Backing up and restoring a Samba domain

Renaming a Samba domain

Renaming a domain allows you to keep all the objects of a domain, as well as the SIDs and password hashes. In its current state, the domain renaming tool should only be used to reproduce a domain in a test environment. As of 2024-09-18, this feature has not yet been sufficiently tested for use in production.

Microsoft also provides a domain renaming tool, but it is not always very effective.

Since the goal here is to make a clone of the production domain for use in a test environment, we will not recover the password hashes (parameter --no-secrets). It will be necessary to provide both the new NetBIOS name and the new Kerberos name (DNS suffix).

It is important that the domain is clean in order to produce a good backup and ensure a good recovery. Therefore, a dbcheck should be run before the backup to make sure that the database does not contain any problematic objects. We will also run a sysvolcheck to check that there are no ACL or GPO issues on the SYSVOL (otherwise the backup may fail).

Renaming is done in two phases:

  • First we launch a samba-tool domain backup rename which will perform an online backup while modifying the domain name on each of the objects:

    samba-tool ntacl sysvolcheck
    samba-tool dbcheck --cross-ncs
    samba-tool domain backup rename testdomain testdomain.lan --server=srvads --target-dir=/root/backup_rename_20191107/
    
  • Then the domain is restored with a samba-tool domain backup restore on a machine that has been configured with the new DNS suffix:

    samba-tool domain backup restore --backup-file=/root/backup_rename/samba-backup-testdom.lan-2019-11-08T23-46-56.317881.tar.bz2 --targetdir=/var/lib/samba --newservername=srvads.testdom.lan --site="Default-First-Site-Name" --host-ip=192.168.10.10