[Samba] Converting classic domain to AD

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Nov 2 20:57:52 UTC 2016

I would like to convert my classic Samba (NT4 style) domain to Active 
Directory. Since this is a classic domain, I have a separate LDAP 
server as the Samba backend and a separate Kerberos KDC for Unix clients. 
I would actually then like to migrate the DC role from Samba to 
Windows 2008/2012.

Using Windows 2008/2012 as the domain controller is the eventual goal 
because of what I believe is better support for trusts, the ability to 
support child domains (or be merged into another forest), compatibility 
with the Exchange schema and full group policy support.

The current Samba domain has two-way trusts with a Windows 2008 AD domain.

The samba wiki page ( 

         The trust feature is experimental and has several limitations, such as:
         SID filtering rules are not applied
         You cannot add users and groups of a trusted domain into domain 

Older notes indicated that Samba AD trusts were only one way (I think 
Samba AD domains can trust Windows AD domains but not vice versa), but 
the current wiki page does not mention this limitation. The 
"experimental" description makes me hesitant to trust it completely.

Moving to Samba as an AD server would also mean that I would get to 
(have to) consolidate the separate LDAP and Kerberos servers into Samba.

It does appear that I can have Samba AD domain controllers and Windows 
AD domain controllers in the same domain. 
(https://wiki.samba.org/index.php/SysVol_replication_(DFS-R) ) This 
would presumably let me migrate my domain from classic to Samba AD, add 
a Win 2008/2012 domain controller, make the Win DC the FSMO master and 
demote the Samba AD server.

Actually, I will probably end up creating a new AD domain with Windows 
2008/2012 controllers, establish a trust with the classic domain, and 
migrate users and computers to the new domain.
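The classic -> Samba AD -> Windows DC path sketched in the post, as an added example runbook (not code from the post or from the Samba project). NT4_DIR, REALM, WIN_DC and the sample smb.conf are assumed/constructed; DRY_RUN=1 (the default) only prints the privileged samba-tool commands so the script can be exercised on a machine without Samba installed. The pre-flight check reads the old NT4-style smb.conf and refuses anything that is not a PDC configuration, and it flags the external ldapsam backend the poster describes, because classicupgrade needs that LDAP server reachable while it runs.

```shell
#!/bin/sh
# Added example: NT4 (classic) domain -> Samba AD DC -> Windows DC.
# Not from the post or the Samba project. Assumed names: NT4_DIR (copy of the
# old smb.conf plus the TDB files, as the Samba wiki's classicupgrade page
# describes), REALM, WIN_DC. DRY_RUN=1 only prints privileged commands.
NT4_DIR=${NT4_DIR:-/tmp/samba_nt4_dir}
REALM=${REALM:-samdom.example.com}   # assumed AD realm for the upgraded domain
WIN_DC=${WIN_DC:-WIN-DC01}           # assumed name of the Windows DC to be added
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Print the value of an smb.conf parameter (case-insensitive key, first match,
# surrounding whitespace stripped). Prints nothing if the key is absent.
smbconf_get() {
    awk -v key="$2" '
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Pre-flight: only an NT4-style PDC config is a valid classicupgrade source.
preflight() {
    conf=$1
    [ -r "$conf" ] || { echo "preflight: cannot read $conf" >&2; return 1; }
    [ -n "$(smbconf_get "$conf" workgroup)" ] ||
        { echo "preflight: workgroup not set" >&2; return 1; }
    [ "$(lower "$(smbconf_get "$conf" security)")" = user ] ||
        { echo "preflight: security must be 'user' on the PDC" >&2; return 1; }
    [ "$(lower "$(smbconf_get "$conf" 'domain logons')")" = yes ] ||
        { echo "preflight: 'domain logons = yes' missing, not a PDC config" >&2; return 1; }
    case "$(smbconf_get "$conf" 'passdb backend')" in
        ldapsam:*)
            echo "note: ldapsam backend; the LDAP server must be reachable during" \
                 "the upgrade and secrets.tdb in $NT4_DIR must hold the ldap admin password" >&2 ;;
    esac
    return 0
}

migrate() {
    conf=$1
    preflight "$conf" || return 1
    # 1. Classic domain -> Samba AD DC. Accounts and the domain SID carry over;
    #    the separate LDAP server and KDC are replaced by the AD DC itself.
    run samba-tool domain classicupgrade --dbdir="$NT4_DIR" --use-xattrs=yes \
        --realm="$REALM" --dns-backend=SAMBA_INTERNAL "$conf"
    # 2. Sanity checks before a Windows DC is joined.
    run samba-tool fsmo show
    run samba-tool domain trust list
    # 3. Join WIN_DC as an additional DC (on the Windows side), then move all
    #    five FSMO roles to it from PowerShell on WIN_DC:
    #    Move-ADDirectoryServerOperationMasterRole -Identity WIN_DC \
    #      -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster
    #    Samba does not implement DFS-R, so SysVol has to be kept in sync by
    #    hand (rsync or similar) for as long as both DCs coexist.
    # 4. Confirm no role is left on this DC, then demote it.
    run samba-tool fsmo show
    run samba-tool domain demote
}

# Constructed sample PDC config mirroring the post's setup (external LDAP).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = CLASSICDOM
   netbios name = PDC1
   security = user
   domain logons = yes
   domain master = yes
   passdb backend = ldapsam:ldap://ldap.example.com
   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
EOF
}

if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    migrate "$NT4_DIR/smb.conf"          # real run: also set DRY_RUN=0
else
    demo=$(mktemp) && write_sample_conf "$demo" && migrate "$demo"; rm -f "$demo"
fi
```

Run it as-is to see the dry-run command sequence against the constructed config; set RUN_MIGRATION=1 DRY_RUN=0 on the actual Samba host only after the copied NT4 data in NT4_DIR has been verified with testparm.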


More information about the samba mailing list