[Samba] How to Migrate Samba AD from one server to another

Paul R. Ganci ganci at nurdog.com
Sun Sep 11 16:38:22 UTC 2016

On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> On Sun, 11 Sep 2016 00:48:09 -0600
> "Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
>> essentially do what I want? Basically clone the AD on another server.
>> Then is it as easy as joining the new server to the domain and then
>> demoting the old server? How do others do this task?
> If you just want to replace a DC with another DC, then you only need to
> add the new DC to the domain, let replication do its thing, transfer
> any FSMO roles from the old DC to the new DC, demote old DC and then
> turn off the old DC.
Rowland, thanks for your reply. What you describe is pretty simple in 
principle. It is the details about which I am confused. There are 3 
aspects of a Samba 4 AD that have to be properly setup for the AD to 
function correctly. Namely the Samba configuration, Kerberos and DNS. If 
any of these are incorrectly configured the AD will not function. So 
here are my questions regarding the details of what you describe.

0.) Back up the old DC.

1.) I assume two of the preparation steps would be to point the new DC 
DNS (/etc/resolv.conf) to the old DC server DNS and then take the 
smb.conf configuration from the old DC and move to the new DC. Is that 

2.) After the preparation step in 1, is it sufficient to just issue

 > samba-tool domain join mydom.example.com DC -Uadministrator --realm=MYDOM.EXAMPLE.COM --dns-backend=BIND9_DLZ

to get the AD added to the domain and replication to occur?

3.) What will actually get replicated? From what I could sketch together 
from the web the DNS will be moved. I know how to handle that but are 
there any entries that have to be manually added as indicated from some 
web sites I have found?

4.) What about the Kerberos configuration? Do I configure Kerberos on 
the new DC as it was on the old DC? Does that happen at step 1 and then 
do the samba-tool join or does replication take care of the keytab files 
and config?

5.) Do I have to manually set the sysvol ACLs via:

 > samba-tool ntacl sysvolreset

as suggested by some sites?

6.) Transfer FSMO roles

7.) Demote old DC

8.) Anything else I am missing?

Paul (ganci at nurdog.com)
Cell: (303)257-5208
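As an added example (not code from the thread or from the Samba project), a preflight check over the three configuration sources the message lists, DNS (resolv.conf), Kerberos (krb5.conf) and Samba (smb.conf), run before the samba-tool domain join command in step 2; the sample file contents, the old DC address 192.0.2.10 and the host name DC1 are constructed.

```python
# Preflight checks before 'samba-tool domain join' on a new DC (constructed example).
# Inputs are the three config sources the thread names: resolv.conf, krb5.conf, smb.conf.
import re

def resolv_nameservers(text):
    """Return the nameserver IPs from resolv.conf content, in file order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)

def ini_value(text, section, key):
    """Return 'key' from [section] of an INI-style file (smb.conf, krb5.conf), or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            in_section = header.group(1).strip().lower() == section.lower()
        elif in_section and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k.lower() == key.lower():
                return v
    return None

def preflight(resolv, krb5, smb, old_dc_ip, old_dc_name, realm):
    """Return a list of problems; an empty list means the new DC is ready to join."""
    problems, realm = [], realm.upper()
    ns = resolv_nameservers(resolv)
    # The join looks up the domain's SRV records, so DNS must point at the old DC.
    if not ns or ns[0] != old_dc_ip:
        problems.append(f"first nameserver is {ns[0] if ns else 'missing'}, expected {old_dc_ip}")
    # Kerberos must default to the AD realm or the administrator ticket for the join fails.
    krb_realm = ini_value(krb5, "libdefaults", "default_realm")
    if (krb_realm or "").upper() != realm:
        problems.append(f"krb5.conf default_realm is {krb_realm!r}, expected {realm!r}")
    # smb.conf must name the same realm but must not reuse the old DC's host name:
    # an smb.conf copied verbatim from the old DC would collide with it.
    smb_realm = ini_value(smb, "global", "realm")
    if (smb_realm or "").upper() != realm:
        problems.append(f"smb.conf realm is {smb_realm!r}, expected {realm!r}")
    nb = ini_value(smb, "global", "netbios name")
    if nb and nb.upper() == old_dc_name.upper():
        problems.append(f"smb.conf netbios name {nb!r} is the old DC's name")
    return problems

# Constructed sample inputs: a copied smb.conf still carrying the old DC's name.
SAMPLE_RESOLV = "search mydom.example.com\nnameserver 192.0.2.10\n"
SAMPLE_KRB5 = "[libdefaults]\n    default_realm = MYDOM.EXAMPLE.COM\n"
SAMPLE_SMB = "[global]\n    netbios name = DC1\n    realm = MYDOM.EXAMPLE.COM\n"

if __name__ == "__main__":
    print(preflight(SAMPLE_RESOLV, SAMPLE_KRB5, SAMPLE_SMB, "192.0.2.10", "DC1", "mydom.example.com"))
```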
