[Samba] Re: Migrating domain from Samba 3 to Windows 2003 (here's
how to do it)
jon at sutinen.com
Wed Jun 15 15:08:35 GMT 2005
Ben S. wrote:
>I saw your post in the linux.samba newsgroups with the above topic heading.
>Looking through the posts I could not see any replies.
>We also have a customer with the exact same requirements, and I though that
>I would quickly ping you to see if you had any luck with migration.
>Any experiences of suggestion are appreciated in advance,
Yes, I successfully migrated from Samba 3 to Windows 2003. I used the
Active Directory Migration Tool from Microsoft; it's on the Windows
Server 2003 CD (I don't remember exactly where, but look for ADMT).
There are a few things that will make the ADMT fail, so be aware of them:
1) Set up a DNS server that's authoritative for your new 2003 domain
(this will typically be in the first domain controller, but doesn't have
to be). Then in your servers' and workstations' TCP/IP configuration,
add it as the first DNS server. Also, make sure that "DNS suffix for
this connection" is blank. This setting is in the advanced TCP/IP
properties DNS tab; in 98, in the DNS tab, leave the domain blank. If
it's not blank, things will fail.
2) Migrate user accounts before migrating machine accounts. You will be
able to preserve SID history, so that users will have the same rights as
before. Migrating from Samba to 2003, you won't be able to migrate
passwords as you would if you were running an NT domain to begin with.
3) The domain "administrator" passwords of the old and new domain, and
the local administrator passwords of the workstations MUST be the same.
This is not required for user migration, but machine account migration
will fail if they are not.
4) Disable any firewalls (inc. the Windows firewall) on any workstations
that will be migrated.
5) ADMT supports test modes. Always test before running, and resolve any
issues before proceeding! Note that a test will ALWAYS fail, because it
can't actually migrate the accounts yet. You'll have to look for other
errors besides these.
6) When migrating machine accounts, file security can be updated on the
migrated workstations to match the new domain IF you chose to preserve
SID history. This means your user profiles will also be migrated. If you
manually create user accounts without migration, SID history will not be
preserved and file security won't be migrated; you'll have to manually
do it at the workstation after the migration.
Here's a link to a post I made on the subject:
Good luck. It won't be painless, but in general, the process went
smoother than I had hoped for. The first time I did it was actually a
Windows NT4 to Windows 2003 domain migration, and including
troubleshooting (learning the above) took about four hours for 13
workstations and one domain controller. Knowing the above, it probably
would have taken only two hours. Later on, I successfully migrated a
domain from Samba 3 to Windows 2003. The ADMT also seems to work for
migrating to/from Small Business Server domains, which do not support
Sutinen Consulting, Inc.
More information about the samba