[Samba] We need to change our AD domain

John Gardeniers jgardeniers at objectmastery.com
Mon Aug 29 21:35:32 UTC 2016

Hi Andrew,

I understand that Samba doesn't support domain renaming, which is why 
I'm looking for a way to export the data from one domain and import it 
into a new one. Passwords and machine accounts are not a problem and can 
be ignored for this exercise. The key things I need to copy across are 
user accounts and groups, as they would be an absolute pain in the rear 
end to redo from scratch.

Machine accounts will be dealt with by the required unjoin/rejoin 
process. If a forced password change is the only thing users complain 
about I'll consider the migration a great success.

Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively 
simple and painless. Surely there's a way to go from one Samba 4 AD 
domain to another. Sure it would be nice to have a domain rename 
supported natively but of all the things that still need to be done in 
Samba 4's implementation of AD I don't believe it should be a high priority.

Domain renames are a fact of life in many organisations, so I figure 
somebody on this list has probably done it already and I would be 
grateful if they could share the details of how they went about it. I'm 
not looking for a magic wand, merely some guidance.


On 29/08/16 19:48, Andrew Bartlett via samba wrote:
> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
>> Hi All,
>> As a result of a company restructure and name change we need to
>> change
>> our AD domain. I know that we can't change the AD domain name in
>> Samba
>> 4, so I'm looking at the smoothest way to migrate everything from
>> one
>> domain to another.
>> Is there any (properly working) way we can export users, groups and
>> policies from one domain and import them into another? I've spent a
>> few
>> months getting everything just the way we want it and would greatly
>> prefer not to have to start from scratch. Incidentally, I don't care
>> about the computer accounts, as they will be dealt with by the
>> normal
>> unjoin/rejoin process.
>> Any tips, advice or warnings anyone cares to share about this
>> process
>> would be greatly appreciated.
> This isn't something that Samba natively supports right now, and we
> don't even support doing it via the Windows tool, or export to Windows,
> because of various issues.
> I would love to add it if I could find a funder (it is the level of
> work that would need that, or the patient work of a community member
> over quite some time), because it won't be trivial.
> In the short term I would agree that preserving the domain GUID, SIDs
> and structure is the most critical part.
> The things I would most worry about are the krb5 salts for passwords,
> as these won't show up in a search but might make keeping passwords
> more difficult (embedded in supplementalCredentials).
> Finding out exactly what changes in a Windows AD domain when you rename
> it would be a good place to start.  I honestly don't know how well it
> will go, but you could dump the whole thing to ldif with ldbdump on the
> backend files, and then do a pile of search and replace.  That might at
> least help pinpoint what other issues to look for.
> I hope this helps,
> Andrew Bartlett
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list