[Samba] We need to change our AD domain

mathias dufresne infractory at gmail.com
Mon Aug 29 12:45:15 UTC 2016

In short: I don't have any process to follow as I did it as it came without
taking too much notes. The whole process took days, it is not exactly a
trivial one.

I have extracted user information using ldbsearch (or ldapsearch, no real
matter I think). Here you get part of user objects (password, at least, is
lost) and this must again filtered (objectGUID must not be in LDIF during
injection if my memory works well today, so you would remove it)

I've extracted OUs too as they must be created before they are filled with
users, groups and computers.

Finally extracting groups was the last point. I expect you will have to
create first all groups and then you will be able to add members to these
groups. Creating all group empty first is important to avoid sorting
groups, to avoid trying to create a group with some member which is a

For GPO, as they are spread across LDAP tree (a lot spread or a few, no
idea) I decided not to extract them but to recreate them.
In fact we have two kind of GPO: some which are unique, some which are the
same on different containers. For unique GPOs the simpler was to recreate
them manually.
For duplicated GPO (ex: add gr_adm_01 to builtin\administrators on all
machines into OU=computers_01, which can be repeated a lot of times) a
script was written, mixing Linux scripting and Powershell (dirty isn't it?
Since I did play more with Powershell and I expect it comes with necessary
tools to create GPO (unique or multiple) in a nice way.

Sorry not to help more...

2016-08-29 11:48 GMT+02:00 Andrew Bartlett via samba <samba at lists.samba.org>

> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
> > Hi All,
> >
> > As a result of a company restructure and name change we need to
> > change
> > our AD domain. I know that we can't change the AD domain name in
> > Samba
> > 4, so I'm looking at the smoothest way to migrate everything from
> > one
> > domain to another.
> >
> > Is there any (properly working) way we can export users, groups and
> > policies from one domain and import them into another? I've spent a
> > few
> > months getting everything just the way we want it and would greatly
> > prefer not to have to start from scratch. Incidentally, I don't care
> > about the computer accounts, as they will be dealt with by the
> > normal
> > unjoin/rejoin process.
> >
> > Any tips, advice or warnings anyone cares to share about this
> > process
> > would be greatly appreciated.
> This isn't something that Samba natively supports right now, and we
> don't even support doing it via the Windows tool, or export to Windows,
> because of various issues.
> I would love to add it if I could find a funder (it is the level of
> work that would need that, or the patient work of a community member
> over quite some time), because it won't be trivial.
> In the short term I would agree that preserving the domain GUID, SIDs
> and structure is the most critical part.
> The things I would most worry about are the krb5 salts for passwords,
> as these won't show up in a search but might make keeping passwords
> more difficult (embedded in supplementalCredentials).
> Finding out exactly what changes in a Windows AD domain when you rename
> it would be a good place to start.  I honestly don't know how well it
> will go, but you could dump the whole thing to ldif with ldbdump on the
> backend files, and then do a pile of search and replace.  That might at
> least help pinpoint what other issues to look for.
> I hope this helps,
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list