[Samba] We need to change our AD domain

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue Aug 30 08:23:21 UTC 2016 

Hi John,

> I understand that Samba doesn't support domain renaming, which is why
> I'm looking for a way to export the data from one domain and import it
> into a new one. Passwords and machine accounts are not a problem and can
> be ignored for this exercise. The key things I need to copy across are
> user accounts and groups, as they would be an absolute pain in the rear
> end to redo from scratch.

Samba may miss a few pieces, but its FOSS nature and the python 
scripting libraries make it a wonderful tools for all AD automation. I'd 
say that it more versatil than MSAD once you accept to look into the 
guts of the beast.

For our daily work, we have a bunch of in-house scripts for domain 
management, among others domain rename. For rename, one way of going is 
to create a new domain with the same domain SID, then recreate all the 
user/group/machines entries, pipe in the old object SID (so that user 
profiles are kept during migration), then pipe in the nt hash password 
with pdbedit --set-nt-hash.

We have done dozens of migration/merge this year using this method among 
others, going from samba3 PDC, samba4 AD, and MSAD from 2003 up to 
2012R2. It even works with a 2012R2 forest level using clone-dc-database 
option to get all the data you need, then pipe all the data in the new 
s4 domain!

So yes, it can be done, you just have to roll up the sleeves, fire up 
your favorite editor and get your python straight :-)

Cheers,

Denis

> Machine accounts will be dealt with by the required unjoin/rejoin
> process. If a forced password change is the only thing users complain
> about I'll consider the migration a great success.
>
> Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively
> simple and painless. Surely there's a way to go from one Samba 4 AD
> domain to another. Sure it would be nice to have a domain rename
> supported natively but of all the things that still need to be done in
> Samba 4's implementation of AD I don't believe it should be a high
> priority.
>
> Domain renames are a fact of life in many organisations, so I figure
> somebody on this list has probably done it already and I would be
> grateful if they could share the details of how they went about it. I'm
> not looking for a magic wand, merely some guidance.
>
> regards,
> John
>
>
> On 29/08/16 19:48, Andrew Bartlett via samba wrote:
>> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
>>> Hi All,
>>>
>>> As a result of a company restructure and name change we need to
>>> change
>>> our AD domain. I know that we can't change the AD domain name in
>>> Samba
>>> 4, so I'm looking at the smoothest way to migrate everything from
>>> one
>>> domain to another.
>>>
>>> Is there any (properly working) way we can export users, groups and
>>> policies from one domain and import them into another? I've spent a
>>> few
>>> months getting everything just the way we want it and would greatly
>>> prefer not to have to start from scratch. Incidentally, I don't care
>>> about the computer accounts, as they will be dealt with by the
>>> normal
>>> unjoin/rejoin process.
>>>
>>> Any tips, advice or warnings anyone cares to share about this
>>> process
>>> would be greatly appreciated.
>> This isn't something that Samba natively supports right now, and we
>> don't even support doing it via the Windows tool, or export to Windows,
>> because of various issues.
>>
>> I would love to add it if I could find a funder (it is the level of
>> work that would need that, or the patient work of a community member
>> over quite some time), because it won't be trivial.
>>
>> In the short term I would agree that preserving the domain GUID, SIDs
>> and structure is the most critical part.
>>
>> The things I would most worry about are the krb5 salts for passwords,
>> as these won't show up in a search but might make keeping passwords
>> more difficult (embedded in supplementalCredentials).
>>
>> Finding out exactly what changes in a Windows AD domain when you rename
>> it would be a good place to start.  I honestly don't know how well it
>> will go, but you could dump the whole thing to ldif with ldbdump on the
>> backend files, and then do a pile of search and replace.  That might at
>> least help pinpoint what other issues to look for.
>>
>> I hope this helps,
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
>>
>>
>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

More information about the samba mailing list