[Samba] Some hint on migration from a set of NT4 domains to an AD domain...

Denis Cardon dcardon at tranquil.it
Thu Aug 31 19:26:31 UTC 2017

Hi Marco,

> I've lurked (and posted) on this list for some months, getting much
> valuable information, but I still have many doubts.
> Most of my doubts, I think, come from the fact that 'AD' (generally) is
> a very complex beast, and if Samba in NT4 mode fits very well in a UNIX
> environment (and mind ;), Samba in AD mode forced me to think in some
> 'Microsoft way'. And I'm not used to it.

Active Directory is not a simple beast, but the underlying tech and what 
it provides is not simple either. If you want to properly set up LDAP, 
Kerberos and DNS in a multi-master replication scenario, it is not easy at 
all, and Samba AD makes it really simple IMHO...

Nowadays, even for a full Linux client setup I prefer to have Samba AD and 
SMB connectivity.

> I'm an old (my daughters say that! ;) UNIX sysadmin who manages a
> set of NT4 domains, built in branch offices when, here in Italy,
> connectivity was a chime, and so we never minded about ''account
> management''.
> Many users now have accounts on every domain, and passwords to manage.
> Every domain is LDAP-backed, and LDAP provides account and password info
> for other services, most notably email (every Samba domain has a
> compelling email domain). I'm not using winbind (apart from native NTLM
> auth, freeradius and squid).
> Initially my plan was to move every domain into its own AD domain, doing
> after that some sort of ''foresting''.

Domain trust relationships are not yet fully supported, so AD forests are 
not for tomorrow yet.

> This month I've test-classicupgraded a domain (in a virtual
> environment) and started to play, most notably with schema extensions to
> keep all the email routing stuff.
> But after reading here for some months, and most notably after
> understanding that:
>  a) it is better to have the AD DC role on a machine of its own,

Yes, definitely.

>  b) all my UIDs/GIDs are ''wrong'' (low) and had better be remapped,

Yes, get rid of everything below 1000.

>  c) I can still use domains in an AD forest, but the simplest thing
>     is to manage different OUs in a single domain,

Yes, even in the MS AD scenario where forests are supported, it is 
recommended to consolidate your domains.

> I'm really thinking of throwing away all my 4 domains, simply
> moving/importing users using sets of non-overlapping UIDs/GIDs, and
> moving users from the old domains to OUs.

If you have Windows workstations, the main PITA during migration is the 
user profile migration. If you change the user's SID, then the user will 
get a shiny new clean profile after migration.

So you can choose the domain with the largest number of users and keep 
that domain's SID and the users' SIDs in the new domain. You should 
re-inject the password hashes to avoid re-issuing credentials.

All the other users will have new SIDs, so you'll also have to 
migrate their profiles. Actually the server-side migration part is 
the fastest and easiest (the Samba team is really doing a great job!). If 
you have a large number of users, your real pain will be on desktops and 
with business apps.



> Clearly, I have to do some more work (e.g., prepare a set of scripts to move
> file permissions/ACLs from the old to the new ACLs; rejoin all workstations; ...),
> but I hope the result can be better.
> Has someone already done such a migration, or something like this?
> Thanks.

Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0)
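
As an added illustration (not code from this thread, nor from the Samba project), the Python script below shows one way to do the two bookkeeping steps the exchange above turns on: give each old NT4 domain a non-overlapping UID/GID range with nothing below 1000, and rewrite a numeric `getfacl` dump taken on an old file server so that it can be applied to the copied data with `setfacl --restore` under the new ids. The domain names, account list, the range base of 100000 and the range size of 10000 are constructed assumptions. The SID-preserving part of the migration (keeping the largest domain's SIDs and re-injecting password hashes) is samba-tool work and is not modelled here.

```python
import re

ID_FLOOR = 1000        # ids below this stay local/system accounts and are never migrated
RANGE_BASE = 100000    # constructed assumption: first per-domain id range starts here
RANGE_SIZE = 10000     # constructed assumption: ids reserved per old domain

# Constructed sample accounts: (old domain, username, old uid, old gid).
# "marco" exists in two domains with the same low uid, the kind of overlap
# that a single AD domain cannot keep.
OLD_ACCOUNTS = [
    ("BRANCH1", "marco", 500, 500),
    ("BRANCH1", "anna", 501, 500),
    ("BRANCH2", "marco", 500, 500),
    ("BRANCH2", "luca", 1002, 1000),
    ("BRANCH3", "giulia", 1500, 1500),
]

# Constructed sample `getfacl --numeric` dump from a BRANCH1 file server.
SAMPLE_GETFACL = """# file: shared/report.txt
# owner: 500
# group: 500
user::rw-
user:501:r--
group::r--
group:1000:r-x
default:user:501:r--
mask::r-x
other::---
"""


def domain_ranges(domains, base=RANGE_BASE, size=RANGE_SIZE):
    """Give each old domain its own disjoint id range, assigned in sorted name order."""
    if base < ID_FLOOR:
        raise ValueError(f"range base {base} would put migrated ids below {ID_FLOOR}")
    return {d: base + i * size for i, d in enumerate(sorted(domains))}


def translate_id(domain, old_id, ranges, size=RANGE_SIZE):
    """Map an old per-domain uid/gid into that domain's new range.

    The offset inside the range is the old id itself, so the mapping is
    injective within a domain and can be reversed when debugging ACLs.
    """
    if not 0 <= old_id < size:
        raise ValueError(f"{domain}: id {old_id} does not fit in a range of {size}")
    return ranges[domain] + old_id


def build_id_map(accounts, base=RANGE_BASE, size=RANGE_SIZE):
    """Return {(domain, user): (new_uid, new_gid)}, refusing inconsistent input."""
    ranges = domain_ranges({a[0] for a in accounts}, base, size)
    mapping, used_uids = {}, {}
    for domain, user, old_uid, old_gid in accounts:
        new_uid = translate_id(domain, old_uid, ranges, size)
        new_gid = translate_id(domain, old_gid, ranges, size)
        if new_uid in used_uids:  # two accounts of one domain sharing a uid is a data error
            raise ValueError(f"uid {old_uid} shared by {used_uids[new_uid]} and {user} in {domain}")
        used_uids[new_uid] = user
        mapping[(domain, user)] = (new_uid, new_gid)
    return mapping


ACL_ENTRY = re.compile(r"^(default:)?(user|group):(\d+):(.*)$")
ACL_HEADER = re.compile(r"^# (owner|group): (\d+)$")


def rewrite_getfacl(dump, domain, ranges):
    """Rewrite the numeric uids/gids of a `getfacl --numeric` dump taken on a
    server of `domain` into the new ranges.

    Entries without a numeric id (user::, group::, mask::, other::) and the
    `# file:` lines pass through, so the output is still in the format that
    `setfacl --restore` reads once the files have been copied over.
    """
    out = []
    for line in dump.splitlines():
        m = ACL_ENTRY.match(line)
        if m:
            default, kind, old, perms = m.groups()
            out.append(f"{default or ''}{kind}:{translate_id(domain, int(old), ranges)}:{perms}")
            continue
        m = ACL_HEADER.match(line)
        if m:
            kind, old = m.groups()
            out.append(f"# {kind}: {translate_id(domain, int(old), ranges)}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    id_map = build_id_map(OLD_ACCOUNTS)
    for key, ids in sorted(id_map.items()):
        print(key, "->", ids)
    print(rewrite_getfacl(SAMPLE_GETFACL, "BRANCH1", domain_ranges({a[0] for a in OLD_ACCOUNTS})))
```

Because the offset inside each range is the old id, an ACL entry can be traced back to the original account just by subtracting the domain's base, which is handy while comparing old and new shares; the price is that one range must be at least as large as the highest old uid in that domain, which `translate_id` enforces rather than silently wrapping.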
