[Samba] We need to change our AD domain
denis.cardon at tranquil-it-systems.fr
Tue Aug 30 14:00:58 UTC 2016
>> As a result of a company restructure and name change we need to
>> our AD domain. I know that we can't change the AD domain name in
>> 4, so I'm looking at the smoothest way to migrate everything from
>> domain to another.
>> Is there any (properly working) way we can export users, groups and
>> policies from one domain and import them into another? I've spent a
>> months getting everything just the way we want it and would greatly
>> prefer not to have to start from scratch. Incidentally, I don't care
>> about the computer accounts, as they will be dealt with by the
>> unjoin/rejoin process.
>> Any tips, advice or warnings anyone cares to share about this
>> would be greatly appreciated.
> This isn't something that Samba natively supports right now, and we
> don't even support doing it via the Windows tool, or export to Windows,
> because of various issues.
> I would love to add it if I could find a funder (it is the level of
> work that would need that, or the patient work of a community member
> over quite some time), because it won't be trivial.
> In the short term I would agree that preserving the domain GUID, SIDs
> and structure is the most critical part.
> The things I would most worry about are the krb5 salts for passwords,
> as these won't show up in a search but might make keeping passwords
> more difficult (embedded in supplementalCredentials).
I have never tried to directly extract krb5 hashes, but it seems to me
that "pdbedit --set-nt-hash" with the corresponding NTLM hash recreates the
krb5 hash with RC4-HMAC the same way as the classicupgrade does. It
makes it very easy to recreate the credentials (thanks to all those
legacy auth mechanisms :-)
> Finding out exactly what changes in a Windows AD domain when you rename
> it would be a good place to start. I honestly don't know how well it
> will go, but you could dump the whole thing to ldif with ldbdump on the
> backend files, and then do a pile of search and replace. That might at
> least help pinpoint what other issues to look for.
> I hope this helps,
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 188.8.131.52.55
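
An added example, not part of the original thread and not Samba code: a sketch of the "dump to LDIF, then search and replace" idea that also handles folded lines and base64 text values, which a plain text replace misses, and reports binary values that still embed the old name instead of editing them. The domain names, the function names and the sample record are assumptions constructed for illustration.

```python
import base64
import re

def _swap(text, old, new):
    """Case-insensitive replace; an all-uppercase match (Kerberos realm) stays uppercase."""
    fix = lambda m: new.upper() if m.group(0).isupper() else new
    return re.sub(re.escape(old), fix, text, flags=re.IGNORECASE)

def rewrite_ldif(ldif, old_dn, new_dn, old_dns, new_dns):
    """Return (rewritten LDIF, [(dn, attr)] binary values that still embed the old name)."""
    out, review, dn = [], [], None
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # undo line folding first
        m = re.match(r"([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:  # blank record separators and "#" comments pass through
            out.append(line)
            continue
        attr, sep, value = m.groups()
        raw = base64.b64decode(value) if sep == "::" else value.encode()
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            text = None
        if text is None or "\x00" in text:
            # Binary blob: never edit in place, only report if the old name is inside.
            needles = (old_dns.lower().encode(), old_dns.lower().encode("utf-16-le"))
            if any(n in raw.lower() for n in needles):
                review.append((dn, attr))
            out.append(line)
            continue
        text = _swap(_swap(text, old_dn, new_dn), old_dns, new_dns)
        if attr.lower() == "dn":
            dn = text
        if sep == "::":  # keep the base64 form for values that needed it
            text = base64.b64encode(text.encode()).decode()
        out.append(f"{attr}{sep} {text}")
    return "\n".join(out) + "\n", review

def b64(data):
    return base64.b64encode(data).decode()

# Constructed sample: folded DN, base64 text value, and a made-up binary blob
# (not a real supplementalCredentials layout) carrying a UTF-16 salt string.
SAMPLE = (
    "dn: CN=alice,CN=Users,DC=old,DC=exa\n mple,DC=com\n"
    "userPrincipalName: alice@old.example.com\n"
    "servicePrincipalName: HTTP/web.old.example.com@OLD.EXAMPLE.COM\n"
    "description:: " + b64("Hélène, OU=Staff,DC=old,DC=example,DC=com".encode()) + "\n"
    "supplementalCredentials:: "
    + b64(b"\xff\x00\x01" + "OLD.EXAMPLE.COMalice".encode("utf-16-le")) + "\n"
)
```

Entries in the returned review list are the ones where a text replace cannot help, which is where credentials would have to be recreated by other means.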