[Samba] Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD

Marc Muehlfeld mmuehlfeld at samba.org
Wed Apr 8 12:04:02 MDT 2015

Hello Pierre,

Am 08.04.2015 um 17:25 schrieb BRIEC, Pierre:
> On Site1, the machines accounts are specifics, same for the Users and
> Groups except 1 group that is common with Site2 (The Teachers).
> Today, each site is independant,
> Now, i would like a create a new domain Samba4 AD whith all machines and
> users from site1 and site2 together.
> Then, i would make a replication between the two sites, and add one RODC
> server on each site

RODC support isn't completely working yet. You shouldn't use it atm.

> How can i proceed? The migration tool from samba3 is working fine on each
> site (tested on isolated network)
> Can someone give me some hints about this. I would be happy if the
> migration could be transparent for the machines account, as 90% of the
> Users are deleted in July (i'm IT manager in a school)

AD trust are currently not fully implemented. If they were, then you 
chould do the classicupgrade on both domains, create a trust, move 
everything into one domain and demote the other.

Because you can't do it that way, you could upgrade the domain which has 
more objects (user, machines, groups) and join the workstations from the 
other site to it and recreate the users. You can write a script to 
export the users on the second site and create them with samba-tool.

What kind of IDmapping are you using on the member servers in the 
domains? If the member servers are pulling the UIDs/GIDs from LDAP and 
the ID ranges don't overlap with the other domain, then you could really 
recreate the users with a script running over an export. This prevents 
you from loosing ownership on files.

For more details/ideas, you have to give some more information about the 
two backends.


More information about the samba mailing list