[K12OSN] migrating machine accounts to new server

Brian Chivers brian at portsmouth-college.ac.uk
Thu Aug 4 09:56:11 UTC 2005


rmcdaniel at indata.us wrote:
> Has anyone tried to migrate machine (computer) accounts from an old 
> server to a new one?  Is this possible?  I hate to have to go around and 
> have 500 xp boxes rejoin the new domain controller.  I am replacing an 
> older redhat server with a new one.
>  
>  
> Thanks,
> 
> Ronald R. McDaniel
> Conecuh County Schools
> (251) 578-7073 x26
> (251) 230-0658 cell
> rmcdaniel at indata.us

I tried (you might guess what's coming next) to migrate all my machine accounts from a Samba 2.2.x 
system using smbpasswd backend to our new system.

I used the pdbedit command to transfer everything from the smbpasswd backend into the LDAP and it 
looked OK but a test machine couldn't log in, so I looked and it appeared that even though I'd 
set the SID the same on both servers the last 5 digits, which I presume are the unique identifier for 
the machine, were different. After looking at the old system I thought I'd worked out that the last 5 
digits were actually based on the machine's account UID, so I altered all the SIDs stored in the LDAP 
computers group to reflect this using a bit of scripting, and on the test machine it seemed OK. I 
tried another machine and it seemed OK, BUT when I rolled it out across college (500+ Win2K boxes) 
it all went badly wrong.

The long and the short of it is that we're now visiting all the machines and rejoining them to the 
domain !!!!

I think if you're using the same backend, e.g. old server = LDAP and new server = LDAP, you'd be OK if you 
did a dump of the LDAP and then imported it to the new server. You'd also have to set the SIDs to 
the same value on both servers. I'd be tempted to set this BEFORE I ran the installer script, that 
way you don't have to alter anything in all the scripts such as smbldap-useradd etc. If you want to 
know how to set the SID let me know, it's really really easy.

My advice if you can do this is to build the server, set up an isolated test network and TEST TEST 
TEST with quite a few machines off your existing network. You can't have two servers on the same 
network with identical SIDs, not sure what would happen but I think it would be bad *grin*

Brian Chivers
Portsmouth College

---------------------------------------------------------------
    The views expressed here are my own and not necessarily 
                the views of Portsmouth College             
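
Added example (not part of the original post or of Samba): a pre-rollout check in the spirit of the "TEST TEST TEST" advice above, comparing machine accounts in an old smbpasswd file with an LDIF export from the new LDAP server. It assumes the old server assigned RIDs with Samba's algorithmic mapping (RID = 2*uid + 1000) and that the export carries the Samba 3 attributes sambaSID and sambaNTPassword; the function names, domain SID, DNs and hashes are constructed.

```python
import re
RID_BASE = 1000  # assumption: Samba's default algorithmic RID base (RID = 2*uid + base)
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
# Constructed samples: old smbpasswd lines (name:uid:LM:NT:flags:LCT) and new-server LDIF.
SAMPLE_SMBPASSWD = """\
lab1$:2001:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:11111111111111111111111111111111:[W          ]:LCT-42F1D000:
lab2$:2002:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:22222222222222222222222222222222:[W          ]:LCT-42F1D001:
lab3$:2003:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:33333333333333333333333333333333:[W          ]:LCT-42F1D002:
"""
SAMPLE_LDIF = """\
dn: uid=lab1$,ou=Computers,dc=example,dc=org
uid: lab1$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5002
sambaNTPassword: 11111111111111111111111111111111

dn: uid=lab2$,ou=Computers,dc=example,dc=org
uid: lab2$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3005
sambaNTPassword: 22222222222222222222222222222222
"""

def parse_smbpasswd(text):
    """{name: (uid, nt_hash)} for machine accounts (names ending in '$')."""
    rows = (l.split(":") for l in text.splitlines() if not l.startswith("#"))
    return {f[0].lower(): (int(f[1]), f[3].upper())
            for f in rows if len(f) >= 5 and f[0].endswith("$")}

def parse_ldif(text):
    """{uid: {attr: value}} from a simple LDIF export (no wrapped or base64 lines)."""
    blocks = re.split(r"\n\s*\n", text.strip())
    parsed = (dict(l.split(": ", 1) for l in b.splitlines() if ": " in l) for b in blocks)
    return {e["uid"].lower(): e for e in parsed if "uid" in e}

def check_migration(smbpasswd_text, ldif_text, domain_sid):
    """Sorted (machine, problem) pairs; an empty list means every check passed."""
    new, problems = parse_ldif(ldif_text), []
    for name, (uid, nt_hash) in parse_smbpasswd(smbpasswd_text).items():
        entry = new.get(name)
        if entry is None:
            problems.append((name, "missing from LDAP"))
            continue
        prefix, _, rid = entry.get("sambaSID", "").rpartition("-")
        if prefix != domain_sid:
            problems.append((name, "domain SID differs"))
        elif rid != str(2 * uid + RID_BASE):
            problems.append((name, "RID differs"))
        if entry.get("sambaNTPassword", "").upper() != nt_hash:
            problems.append((name, "NT hash differs"))
    return sorted(problems)
```

On the constructed samples, `check_migration(SAMPLE_SMBPASSWD, SAMPLE_LDIF, DOMAIN_SID)` reports lab2$ with a differing RID and lab3$ as missing from LDAP. A clean report covers only these three fields and does not replace joining real test clients on an isolated network.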



