[Samba] Re: Migrating domain from Samba 3 to Windows 2003 (here's how to do it)

Jonathan Johnson jon at sutinen.com
Wed Jun 15 15:08:35 GMT 2005

Ben S. wrote:

>Hi Jonathan,
>I saw your post in the linux.samba newsgroups with the above topic heading.
>Looking through the posts I could not see any replies.
>We also have a customer with the exact same requirements, and I thought that
>I would quickly ping you to see if you had any luck with migration.
>Any experiences or suggestions are appreciated in advance,

Yes, I successfully migrated from Samba 3 to Windows 2003. I used the 
Active Directory Migration Tool from Microsoft; it's on the Windows 
Server 2003 CD (I don't remember exactly where, but look for ADMT).

There are a few things that will make the ADMT fail, so be aware of them:

1) Set up a DNS server that's authoritative for your new 2003 domain 
(this will typically be in the first domain controller, but doesn't have 
to be). Then in your servers' and workstations' TCP/IP configuration, 
add it as the first DNS server. Also, make sure that "DNS suffix for 
this connection" is blank. This setting is in the advanced TCP/IP 
properties DNS tab; in 98, in the DNS tab, leave the domain blank. If 
it's not blank, things will fail.

2) Migrate user accounts before migrating machine accounts. You will be 
able to preserve SID history, so that users will have the same rights as 
before. Migrating from Samba to 2003, you won't be able to migrate 
passwords as you would if you were running an NT domain to begin with.

3) The domain "administrator" passwords of the old and new domain, and 
the local administrator passwords of the workstations MUST be the same. 
This is not required for user migration, but machine account migration 
will fail if they are not.

4) Disable any firewalls (inc. the Windows firewall) on any workstations 
that will be migrated.

5) ADMT supports test modes. Always test before running, and resolve any 
issues before proceeding! Note that a test will ALWAYS fail, because it 
can't actually migrate the accounts yet. You'll have to look for other 
errors besides these.

6) When migrating machine accounts, file security can be updated on the 
migrated workstations to match the new domain IF you chose to preserve 
SID history. This means your user profiles will also be migrated. If you 
manually create user accounts without migration, SID history will not be 
preserved and file security won't be migrated; you'll have to manually 
do it at the workstation after the migration.

Here's a link to a post I made on the subject: 

Good luck. It won't be painless, but in general, the process went 
smoother than I had hoped for. The first time I did it was actually a 
Windows NT4 to Windows 2003 domain migration, and including 
troubleshooting (learning the above) took about four hours for 13 
workstations and one domain controller. Knowing the above, it probably 
would have taken only two hours. Later on, I successfully migrated a 
domain from Samba 3 to Windows 2003. The ADMT also seems to work for 
migrating to/from Small Business Server domains, which do not support 

--Jon Johnson
Sutinen Consulting, Inc.
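
A pre-flight check for item 1 of the list above, as an added example that is not part of the original post: it parses the text of `ipconfig /all` from a workstation and reports any adapter whose connection-specific DNS suffix is not blank or whose first DNS server is not the new domain's DNS server. The function names, the English-locale output layout and the sample addresses are assumptions constructed for illustration.

```python
import re
# Constructed sample of English-locale `ipconfig /all` output (not from the post).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : olddomain.example
   DNS Servers . . . . . . . . . . . : 192.0.2.1
                                       192.0.2.10

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   DNS Servers . . . . . . . . . . . : 192.0.2.10
"""

# A field line looks like "   Label . . . : value"; other indented lines are continuations.
FIELD = re.compile(r"^\s+(.+?)[ .]*\. :\s?(.*)$")

def parse_adapters(text):
    """Return {adapter name: {"suffix": str, "dns": [servers in listed order]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            name = line.rstrip()[:-1]
            current, last_key = adapters.setdefault(name, {"suffix": "", "dns": []}), None
            continue
        if current is None or not line.strip():
            continue
        m = FIELD.match(line)
        if m:
            last_key, value = m.group(1), m.group(2).strip()
            if last_key == "Connection-specific DNS Suffix":
                current["suffix"] = value
            elif last_key == "DNS Servers" and value:
                current["dns"].append(value)
        elif last_key == "DNS Servers":  # additional server on its own line
            current["dns"].append(line.strip())
    return adapters

def preflight(text, new_dns):
    """List problems against item 1: suffix must be blank, new DNS server first."""
    problems = []
    for name, cfg in parse_adapters(text).items():
        if cfg["suffix"]:
            problems.append(f"{name}: DNS suffix is '{cfg['suffix']}', expected blank")
        if cfg["dns"][:1] != [new_dns]:
            problems.append(f"{name}: first DNS server is {cfg['dns'][:1] or 'unset'}, expected {new_dns}")
    return problems
```

Calling `preflight(SAMPLE, "192.0.2.10")` flags the first adapter twice (non-blank suffix, wrong server order) and passes the second.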
