[Samba] Upgrading Samba 3 to Samba 4 with Active Directory at many sites

mathias dufresne infractory at gmail.com
Mon May 30 16:01:59 UTC 2016

Hi Luke,

What you want to do is several AD domains, one per geographical site, with
trust relationship between them?

Two things regarding that:
1° Samba 4 as AD is not yet able to perform trust relationships except for
full, bi-directional and transitive relationship. At least it is how I
understood the changelog from 4.3.0 and the following (where I see no
updates regarding trusts since 4.3.0, I could have missed some).
2° Microsoft itself advise to not use trust relationship as they are...
what they are. And of course they advise not to use trust relationship for
purely MS AD domains, as they speak only about MS stuff, not about Samba

According to that (and admitting I was right about 1°) I would avoid trust
relationship, just not using them.

So how would I do?
This means you change domain SID, I believe you can't re-use one because
you have several domains trusting each others, so several domain SIDs.
A - create an AD domain with Samba 4
B - Import everything from old domain to the new AD domain.
C - check all went well
D - prepare AD sites (one per geographical site)
E - add computers into the new AD domain

Now all re-joined machine to the new domain should be able to use your new

But what about application which use old DNS names SITEA.your.domain.tld or

I would just recreate them into AD DNS database, to keep compatibility with
application you can't change code (in companies there are always apps with
hardcoded stuffs, for we have something to complain perhaps).

Not changing domain SID (starting from one big domain)
A - create an AD domain with Samba 4 with old SID and
B - Import everything from old domain to the new AD domain. Be careful: you
will have to re-inject all user passwords, including computers' passwords
(for clients, to not re-join them)
C - check all went well -> changing DNS on some client you have a chance it
works: computer's registry contains the right SID, right one files are good
(SID does not change), the machine can log on the domain (if you have well
imported computer's password, there's a slighty chance it works...)
D - prepare AD sites (one per geographical site)

All that on a new domain to not take risk on the working one...

Hoping this helps, cheers,


2016-05-30 16:03 GMT+02:00 Luke Barone <lukebarone at gmail.com>:

> Just wondering if anyone is able to give some advice with this?
> On May 25, 2016 1:28 PM, "Luke Barone" <lukebarone at gmail.com> wrote:
> > First, background information. We are a large (geographically local)
> > organization with 50 sites, including our HQ. Each site has a Debian
> Server
> > running Samba in NT-Domain Controller mode. Each site is independant of
> the
> > next, but are all named <SITE>.example.com. The workstations are
> > connected, and working fine in our sites with the single servers.
> >
> > We had a recent network upgrade that now has every site with a 10.X.Y.Z
> > address. X is the site code, so each site is in the same
> > subnet, and we can see the networks from each site. Now is the time to
> > setup Active Directory, right?
> >
> > My goal is to create a forest, starting at the HQ (HQ.example.com)
> level,
> > and working down to each site (SITEA.example.com, SITEB.example.com,
> > etc). Our goal is to upgrade to Active Directory at each location, so as
> to
> > not lose any of the user data (username/passwords, group memberships,
> etc),
> > and then merge the AD Domains into a hierarchial forest, with each of the
> > techs responsible for the domain at their sites. We are hoping that it
> will
> > also allow us to have a user's primary DC (I know that term isn't use,
> but
> > let's say it's the site's main one) down, but still authenticate to
> another
> > trusted domain controller.
> >
> > Will Samba 4 allow us to do this? If so, is it simply a process of 1)
> > Upgrade role to Active Directory Domain Controller, 2) Use Active
> Directory
> > Sites and Services to link each of the 50 domains together? Or is there
> > more to it that we need to work on first?
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list