Samba domain controller and users' login profile

Posted on 2011-10-30
Medium Priority
Last Modified: 2012-05-12
Dear Experts:

I recently installed SUSE Linux Enterprise 11 and configured it as a Samba domain controller with LDAP as the password backend. Currently the desktops and laptops in the LAN are members or clients of Windows 2003 AD.
My requirements:
Disjoin all the desktops and laptops from the Windows AD and join them to the SUSE Linux Enterprise 11 Samba domain controllers, but keep the Documents and Settings of their local systems as they are, as MS Outlook and data are available on their Desktop and My Documents.
The existing Windows AD profiles of all the users are local profiles, as we have disabled roaming profiles due to the bandwidth consumption.
Now I am looking for a solution that retains their local profiles intact without any changes but joins them to the SUSE Linux Enterprise Samba PDC; for this I have created user names the same as the Windows AD user accounts.
Please help me achieve this. Also, is this recommended, or is creating a new profile recommended? Please help. Thanks in advance.
Question by:D_wathi

Expert Comment

ID: 37052723
You have to transfer all the LDIF. You will have to export from AD and import into the LDAP server.

You have to carefully make a list of all the existing features that Active Directory is providing. You would implement each in the LDAP server and see whether every feature translates or not using Samba.

The next phase, after implementing, would be testing using some dummy system. Do as thorough testing as you can. The "disjoin" would be the last step, when you have tested and figured out how everything would work. Make sure you know how to revert back if something doesn't work.

Author Comment

ID: 37052738
Thanks for the reply. Can you please provide me with good how-tos to achieve this?

Assisted Solution

farzanj earned 664 total points
ID: 37052750
First step is to evaluate the feasibility.  I had some people questioning the usefulness of Samba as opposed to AD.  They said that with Samba you couldn't centralize user's access to all the software installed on the machine.  Do you want that?  I heard at that time that the then test version of Samba started doing that.  

This is just an example.  You need to know what exact features (all of them) that you would need on Samba and whether it would satisfy users or you would hear every one complaining.

If feasible then you can start doing some work.
Run your LDAP server.
Figure out how to import LDIF and any other tools/scripts available to automate the task.
Export LDIF from AD and import into LDAP
Import all features and with a laptop or dummy client test if it works as expected.

Expert Comment

ID: 37059164
LDIF can perhaps import the accounts, but that's probably the easy part (creating the accounts). More of a pain will be migrating the user profiles, because they will have to be migrated. Keeping the names the same will not help at all. You could try ADMT to migrate the profile, or you can just copy the My Docs, Desktop, and Favourites to the new folder, or you can try to attach the new user account to the existing profile, although this sometimes causes pain with permissions to the files.

How many users are you looking at doing this for?
What is the reason? I would seriously question why someone would migrate from Windows AD to Samba. Sure, it'll work, but Samba is always behind in trying to add the features already present in AD. Especially if you have a multi-site domain, I would really recommend against this.

Accepted Solution

ghodder earned 668 total points
ID: 37068182
All you need to do is update the permissions within each profile registry hive (NTUSER.DAT) as well as all files and directories within the profile to be owned by the new domain user account.

I have attached the instructions I created for performing these sorts of migrations. I've migrated many users on multiple domains this way and kept all their settings intact.

I would recommend creating a few test users in each domain first and run through it a few times to make sure you understand the process. The main thing you need to make sure you do is "take ownership" as the new domain user and apply it to all child objects, especially within the NTUSER.DAT otherwise it will be deleted and replaced with a fresh version. If that happens all registry settings will be lost and you will have to create a new profile for the user and will only be able to transfer files.
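
The re-permissioning step described in the accepted answer, sketched in PowerShell as an added example; it is not part of the original post or its attachment. It assumes Windows PowerShell on the client, an elevated session, the user logged off, and the machine already joined to the new domain; `EXAMPLEDOM\jdoe` and the profile path are placeholders. It grants inheritable Full Control rather than changing ownership.

```powershell
# Added example (not from the thread). Placeholders: EXAMPLEDOM\jdoe, profile path.
param(
    [string]$Account     = 'EXAMPLEDOM\jdoe',
    [string]$ProfilePath = 'C:\Documents and Settings\jdoe'
)
$ErrorActionPreference = 'Stop'

# Resolve the new account to a SID first; this fails early if the machine
# cannot see the new domain or the account name is wrong.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Files and directories: inheritable Full Control on the profile root.
#    Children with inheritance blocked keep their old ACL and need the same fix.
$dir  = Get-Item -LiteralPath $ProfilePath -Force
$dacl = $dir.GetAccessControl('Access')
$dacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'FullControl', $inherit, $none, $allow)))
$dir.SetAccessControl($dacl)

# 2. Registry hive: mount NTUSER.DAT under a temporary key and repeat there.
$mount = 'ProfileMigTemp'
& reg.exe load "HKU\$mount" (Join-Path $ProfilePath 'NTUSER.DAT') | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed; is the profile still in use?' }
$key = $null
try {
    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey($mount,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    $kacl = $key.GetAccessControl('Access')
    $kacl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, 'FullControl', 'ContainerInherit', $none, $allow)))
    $key.SetAccessControl($kacl)

    # 3. Verify before unloading: the hive root must now list the new SID.
    $hit = $key.GetAccessControl('Access').GetAccessRules($true, $false,
               [System.Security.Principal.SecurityIdentifier]) |
           Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                          $_.RegistryRights -eq 'FullControl' }
    if (-not $hit) { throw "Hive ACL does not grant Full Control to $Account" }
}
finally {
    if ($key) { $key.Close() }          # open handles block the unload
    & reg.exe unload "HKU\$mount" | Out-Null
}
```

Run it against a test user's profile first and confirm the first logon with the new account loads the existing desktop rather than a fresh one.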

Assisted Solution

JammyPak earned 668 total points
ID: 37070942
You can do something similar in the profiles tool (Control Panel, System).

You can choose the 'old' profile, select 'copy to' and copy it on top of the new profile folder. Fill in the 'permitted to use' box to select the user name from the new domain to make sure the permissions get set.

I've used that in the past, and generally it was good. Occasionally needed to manually take ownership of something and force the permissions.
