[Samba] Converting classic domain to AD
gaiseric.vandal at gmail.com
Wed Nov 2 20:57:52 UTC 2016
I would like to convert my classic Samba (NT4 style) to Active
Directory. Since this is a classic domain, I have separate LDAP
server as a samba backend and a separate kerberos KDC for unix clients.
I would actually then like to migrate the DC role from Samba to
Using Windows 2008/2012 as the domain controller is the eventual goal
because of what I believe is better support for trusts, the ability to
support child domains (or be merged to another forest) , compatibility
with Exchange schema and the full group policy support.
The current Samba domain has two-way trusts with a Windows 2008 AD domain.
The samba wiki page (
The trust feature is experimental and has several limitations,
SID filtering rules are not applied
You cannot add users and groups of a trusted domain into domain
Older notes indicated that Samba AD trusts were only one way (I think
Samba AD domains can trust Windows AD domains but not vice versa) but
the current wiki page does not mention this limitation. The
"experimental" description makes me hesitant to trust it completely.
Moving to Samba as an AD server would also mean that I would get to
(have to) consolidate the separate LDAP and Kerberos servers into Samba.
It does appear that I can have Samba AD domain controllers and Windows
AD domain controllers in the same domain.
(https://wiki.samba.org/index.php/SysVol_replication_(DFS-R) ) This
would presumably let me migrate my domain from classic to Samba AD, add
a Win 2008/2012 domain controller, make the Win DC the FSMO master and
demote the Samba AD server.
Actually, I will probably end up creating a new AD domain with windows
2008/2012 controllers, establish a trust with the classic domain, and
migrate users and computers to the new domain.
More information about the samba