Backing up and restoring a Samba domain
Renaming a Samba domain
Renaming a domain allows you to keep all the objects of a domain, as well as the SIDs and password hashes. In its current state, the domain renaming tool should only be used to reproduce a domain in a test environment. As of 2024-12-18, this feature has not yet been sufficiently tested for use in production.
Microsoft also provides a domain renaming tool, but it is not always very effective.
Since the goal here is to make a clone of the production domain for use in a test environment, we will not recover the password hashes (parameter --no-secrets).
It will be necessary to provide both the new NetBIOS name and the new Kerberos name (DNS suffix).
It is important that the domain is clean in order to produce a good backup and ensure a good recovery. Therefore, a dbcheck should be run before the backup to make sure that the database does not contain any problematic objects.
We will also run a sysvolcheck to check that there are no ACL or GPO issues on the SYSVOL (otherwise the backup may fail).
Renaming is done in two phases:
First we launch a samba-tool domain backup rename which will perform an online backup while modifying the domain name on each of the objects:
samba-tool ntacl sysvolcheck
samba-tool dbcheck --cross-ncs
samba-tool domain backup rename testdomain testdomain.lan --server=srvads --targetdir=/root/backup_rename_20191107/ --no-secrets
Then the domain is restored with a samba-tool domain backup restore on a machine that has been configured with the new DNS suffix:
samba-tool domain backup restore --backup-file=/root/backup_rename/samba-backup-testdom.lan-2019-11-08T23-46-56.317881.tar.bz2 --targetdir=/var/lib/samba --newservername=srvads.testdom.lan --site="Default-First-Site-Name" --host-ip=192.168.10.10
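The first phase (pre-checks, then backup rename) written as a gated shell function. This is an example added here, not part of the original documentation. The function name rename_backup, the SAMBA_TOOL override variable and the return codes are hypothetical, and it assumes samba-tool exits non-zero when a check reports problems.

```shell
#!/bin/sh
# Added example: run the backup phase only if both pre-checks pass.
# SAMBA_TOOL is a hypothetical override hook (dry runs, testing).
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# rename_backup NETBIOS REALM SERVER TARGETDIR
# Prints the archive path. Return codes (chosen for this example):
#   1 usage, 2 sysvolcheck failed, 3 dbcheck failed,
#   4 backup failed, 5 no archive found afterwards.
rename_backup() {
    [ "$#" -eq 4 ] || { echo "usage: rename_backup NETBIOS REALM SERVER TARGETDIR" >&2; return 1; }
    nb=$1; realm=$2; server=$3; target=$4

    # Assumption: samba-tool exits non-zero when a check reports problems.
    "$SAMBA_TOOL" ntacl sysvolcheck ||
        { echo "sysvolcheck failed: fix SYSVOL ACL/GPO issues first" >&2; return 2; }
    "$SAMBA_TOOL" dbcheck --cross-ncs ||
        { echo "dbcheck failed: clean the database first" >&2; return 3; }

    # The archive is a copy of the directory: keep the target root-only.
    ( umask 077 && mkdir -p "$target" ) && chmod 700 "$target" || return 4

    # --no-secrets: the test clone does not need the password hashes.
    "$SAMBA_TOOL" domain backup rename "$nb" "$realm" \
        --server="$server" --targetdir="$target" --no-secrets || return 4

    # Confirm an archive exists before the restore phase (newest by name).
    archive=
    for f in "$target"/samba-backup-*.tar.bz2; do
        [ -f "$f" ] && archive=$f
    done
    [ -n "$archive" ] || { echo "no backup archive in $target" >&2; return 5; }
    printf '%s\n' "$archive"
}

# Usage, with the values from the backup command above:
#   rename_backup testdomain testdomain.lan srvads /root/backup_rename_20191107/
```

The printed path is the value to pass to --backup-file in the restore phase.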