[K12OSN] migrating machine accounts to new server
Brian Chivers
brian at portsmouth-college.ac.uk
Thu Aug 4 09:56:11 UTC 2005
rmcdaniel at indata.us wrote:
> Has anyone tried to migrate machine (computer) accounts from an old
> server to a new one? Is this possible? I hate to have to go around and
> have 500 xp boxes rejoin the new domain controller. I am replacing an
> older redhat server with a new one.
>
>
> Thanks,
>
> Ronald R. McDaniel
> Conecuh County Schools
> (251) 578-7073 x26
> (251) 230-0658 cell
> rmcdaniel at indata.us
I tried (you might guess what's coming next) to migrate all my machine accounts from a Samba 2.2.x
system using smbpasswd backend to our new system.
I used the pdbedit command to transfer everything from the smbpasswd backend into the LDAP and it
looked OK but a test machine couldn't log in, so I looked and it appeared that even though I'd
set the SID the same on both servers, the last 5 digits, which I presume are the unique identifier for
the machine, were different. After looking at the old system I thought I'd worked out that the last 5
digits were actually based on the machine's account UID, so I altered all the SIDs stored in the LDAP
computers group to reflect this using a bit of scripting, and on the test machine it seemed OK,
tried another machine and it seemed OK, BUT when I rolled it out across college (500+ Win2K boxes)
it all went badly wrong.
The long and the short of it is that we're now visiting all the machines and rejoining them to the
domain !!!!
I think if you're using the same backend, e.g. old server = LDAP and new server = LDAP, you'd be OK if you
did a dump of the LDAP and then imported it to the new server. You'd also have to set the SIDs to
the same value on both servers. I'd be tempted to set this BEFORE I ran the installer script, that
way you don't have to alter anything in all the scripts such as smbldap-useradd etc. If you want to
know how to set the SID let me know, it's really really easy.
My advice if you can do this is to build the server, set up an isolated test network and TEST TEST
TEST with quite a few machines off your existing network. You can't have two servers on the same
network with identical SIDs, not sure what would happen but I think it would be bad *grin*
Brian Chivers
Portsmouth College
---------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
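
A pre-cutover check for the SID mismatch described in the post, as an added example that is not part of the original message: it reads an LDIF export of the Samba account entries and flags machine accounts whose sambaSID lacks the expected domain SID or whose RID does not follow from uidNumber. It assumes Samba's algorithmic mapping (RID = 2 * uidNumber + 1000, the default "algorithmic rid base"); the function names, the sample LDIF and the domain SID are constructed for illustration.

```python
import re

# Added example. Assumption: Samba's algorithmic mapping, RID = 2 * uidNumber + 1000.
def parse_ldif(text):
    """Split a plain LDIF dump into dicts (no base64 values, no folded lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(key.strip().lower(), value.strip())
        entries.append(entry)
    return entries

def check_machine_sids(ldif_text, domain_sid, rid_base=1000):
    """Return (uid, problem) for every machine account whose SID looks wrong."""
    problems = []
    for e in parse_ldif(ldif_text):
        uid = e.get("uid", "")
        if not uid.endswith("$"):  # machine accounts end in '$'
            continue
        if "sambasid" not in e or "uidnumber" not in e:
            problems.append((uid, "missing sambaSID or uidNumber"))
            continue
        prefix, _, rid = e["sambasid"].rpartition("-")
        expected = 2 * int(e["uidnumber"]) + rid_base
        if prefix != domain_sid:
            problems.append((uid, "domain SID is " + prefix))
        elif rid != str(expected):
            problems.append((uid, "RID %s, expected %d" % (rid, expected)))
    return problems

# Constructed sample data: not real accounts, not a real domain SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = """
dn: uid=lab01$,ou=Computers,dc=example,dc=org
uid: lab01$
uidNumber: 2001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5002

dn: uid=lab02$,ou=Computers,dc=example,dc=org
uid: lab02$
uidNumber: 2002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
"""

if __name__ == "__main__":
    print(check_machine_sids(SAMPLE_LDIF, DOMAIN_SID))
```

Run against an export taken on the isolated test network, an empty result means every machine account carries the domain SID and a RID consistent with its uidNumber under that assumed mapping; it says nothing about whether the machine trust passwords survived the move.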