[Samba] Moving a PDC

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Nov 24 17:54:44 MST 2009


RVNET\A and RVNET2\A will be completely separate users. But unless the
SID is stored within one of the files itself, I would think it would be just a
matter of changing the file permissions on the profile as you described.

The Windows 2003 Res Kit tools include a "moveuser" command that may help
with the profile. Once upon a time I converted some machines from a
Workgroup to a Domain model. Previously, each computer had a local account
for the primary user (and the server had to have an account for all the
users). The moveuser command let me reallocate a "PC1/user1" profile to
"DOMAIN/user1", although they were local profiles and not roaming.

You would have to test this out with a test machine and account to be sure.

The other alternative would be to configure the new machine as a BDC for the
existing domain (since you already have the LDAP infrastructure in place),
then at some point reverse the PDC and BDC roles. The LDAP server would
still be on the old server. Once you dropped the old DC you could probably
use pdbedit -E and pdbedit -I to dump the account data back to TDB.

This may also be a time to look at moving to Samba 3.2 or 3.4 (maybe on
Fedora) if you expect to support Win 7 machines.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Dominik Rau
Sent: Tuesday, November 24, 2009 5:25 PM
To: samba at lists.samba.org
Subject: [Samba] Moving a PDC

Hi list.

We're running a Debian Etch Server with Samba 3.0.24 as primary domain 
controller for an XP-dominated network. For various reasons, we're 
migrating our server to a new machine running on CentOS 5.4 (and Samba 
3.0.33). Additionally, I decided to get rid of our messy LDAP setup, as 
it is quite a pain to use and IMHO overkill for our small software shop 
(~15 machines / users), so I've set up the new system to work with 
tdbsam instead.

So basically, we currently have two fully working domain controllers in 
our network, one serving RVNET (old) and the other RVNET2 (new), RVNET 
with an LDAP backend and users A, B, C... and the new RVNET2 with equally 
named "plain" Linux/samba users A, B, C. Adding new users to the 
new domain works fine, adding new machines and storing profiles too.

Now the question is: How do I move the profiles from the old machine to 
the new one correctly? And how can I convince Windows XP to ignore the 
fact that user RVNET\A is now user RVNET2\A? My naive approach would be...

* Make sure all users store their profiles on the server and log off.
* Copy the contents of /samba/profiles from old to new machine and 
adjust user rights properly to local system users.
* Get in front of every machine, log in as local administrator, move the 
old Documents and Settings\A directory out of the way (not deleting, 
just to be sure)
* Leave the old and join the new domain, reboot.
* Log on as RVNET2\A, fetching my "old" profile from the server and go on 
doing my work as in the old domain.

The fact that I might have to reset rights on the new machine (e.g. User 
RVNET2\A might have administrator rights on a particular machine) and 
that my users must play with their home directories is not a big issue 
in our small environment and acceptable. The big advantage in my opinion 
would be that I can move one machine/user after another and it involves 
only tools that I know.

However, I googled quite a lot the last few days and found many posts 
etc. about wrong SIDs in the registry, NTUSER.dat, getting in and out of a 
domain, various Windows tools for related tasks, but either it didn't 
match my situation or the tools didn't work on my system, were too expensive, 
overkill etc. ...

So, the bottom line of all this: Does my approach work? Is it ok to do 
what I just described (considering the fact that I accept to do some 
administrative work on every machine)? If not, what else to consider / 

Thanks a lot for your time,

