9.2. Dissection and Discussion
The migration process takes a snapshot of information that is stored in the Windows NT4 registry-based accounts database. That information resides in the Security Account Manager (SAM) portion of the NT4 registry under keys called SAM and SECURITY.
Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are. While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server, that may not be a good idea from an administration perspective. Since the process involves going through a certain amount of disruptive activity anyhow, why not take this opportunity to review the structure of the network, how Windows clients are controlled and how they interact with the network environment.
MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed have done little to keep the NT4 server environment up to date with more recent Windows releases, particularly Windows XP Professional. The migration provides opportunity to revise and update roaming profile deployment as well as folder redirection. Given that you must port the greater network configuration of this from the old NT4 server to the new Samba-3 server. Do not forget to validate the security descriptors in the profiles share as well as network logon scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this as a good time to update desktop systems also. In all, the extra effort should constitute no real disruption to users, but rather, with due diligence and care, should make their network experience a much happier one.
9.2.1. Technical Issues
Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic element. Many sites have asked for instructions regarding merging of multiple NT4 domains into one Samba-3 LDAP database. It seems that this is viewed as a significant added value compared with the alternative of migration to Windows Server 200x and Active Directory. The diagram in Figure 9.1 illustrates the effect of migration from a Windows NT4 domain to a Samba domain.
Figure 9.1. Schematic Explaining the net rpc vampire Process
If you want to merge multiple NT4 domain account databases into one Samba domain, you must now dump the contents of the first migration and edit it as appropriate. Now clean out (remove) the tdbsam backend file (passdb.tdb) or the LDAP database files. You must start each migration with a new database into which you merge your NT4 domains.
At this point, you are ready to perform the second migration, following the same steps as for the first. In other words, dump the database, edit it, and then you may merge the dump for the first and second migrations.
You must be careful. If you choose to migrate to an LDAP backend, your dump file now contains the full account information, including the domain SID. The domain SID for each of the two NT4 domains will be different. You must choose one and change the domain portion of the account SIDs so that all are the same.
If you choose to use a tdbsam (passdb.tdb) backend file, your best choice is to use pdbedit to export the contents of the tdbsam file into an smbpasswd data file. This automatically strips out all domain-specific information, such as logon hours, logon machines, logon script, profile path, as well as the domain SID. The resulting file can be easily merged with other migration attempts (each of which must start with a clean file). It should also be noted that all users who end up in the merged smbpasswd file must have an account in /etc/passwd. The resulting smbpasswd file may be exported or imported into either a tdbsam (passdb.tdb) or an LDAP backend.
9.2.2. Political Issues
The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3 domain may be seen by those who had power over them as a loss of prestige or a loss of power. The imposition of a single domain may even be seen as a threat. So in migrating and merging account databases, be consciously aware of the political fall-out in which you may find yourself entangled when key staff feel a loss of prestige.
The best advice that can be given to those who set out to merge NT4 domains into a single Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers greater network interoperability and manageability.