[Samba] We need to change our AD domain
denis.cardon at tranquil-it-systems.fr
Tue Aug 30 08:23:21 UTC 2016
> I understand that Samba doesn't support domain renaming, which is why
> I'm looking for a way to export the data from one domain and import it
> into a new one. Passwords and machine accounts are not a problem and can
> be ignored for this exercise. The key things I need to copy across are
> user accounts and groups, as they would be an absolute pain in the rear
> end to redo from scratch.
Samba may miss a few pieces, but its FOSS nature and the Python
scripting libraries make it a wonderful tool for all AD automation. I'd
say that it is more versatile than MSAD once you accept looking into the
guts of the beast.
For our daily work, we have a bunch of in-house scripts for domain
management, among them domain rename. For rename, one way to go is
to create a new domain with the same domain SID, then recreate all the
user/group/machine entries, pipe in the old object SID (so that user
profiles are kept during the migration), then pipe in the NT hash of the
password with pdbedit --set-nt-hash.
We have done dozens of migrations/merges this year using this method among
others, going from samba3 PDC, samba4 AD, and MSAD from 2003 up to
2012R2. It even works with a 2012R2 forest level using the clone-dc-database
option to get all the data you need, then pipe all the data in the new
So yes, it can be done, you just have to roll up your sleeves, fire up
your favorite editor and get your Python straight :-)
> Machine accounts will be dealt with by the required unjoin/rejoin
> process. If a forced password change is the only thing users complain
> about I'll consider the migration a great success.
> Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively
> simple and painless. Surely there's a way to go from one Samba 4 AD
> domain to another. Sure it would be nice to have a domain rename
> supported natively but of all the things that still need to be done in
> Samba 4's implementation of AD I don't believe it should be a high
> Domain renames are a fact of life in many organisations, so I figure
> somebody on this list has probably done it already and I would be
> grateful if they could share the details of how they went about it. I'm
> not looking for a magic wand, merely some guidance.
> On 29/08/16 19:48, Andrew Bartlett via samba wrote:
>> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
>>> Hi All,
>>> As a result of a company restructure and name change we need to
>>> our AD domain. I know that we can't change the AD domain name in
>>> 4, so I'm looking at the smoothest way to migrate everything from
>>> domain to another.
>>> Is there any (properly working) way we can export users, groups and
>>> policies from one domain and import them into another? I've spent a
>>> months getting everything just the way we want it and would greatly
>>> prefer not to have to start from scratch. Incidentally, I don't care
>>> about the computer accounts, as they will be dealt with by the
>>> unjoin/rejoin process.
>>> Any tips, advice or warnings anyone cares to share about this
>>> would be greatly appreciated.
>> This isn't something that Samba natively supports right now, and we
>> don't even support doing it via the Windows tool, or export to Windows,
>> because of various issues.
>> I would love to add it if I could find a funder (it is the level of
>> work that would need that, or the patient work of a community member
>> over quite some time), because it won't be trivial.
>> In the short term I would agree that preserving the domain GUID, SIDs
>> and structure is the most critical part.
>> The things I would most worry about are the krb5 salts for passwords,
>> as these won't show up in a search but might make keeping passwords
>> more difficult (embedded in supplementalCredentials).
>> Finding out exactly what changes in a Windows AD domain when you rename
>> it would be a good place to start. I honestly don't know how well it
>> will go, but you could dump the whole thing to ldif with ldbdump on the
>> backend files, and then do a pile of search and replace. That might at
>> least help pinpoint what other issues to look for.
>> I hope this helps,
>> Andrew Bartlett
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 220.127.116.11.55
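Added example, not code from this thread or from Tranquil IT's in-house scripts: a small Python script that follows the dump-to-ldif-and-search-and-replace idea from Andrew's reply while keeping each object's objectSid byte-for-byte, as Denis's method requires, and dropping supplementalCredentials, whose Kerberos keys are salted with the old realm. The domain DNs, account names and SID values are constructed for the example, and the LDIF reader is a minimal one written here rather than Samba's own.

```python
import base64
import struct

OLD_BASE, NEW_BASE = "DC=oldcorp,DC=example", "DC=newcorp,DC=example"  # constructed
DROP_ATTRS = {"supplementalCredentials"}  # krb5 keys inside are salted with the old realm
DN_ATTRS = {"dn", "member", "memberOf"}   # DN-valued attributes that need re-suffixing

def make_sid(*subs):
    """Binary objectSid: revision 1, sub-authority count, NT authority (5), LE sub-authorities."""
    return b"\x01" + bytes([len(subs)]) + b"\0\0\0\0\0\x05" + struct.pack("<%dI" % len(subs), *subs)

def sid_to_str(raw):
    """Decode a binary objectSid into the usual S-1-5-21-... string."""
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d-" % (raw[0], int.from_bytes(raw[2:8], "big")) + "-".join(map(str, subs))

# Constructed LDIF in the shape ldbsearch/ldbdump print; not a real domain export.
SAMPLE_LDIF = "\n".join([
    "dn: CN=jdoe,CN=Users," + OLD_BASE, "objectClass: user", "sAMAccountName: jdoe",
    "objectSid:: " + base64.b64encode(make_sid(21, 1, 2, 3, 1104)).decode(),
    "supplementalCredentials:: " + base64.b64encode(b"old-realm kerberos keys").decode(),
    "memberOf: CN=staff,CN=Users," + OLD_BASE, "",
    "dn: CN=staff,CN=Users," + OLD_BASE, "objectClass: group", "sAMAccountName: staff",
    "objectSid:: " + base64.b64encode(make_sid(21, 1, 2, 3, 1105)).decode(),
    "member: CN=jdoe,CN=Users," + OLD_BASE])

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values."""
    entries, entry = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "\n " is LDIF line folding
        if not line:  # a blank line ends the current entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        key, _, val = line.partition(":")
        val = base64.b64decode(val[1:].strip()) if val.startswith(":") else val.strip().encode()
        entry.setdefault(key, []).append(val)
    return entries

def rewrite_for_new_domain(entries, old_base=OLD_BASE, new_base=NEW_BASE):
    """Re-suffix DN-valued attributes, keep objectSid byte-for-byte, drop realm-bound secrets."""
    out = []
    for entry in entries:
        new = {k: v for k, v in entry.items() if k not in DROP_ATTRS}
        for key in DN_ATTRS.intersection(new):
            new[key] = [v.decode().replace(old_base, new_base).encode() for v in new[key]]
        out.append(new)
    return out
```

Running `rewrite_for_new_domain(parse_ldif(SAMPLE_LDIF))` gives two entries under DC=newcorp,DC=example whose objectSid values still decode to S-1-5-21-1-2-3-1104 and S-1-5-21-1-2-3-1105, with the supplementalCredentials blob gone; the password material itself is then handled separately as the thread describes.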