[Samba] We need to change our AD domain

mathias dufresne infractory at gmail.com
Thu Aug 25 09:22:47 UTC 2016

We did that recently by building a new empty domain. Then we exported users
data in LDIF to get everything but passwords.
We don't bother with what follows because we were still in test and had
only few users/computers to re-join and because user's passwords can be
re-injected into AD from another LDAP tree.

Andrew wrote a patch to add a command "samba-tool domain clone" but I have
no idea if it is already included in 4.4.5 nor how it really works, I
haven't tested it.

Without changing domain' SID users will be considered as identical by
Windows clients (they rely on SID) and so you would avoid the need of
profile migration.

For computer accounts re-using SID could not be sufficient. Even if
"samba-tool domain clone" extracts passwords in a form you can re-use them,
it is still possible that Windows client' system is glue to old domain
name, it is possible that you really need to extract them from old domain
to join them the new one.

For GPO they are hosted into LDAP tree and into SysVol share. For file in
the share, no issue. For LDAP data you would have to extract the DB in LDIF
to inject them. And that's a tricky point into which I didn't yet dug

2016-08-24 5:40 GMT+02:00 John Gardeniers via samba <samba at lists.samba.org>:

> Hi All,
> As a result of a company restructure and name change we need to change our
> AD domain. I know that we can't change the AD domain name in Samba 4, so
> I'm looking at the smoothest way to migrate everything from one domain to
> another.
> Is there any (properly working) way we can export users, groups and
> policies from one domain and import them into another? I've spent a few
> months getting everything just the way we want it and would greatly prefer
> not to have to start from scratch. Incidentally, I don't care about the
> computer accounts, as they will be dealt with by the normal unjoin/rejoin
> process.
> Any tips, advice or warnings anyone cares to share about this process
> would be greatly appreciated.
> Thanks,
> John
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list