[Samba] Samba 4 Admt to other Domain Windows Server 2008

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Tue May 21 02:46:15 MDT 2013

If I were in your position, to keep things simple I would first transfer
or seize all FSMO roles to the Windows DC, copy SYSVOL over to it as
well (Samba doesn't auto-sync it) and then take the Samba DC offline;
don't know if you did so already.

However, I believe that if you're still having problems after that
you'll really have to ask Microsoft, as an ADMT migration between two
domains running exclusively Windows DCs is no Samba problem anymore.

But just to give you a starting point: a quick googling with your error
message points me to the following discussion:

Perhaps you're having a permissions problem? My own experiences with
ADMT are such that it really takes a moment to set all the relevant
permissions & group memberships properly or else things won't work.

Pekka L.J. Jalkanen

On 21.5.2013 9:33, wong lmark wrote:
> I had added the Windows 08 DC in Samba 4 domain. But I cannot migrate
> the SID when I tick "Migrate User SID", it will show "Could not verify
> auditing and TcpipClientSupport on domains. Will not be able to migrate
> Sid's."
> 2013/5/21 Pekka L.J. Jalkanen <pekka.jalkanen at vihreat.fi
> <mailto:pekka.jalkanen at vihreat.fi>>
>     On 21.5.2013 6:56, Andrew Bartlett wrote:
>     > On Tue, 2013-05-21 at 11:19 +0800, wong lmark wrote:
>     >> Hi,
>     >>
>     >> I have a Samba 4 domain created and now I need to transfer all
>     users and
>     >> groups to other Windows 2008 Domain.
>     >> How can I use the ADMT?
>     >
>     > Why do you want to use ADMT?
>     >
>     > If you just need to move to Windows, then just join a Windows DC
>     to the
>     > Samba domain as DC, transfer the FSMO roles, and then offline the
>     Samba
>     > DC.
>     Also, it is good to note that even if you can't avoid ADMT (in the case
>     you must migrate your users to another _existing_ domain) you'd still
>     need to do as Andrew says and add a Windows DC to the _source_ domain
>     first, because the target domain needs to be trusted by the source for
>     ADMT to work at all.
>     While Samba can be trusted by others, it currently cannot itself trust
>     other domains, so ADMT simply cannot work without a Windows DC in the
>     source.
>     Pekka L.J. Jalkanen
>     --
>     To unsubscribe from this list go to the following URL and read the
>     instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list