[Samba] Export users from samba4(PDC) to a new installation of samba4(PDC)?

Marc Muehlfeld mmuehlfeld at samba.org
Thu Oct 30 11:59:32 MDT 2014

Hello Brayan,

On 30.10.2014 at 16:12, Brayan Vargas wrote:
> ...so I installed another samba4 like pdc following these instructions
> (http://mark.orbum.net/2014/02/22/compiling-samba-4-on-debian-wheezy-
> active-directory-domain-controllers-ho/)...

OK. First of all: You are not talking about a PDC. You're talking about
a DC, which is something different.

PDC = The Primary Domain Controller of an NT4 domain
DC = A Domain Controller in an Active Directory forest

> ...using one of the new machines, and I want to migrate just the
> users and their passwords from the actual pdc to the new one.
> The domain has a lot of problems: clients are disconnecting from
> domain continuously, many many errors logs of dns(Its not working,
> I configured a bind9 in another server), missing libraries, etc.
> It is a bad installation by the guy who was before me, and
> the company got some good hardware, ...

For an AD DC, it's not as easy as for a PDC to export everything,
because some of the attribute values are not just text values.

Currently I don't know a good way to export/import everything that is
important for Samba AD.

But here are some approaches:

1a) If it's a small domain with few users/groups/machine accounts,
think about starting from scratch. You have to re-create all
users/groups and join all machines to the new domain.

1b) Start from scratch. If you do a little scripting, you can export the
basic user accounts and additional attributes using ldapsearch or other
tools. Then script something around samba-tool, to recreate the accounts
and import the additional attributes again. But users are getting new
passwords and RIDs in that case. If you're having e. g. Windows services
with user/groups configured in ACLs, this got lost and have to be done

2) Join a new DC to the AD, transfer the FSMO roles and demote the old
one. Here you will hit a bug, we're currently having

3) Uninstall Samba and BIND, but keep the databases and SysVol. Then
install everything again (See the Wiki for documentation) and copy back
the databases.

Without knowing more of the installation and the problems, my preferred
ways would be 3, then 2.

No. 3 is something that can easily be tested by copying the whole
installation to a new host in a separate network and then doing the
changes. Plug in some clients to the test network and see how it works
and if the problems are gone.

> DC netbios name : PDC

One more piece of advice: "PDC" is a bad name for an AD DC. Even if Active
Directory has something that is called "PDC emulator"
it's not the same as an NT4 PDC and this role can be transferred to any
other DC in your domain. So if you transfer this role to another DC,
you're having this host left with a name, that indicates a function this
one doesn't own any more. ;-)
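
Approach 1b above, sketched as an added example (not code from the original post or from the Samba project): it parses `ldapsearch -LLL` output and emits shell-quoted `samba-tool user create` commands with random passwords. The sample LDIF, the domain name and the choice of attributes are assumptions; as the message says, passwords and RIDs are not carried over.

```python
import base64
import shlex

# Constructed sample of `ldapsearch -LLL` output; not from a real domain.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
mail: alice@samdom.example.com

dn: CN=joerg,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: joerg
givenName:: SsO2cmc=
sn: O'Brien
mail: joerg@samdom.exa
 mple.com

dn: CN=WS01,CN=Computers,DC=samdom,DC=example,DC=com
sAMAccountName: WS01$

dn: CN=krbtgt,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: krbtgt
"""
SKIP = {"administrator", "guest", "krbtgt"}  # a freshly provisioned domain already has these
OPTIONS = (("givenName", "--given-name"), ("sn", "--surname"), ("mail", "--mail-address"))

def parse_ldif(text):
    """Return one {attribute: first value} dict per LDIF entry that has a sAMAccountName."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name, value.strip())
        if "sAMAccountName" in entry:
            entries.append(entry)
    return entries

def recreate_commands(entries):
    cmds = []
    for e in entries:
        user = e["sAMAccountName"]
        if not user.endswith("$") and user.lower() not in SKIP:  # skip machine/built-in accounts
            argv = ["samba-tool", "user", "create", user, "--random-password"]
            argv += [f"{opt}={e[attr]}" for attr, opt in OPTIONS if attr in e]
            cmds.append(shlex.join(argv))  # quote so attribute values cannot break the command
    return cmds
```

Review the generated commands before running them on the new DC; every recreated user needs a password reset afterwards.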

