[Samba] We need to change our AD domain

Denis Cardon denis.cardon at tranquil-it-systems.fr
Tue Aug 30 14:00:58 UTC 2016

Hi Andrew,

>> As a result of a company restructure and name change we need to
>> change
>> our AD domain. I know that we can't change the AD domain name in
>> Samba
>> 4, so I'm looking at the smoothest way to migrate everything from
>> one
>> domain to another.
>> Is there any (properly working) way we can export users, groups and
>> policies from one domain and import them into another? I've spent a
>> few
>> months getting everything just the way we want it and would greatly
>> prefer not to have to start from scratch. Incidentally, I don't care
>> about the computer accounts, as they will be dealt with by the
>> normal
>> unjoin/rejoin process.
>> Any tips, advice or warnings anyone cares to share about this
>> process
>> would be greatly appreciated.
> This isn't something that Samba natively supports right now, and we
> don't even support doing it via the Windows tool, or export to Windows,
> because of various issues.
> I would love to add it if I could find a funder (it is the level of
> work that would need that, or the patient work of a community member
> over quite some time), because it won't be trivial.
> In the short term I would agree that preserving the domain GUID, SIDs
> and structure is the most critical part.
> The things I would most worry about are the krb5 salts for passwords,
> as these won't show up in a search but might make keeping passwords
> more difficult (embedded in supplementalCredentials).

I have never tried to directly extract krb5 hashes, but it seems to me 
that "pdbedit --set-nt-hash" with corresponding ntlm hash recreate the 
krb5 hash with RC4-HMAC the same way as the classicupgrade does. It 
makes it very easy to recreate the credentials (thanks to all those 
legacy auth mechanisms :-)



> Finding out exactly what changes in a Windows AD domain when you rename
> it would be a good place to start.  I honestly don't know how well it
> will go, but you could dump the whole thing to ldif with ldbdump on the
> backend files, and then do a pile of search and replace.  That might at
> least help pinpoint what other issues to look for.
> I hope this helps,
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0)

More information about the samba mailing list