[Samba] How to Migrate Samba AD from one server to another

Rowland Penny rpenny at samba.org
Sun Sep 11 17:20:00 UTC 2016

See inline comments:

On Sun, 11 Sep 2016 10:38:22 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> On 09/11/2016 01:23 AM, Rowland Penny via samba wrote:
> > On Sun, 11 Sep 2016 00:48:09 -0600
> > "Paul R. Ganci via samba" <samba at lists.samba.org> wrote:
> >> essentially do what I want? Basically clone the AD on another
> >> server. Then is it as easy as joining the new server to the domain
> >> and then demoting the old server? How do others do this task?
> > If you just want to replace a DC with another DC, then you only
> > need to add the new DC to the domain, let replication do its thing,
> > transfer any FSMO roles from the old DC to the new DC, demote old
> > DC and then turn off the old DC.
> Rowland, thanks for your reply. What you describe is pretty simple in 
> principle. It is the details about which I am confused. There are 3 
> aspects of a Samba 4 AD that have to be properly setup for the AD to 
> function correctly. Namely the Samba configuration, Kerberos and DNS.
> If any of these are incorrectly configured the AD will not function.
> So here are my questions regarding the details of what you describe.
> 0.) Back up the old DC.

Well, yes, just in case.

> 1.) I assume two of the preparation steps would be to point the new
> DC DNS (/etc/resolv.conf) to the old DC server DNS

Possibly, it just needs to point to a DC in the domain, and if you only
have one.....

> and then take the 
> smb.conf configuration from the old DC and move to the new DC. 

No, definitely NO. The join will create a new one.

> 2.) After the preparation step in 1, is it sufficient to just issue
>  > samba-tool domain join mydom.example.com DC -Uadministrator 
> --realm=MYDOM.EXAMPLE.COM --dns-backend=BIND9_DLZ
> to get the AD added to the domain and replication to occur?

Yes, it will become just another DC.

> 3.) What will actually get replicated? From what I could sketch
> together from the web the DNS will be moved. I know how to handle
> that but are there any entries that have to be manually added as
> indicated from some web sites I have found?

Everything should get created except for a few dns objects, and these
will get created the first time samba is started, but there is a gotcha:
it needs to use the computer's kerberos ticket to do this, so you need
to change /etc/resolv.conf to point to itself before you start samba.
Once everything is correct and all dns objects exist, you can
reset /etc/resolv.conf.

> 4.) What about the kerberos configuration? Do I configure kerberos on 
> the new DC as it was on the old DC? Does that happen at step 1 and
> then do the samba-tool join or does replication take care of the
> keytab files and config?

You will need to create /etc/krb5.conf before running the join command;
it needs to look just like this:

	[libdefaults]
	default_realm = <PUT YOUR REALM HERE>
	dns_lookup_realm = false
	dns_lookup_kdc = true

> 5.) Do I have to manually set the sysvol ACLs via:
>  > samba-tool ntacl sysvolreset
> as suggested by some sites?

Good point and something I missed, you will need to sync sysvol from
the old DC to the new one and then run 'samba-tool ntacl sysvolreset'
or you could use 'osync', see here for info:


> 6.) Transfer FSMO roles
> 7.) Demote old DC
> 8.) Anything else I am missing?

Not that I can think of, but if I have missed anything, somebody is bound
to point it out ;-)
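Added example, not from the thread or from the Samba project: the sequence Rowland lays out above (steps 1 to 7, including the resolv.conf gotcha from step 3) as a guarded POSIX shell script that only acts when invoked with the argument `run`. The realm, domain, addresses, sysvol path, the systemd unit name and the use of rsync in place of osync are assumptions.

```shell
#!/bin/sh
# Replace an old Samba AD DC with a new one, following the order from the thread.
# Without the "run" argument it only defines the helper functions (safe to source).
set -eu

REALM="${REALM:-MYDOM.EXAMPLE.COM}"        # assumed; Kerberos realms are upper case
DOMAIN="${DOMAIN:-mydom.example.com}"       # assumed DNS domain
OLD_DC="${OLD_DC:-olddc.mydom.example.com}" # assumed name of the DC being replaced
OLD_DC_IP="${OLD_DC_IP:-192.0.2.10}"        # assumed address of the old DC
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"   # assumed sysvol path (distro dependent)

# Step 4: the krb5.conf the join expects; the three settings live in [libdefaults].
krb5_conf() {
    printf '[libdefaults]\n\tdefault_realm = %s\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' "$1"
}

# A lower-case realm is a common reason the join cannot find a KDC, so refuse it early.
realm_ok() {
    case "$1" in
        ""|*[!A-Z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# resolv.conf body pointing at one DC: the old DC for the join (step 1),
# the new DC itself for the first start (step 3 gotcha).
resolv_conf() {
    printf 'search %s\nnameserver %s\n' "$DOMAIN" "$1"
}

if [ "${1:-}" = "run" ]; then
    realm_ok "$REALM" || { echo "realm must be upper case: $REALM" >&2; exit 1; }
    resolv_conf "$OLD_DC_IP" > /etc/resolv.conf    # 1. resolve via an existing DC
    krb5_conf "$REALM" > /etc/krb5.conf            # 4. Kerberos config before the join
    samba-tool domain join "$DOMAIN" DC -Uadministrator \
        --realm="$REALM" --dns-backend=BIND9_DLZ     # 2. become just another DC
    resolv_conf 127.0.0.1 > /etc/resolv.conf       # 3. point at itself before first start
    systemctl start samba-ad-dc                    # assumed unit name
    samba_dnsupdate --verbose                      # creates this DC's own DNS objects
    samba-tool drs showrepl                        # check replication before going on
    rsync -aAX --delete "root@$OLD_DC:$SYSVOL/" "$SYSVOL/"   # 5. assumed: rsync, not osync
    samba-tool ntacl sysvolreset
    samba-tool fsmo transfer --role=all            # 6. take every FSMO role
    samba-tool fsmo show
    echo "7. now run 'samba-tool domain demote -Uadministrator' on $OLD_DC, then reset /etc/resolv.conf here"
fi
```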
