[Samba] Moving a PDC

Dominik Rau dominik_rau at gmx.de
Wed Nov 25 02:32:26 MST 2009

Hi Gaiseric.

Thanks for your input.

Gaiseric Vandal wrote:
> RVNET\A and RVNET2\A will be completely separate users.    But unless the
> SID is stored within one of the files itself I would think it would be just a
> matter of changing the file permissions on the profile as you described.

Yes, the fact that they are separate users is clear (and requires the 
usage of chown here and there on the server). However, are there any 
common situations when the SID is stored somewhere and could make 
trouble after shutting the old server down?

> The Windows 2003 Res Kit tools include a "moveuser" command that may help
> with the profile.    Once upon a time I converted some machines from a
> Workgroup to a Domain model.  Previously, each computer had a local account
> for the primary user (and the server had to have an account for all the
> users.)  The move user command let me reallocate a "PC1/user1" profile to
> "DOMAIN/user1."  Although they were local profiles and not roaming.

I had a look at the tool some days ago, but it required Win 2003 and 
didn't install on my machine.

> You would have to test this out with a test machine and account to be sure.


> The other alternative would be to configure the new machine as BDC for the
> existing domain (since you already have the LDAP infrastructure in place),
> then at some point reverse the PDC and BDC roles.   The LDAP server would
> still be on the old server.  Once you dropped the old DC you could probably
> use pdbedit -E  and pdbedit -I to dump the account data back to TDB.  

I think I'll go with the "manual copy" but thanks for the hint.

> This may also be a time to look at moving to Samba 3.2 or 3.4  (maybe on
> Fedora) if you expect to support Win 7 machines. 

Thanks for reminding me, the first Windows 7 systems will be in the 
network soon. I just upgraded to 3.4.3 using the sernet rpms and it 
seems to work fine.

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Dominik Rau
> Sent: Tuesday, November 24, 2009 5:25 PM
> To: samba at lists.samba.org
> Subject: [Samba] Moving a PDC
>
> Hi list.
>
> We're running a Debian Etch Server with Samba 3.0.24 as primary domain 
> controller for an XP-dominated network. For various reasons, we're 
> migrating our server to a new machine running on CentOS 5.4 (and Samba 
> 3.0.33). Additionally, I decided to get rid of our messy LDAP setup, as 
> it is quite a pain to use and IMHO overkill for our small software shop 
> (~15 machines / users), so I've set up the new system to work with 
> tdbsam instead.
>
> So basically, we currently have two fully working domain controllers in 
> our network, one serving RVNET (old) and the other RVNET2 (new), RVNET 
> with an LDAP backend and users A, B, C... and the new RVNET2 with equally 
> named "plain" Linux/Samba users A, B, C. Adding new users to the 
> new domain works fine, adding new machines and storing profiles too.
>
> Now the question is: How do I move the profiles from the old machine to 
> the new one correctly? And how can I convince Windows XP to ignore the 
> fact that user RVNET\A is now user RVNET2\A? My naive approach would be...
>
> * Make sure all users store their profiles on the server and log off.
> * Copy the contents of /samba/profiles from old to new machine and 
> adjust user rights properly to local system users.
> * Get in front of every machine, login as local administrator, move the 
> old Documents and Settings\A directory out of the way (not deleting, 
> just to be sure)
> * Leave the old and join the new domain, reboot.
> * Logon as RVNET2\A, fetching my "old" profile from the server and go on 
> doing my work as in the old domain.
>
> The fact that I might have to reset rights on the new machine (e.g. User 
> RVNET2\A might have administrator rights on a particular machine) and 
> that my users must play with their home directories is not a big issue 
> in our small environment and acceptable. The big advantage in my opinion 
> would be that I can move one machine/user after another and it involves 
> only tools that I know.
>
> However, I googled quite a lot the last few days and found many posts 
> etc. about wrong SIDs in the registry, NTUSER.dat, getting in and out a 
> domain, various Windows tools for related tasks, but either it didn't 
> match my situation or the tools didn't work on my system, too expensive, 
> overkill etc. ...
>
> So, the bottom line of all this: Does my approach work? Is it ok to do 
> what I just described (considering the fact that I accept to do some 
> administrative work on every machine)? If not, what else to consider / 
> change?
>
> Thanks a lot for your time,
> Dominik
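
An added example, not part of the original thread: a dry-run check for the "copy /samba/profiles and adjust user rights" step discussed above. It assumes one directory per user under the profiles root, named after the account (optionally with the `.V2` suffix that Windows Vista/7 clients append); the function name and output format are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes one profile directory per user
# under ROOT, named after the account, optionally with a ".V2" suffix.

# fix_profile_owners ROOT [apply]
# Prints "ok", "chown", "orphan" or "skip" for each profile directory.
# Without "apply" nothing is changed.
fix_profile_owners() {
    root=$1
    mode=${2:-dry-run}
    for dir in "$root"/*/; do
        dir=${dir%/}
        name=${dir##*/}
        user=${name%.V2}
        # Never follow a symlinked profile: chown -R could leave the share.
        if [ -L "$dir" ]; then
            echo "skip $name"
            continue
        fi
        [ -d "$dir" ] || continue
        # No local account of that name on the new server: leave it alone.
        if ! id -u -- "$user" >/dev/null 2>&1; then
            echo "orphan $name"
            continue
        fi
        # Look for anything in the tree not owned by the user (for example
        # files still carrying a numeric UID from the old server).
        if [ -z "$(find "$dir" ! -user "$user" | head -n 1)" ]; then
            echo "ok $name"
        else
            echo "chown $name -> $user"
            if [ "$mode" = apply ]; then
                chown -R -h -- "$user" "$dir"
            fi
        fi
    done
}
```

Run it once without `apply` against the copied tree and review the `orphan` lines before changing anything.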
