
domain migration would be much smoother, if possible, especially for an
administrator dealing with hundreds or thousands of user and machine
accounts.
Here is how I imagine doing it. The customer has two new servers
(hardware), one of which will be a replacement for the existing Samba
box (which handles file storage and sharing), the other of which will be
the Windows 2003 AD server.
I will make a copy of the existing Samba 3 domain to one new box, and
install Windows 2003 in the other new box. These boxes will be at this
point disconnected from the production network, leaving it intact and
unchanged for now. This lets us make mistakes on the new systems without
affecting their production network.
Configure the Samba server so it looks like an NT 4 server (how?).
Join the Windows 2003 server as a member server to the Samba 3 domain.
Run the Active Directory installation wizard to migrate the domain,
elevating the Windows 2003 server to an Active Directory server.
Take the Samba 3 server offline, rebuild it, joining it to the new
W2K3/AD domain as a simple file server.
Any reason this won't work? Your experiences? Your wisdom?
One final question: Can Exchange 2003 be made to authenticate against a
Samba domain? I would expect not, since a Samba domain is mostly an NT4
equivalent and Exchange 2003 requires a domain at least at AD2000
functional level. Maybe AD2003 functional level.
~Jonathan Johnson
Sutinen Consulting, Inc.
jon at sutinen.com
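The "new domain = new SIDs" point in the message above, as an added example that is not part of the original post: a domain account SID is the domain's SID plus a per-account RID, so an ACL or profile entry written under the old domain matches nothing in a new one even when the user name is the same. All SIDs, account names and function names here are constructed for illustration.

```python
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Constructed sample data (not from any real domain).
OLD_DOM = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOM = "S-1-5-21-1234567890-2345678901-3456789012"
OLD_ACCOUNTS = {"alice": OLD_DOM + "-1001", "bob": OLD_DOM + "-1002"}
NEW_ACCOUNTS = {"alice": NEW_DOM + "-1105"}  # bob not recreated yet
PROFILE_ACL = [OLD_DOM + "-1001", OLD_DOM + "-1002", "S-1-5-32-544", "S-1-5-18"]

def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or (sid, None)
    for SIDs that are not domain-relative (BUILTIN, well-known)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = m.group(2).lstrip("-").split("-")
    # Domain accounts: authority 5, sub-authority 21, three domain
    # sub-authorities, then the RID.
    if m.group(1) == "5" and len(subs) == 5 and subs[0] == "21":
        return sid.rsplit("-", 1)[0], int(subs[4])
    return sid, None

def translation_map(old_accounts, new_accounts):
    """Map old SID -> new SID, matching accounts by name."""
    return {old_sid: new_accounts[name]
            for name, old_sid in old_accounts.items() if name in new_accounts}

def audit_acl(acl_sids, old_domain_sid, mapping):
    """Classify every SID on an ACL against the old domain."""
    report = {}
    for sid in acl_sids:
        domain, rid = split_sid(sid)
        if rid is None or domain != old_domain_sid:
            report[sid] = "unaffected"      # not issued by the old domain
        elif sid in mapping:
            report[sid] = "rewrite to " + mapping[sid]
        else:
            report[sid] = "orphaned"        # no matching account in new domain
    return report

if __name__ == "__main__":
    mapping = translation_map(OLD_ACCOUNTS, NEW_ACCOUNTS)
    for sid, action in audit_acl(PROFILE_ACL, OLD_DOM, mapping).items():
        print(f"{sid:50} {action}")
```
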