[Samba] We need to change our AD domain

Andrew Bartlett abartlet at samba.org
Mon Aug 29 09:48:43 UTC 2016


On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
> Hi All,
> 
> As a result of a company restructure and name change we need to change
> our AD domain. I know that we can't change the AD domain name in Samba
> 4, so I'm looking at the smoothest way to migrate everything from one
> domain to another.
> 
> Is there any (properly working) way we can export users, groups and
> policies from one domain and import them into another? I've spent a few
> months getting everything just the way we want it and would greatly
> prefer not to have to start from scratch. Incidentally, I don't care
> about the computer accounts, as they will be dealt with by the normal
> unjoin/rejoin process.
> 
> Any tips, advice or warnings anyone cares to share about this process
> would be greatly appreciated.

This isn't something that Samba natively supports right now, and we
don't even support doing it via the Windows tool, or export to Windows,
because of various issues.

I would love to add it if I could find a funder (it is the level of
work that would need that, or the patient work of a community member
over quite some time), because it won't be trivial.

In the short term I would agree that preserving the domain GUID, SIDs
and structure is the most critical part.

The things I would most worry about are the krb5 salts for passwords,
as these won't show up in a search but might make keeping passwords
more difficult (embedded in supplementalCredentials).  

Finding out exactly what changes in a Windows AD domain when you rename
it would be a good place to start.  I honestly don't know how well it
will go, but you could dump the whole thing to ldif with ldbdump on the
backend files, and then do a pile of search and replace.  That might at
least help pinpoint what other issues to look for.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
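
Added example (not part of the original message, and not Samba code): a sketch of auditing an LDIF dump for the old domain name before any search and replace, including values that a plain text search misses because they are base64 or otherwise encoded. The realm `OLD.EXAMPLE.COM`, the sample LDIF and the set of encodings tried are assumptions; the stand-in blob is constructed and is not a real supplementalCredentials layout.

```python
import base64
import re

def patterns(name):
    """(label, lowercased byte pattern) pairs; this set of encodings is an assumption."""
    low = name.lower()
    pats = [("utf-8", low.encode()), ("utf-16-le", low.encode("utf-16-le"))]
    for variant in (name.upper(), low):
        # a blob may carry the name as ASCII hex digits of its UTF-16 form
        pats.append(("hex(utf-16-le)", variant.encode("utf-16-le").hex().encode()))
    return pats

def scan_ldif(ldif_text, old_realm):
    """Return (dn, attribute, value form, encoding) for every value naming the old domain."""
    base_dn = ",".join("DC=" + part for part in old_realm.split("."))
    pats = patterns(old_realm) + patterns(base_dn)
    hits, dn = [], None
    # LDIF folds long lines: a continuation line starts with a single space
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        if not line.strip():
            dn = None  # a blank line ends the record
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: value" marks a base64 value
            raw, form = base64.b64decode(rest[1:].strip()), "base64"
        else:
            raw, form = rest.strip().encode(), "plain"
        if attr.lower() == "dn":
            dn = raw.decode("utf-8", "replace")
        label = next((lbl for lbl, pat in pats if pat in raw.lower()), None)
        if label:
            hits.append((dn, attr, form, label))
    return hits

# Constructed sample: a stand-in blob, NOT a real supplementalCredentials layout
_blob = b"\x00\x01" + "OLD.EXAMPLE.COMalice".encode("utf-16-le").hex().encode()
_b64 = base64.b64encode(_blob).decode()
SAMPLE_LDIF = (
    "dn: CN=alice,CN=Users,DC=old,DC=example,DC=com\n"
    "sAMAccountName: alice\n"
    "userPrincipalName: alice@old.example.com\n"
    f"supplementalCredentials:: {_b64[:40]}\n {_b64[40:]}\n"
    "description: test account\n"
)

if __name__ == "__main__":
    for hit in scan_ldif(SAMPLE_LDIF, "OLD.EXAMPLE.COM"):
        print(hit)
```

Values reported with form `base64` are the ones a textual search and replace would leave untouched, so they need separate handling.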



