[Samba] How to backup data from an installation in order to restore them in a new one?

Rowland Penny rpenny at samba.org
Tue Feb 14 15:54:18 UTC 2023

On 14/02/2023 15:26, Lm Loge via samba wrote:
> Hello.
> --- Situation ---
> I am about to install a new Samba suite (version 4.17.5) on a new Debian 
> Bullseye machine (B).
> I currently have a Samba suite (version is 4.13.2-Debian), with 
> BIND9_DLZ DNS back end, running on another machine (A).
> On machine (A):
> - I created users using the "samba-tool user create" command,
> - I added computers using the "samba-tool dns add" command,
> - I added DNS zones using the "samba-tool dns zonecreate" command.
> I have neither a lot of users nor a lot of machines nor a lot of 
> DNS zones.
> That's pretty much all the specific data I "populated" the Samba suite 
> with.
> On the new machine (B), contrary to machine (A), I would like to use the 
> Samba internal DNS back end.
> Machine (A) is destined to be "revoked": there will be no Samba suite 
> running on it in the end.

The word is 'demoted', not 'revoked'.

> --- Problem ---
> These users and computers, created on machine (A), have SIDs (objectSid) 
> attached that I would like to keep in the new installation on machine (B).
> --- Questions ---
> I think that these data are stored in "sam.ldb" and maybe "idmap.ldb".
> What files can I back up from the current installation (A) to be able to 
> restore them in the new one (B)?
> Are there also ".tdb" files to back up?
> Is there documentation that explains how data are stored?
> Is the fact that I am going to use the Samba internal DNS back end (by 
> running the "samba-tool domain provision --dns-backend=SAMBA_INTERNAL 
> [...]" command)

That is the default, so you do not need the '--dns-backend=SAMBA_INTERNAL'.

> instead of the BIND9_DLZ DNS back end, problematic in this case where I 
> would like to restore the data in the new installation?
> Will I have to first migrate the DNS back end from BIND9_DLZ to internal 
> on machine (A)
> (like what is explained here: 
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC#Changing_From_the_BIND9_DLZ_Back_End_to_the_Samba_Internal_DNS_Server)?
> Please tell me all the files I should back up from the current 
> installation 

Absolutely none, well not for your problem, but backing up the domain in 
case of a catastrophic failure is always a good idea.

> or how I should proceed.

You do not want to provision a new domain, you want to join a second DC 
to your domain, transfer all the FSMO roles to the new DC and then 
demote the old one; that will get you to where you think you want to be. 
However, I would do it a bit differently. I would try and fix whatever 
is wrong with your Bind9 setup and then add a second DC, or I would 
change to the internal DNS server on the old DC and then add a second 
DC. You really should run more than one DC.

> Also, maybe the files from machine (A) have to be "upgraded" for machine 
> (B) since Samba version is going to change from 4.13.2 to 4.17.5?


