samba - Feb 2023 - How to backup data from an installation in order to restore them in a new one?

Hello.

--- Situation ---

I am about to install a new Samba suite (version 4.17.5) on a new Debian 
Bullseye machine (B).
I currently have a Samba suite (version is 4.13.2-Debian), with 
BIND9_DLZ DNS back end, running on another machine (A).

On machine (A):
- I created users using the "samba-tool user create" command,
- I added computers using the "samba-tool dns add" command,
- I added DNS zones using the "samba-tool dns zonecreate" command.
I don't have neither a lot of users nor a lot of machines nor a lot of 
DNS zones.
That's pretty much all the specific data I "populated" the Samba
suite with.

On the new machine (B), contrary to machine (A), I would like to use the 
Samba internal DNS back end.
Machine (A) is destined to be "revoked": there will be no Samba suite 
running on it in the end.

--- Problem ---

These users and computers, created on machine (A), have SIDs (objectSid) 
attached that I would like to keep in the new installation on machine (B).

--- Questions ---

I think that these data are stored in "sam.ldb" and maybe
"idmap.ldb".
What files can I backup from the current installation (A) to be able to 
restore them in the new one (B)?
Are there also ".tdb" files to backup?
Is there a documentation that explains how data are stored?

Is the fact that I am going to use the Samba internal DNS back end (by 
running the "samba-tool domain provision --dns-backend=SAMBA_INTERNAL 
[...]" command)
instead of the BIND9_DLZ DNS back end, problematic in this case where I 
would like to restore the data in the new installation?
Will I have to first migrate the DNS back end from BIND9_DLZ to internal 
on machine (A)
(like what is explained here: 
https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC#Changing_From_the_BIND9_DLZ_Back_End_to_the_Samba_Internal_DNS_Server)?

Please tell me all the files I should backup from the current 
installation or how I should proceed.
Also, maybe the files from machine (A) have to be "upgraded" for
machine
(B) since Samba version is going to change from 4.13.2 to 4.17.5?

Thanks and best regards.
--
L?a

On 14/02/2023 15:26, Lm Loge via samba wrote:
> Hello.
> 
> --- Situation ---
> 
> I am about to install a new Samba suite (version 4.17.5) on a new Debian 
> Bullseye machine (B).
> I currently have a Samba suite (version is 4.13.2-Debian), with 
> BIND9_DLZ DNS back end, running on another machine (A).
> 
> On machine (A):
> - I created users using the "samba-tool user create" command,
> - I added computers using the "samba-tool dns add" command,
> - I added DNS zones using the "samba-tool dns zonecreate"
command.
> I don't have neither a lot of users nor a lot of machines nor a lot of 
> DNS zones.
> That's pretty much all the specific data I "populated" the
Samba suite
> with.
> 
> On the new machine (B), contrary to machine (A), I would like to use the 
> Samba internal DNS back end.
> Machine (A) is destined to be "revoked": there will be no Samba
suite
> running on it in the end.
The word is 'demoted', not 'revoked'.
> 
> --- Problem ---
> 
> These users and computers, created on machine (A), have SIDs (objectSid) 
> attached that I would like to keep in the new installation on machine (B).
> 
> --- Questions ---
> 
> I think that these data are stored in "sam.ldb" and maybe
"idmap.ldb".
> What files can I backup from the current installation (A) to be able to 
> restore them in the new one (B)?
> Are there also ".tdb" files to backup?
> Is there a documentation that explains how data are stored?
> 
> Is the fact that I am going to use the Samba internal DNS back end (by 
> running the "samba-tool domain provision --dns-backend=SAMBA_INTERNAL 
> [...]" command)
That is the default, so you do not need the
'--dns-backend=SAMBA_INTERNAL'
> instead of the BIND9_DLZ DNS back end, problematic in this case where I 
> would like to restore the data in the new installation?
> Will I have to first migrate the DNS back end from BIND9_DLZ to internal 
> on machine (A)
> (like what is explained here: 
>
https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC#Changing_From_the_BIND9_DLZ_Back_End_to_the_Samba_Internal_DNS_Server)?
> 
> Please tell me all the files I should backup from the current 
> installation 
Absolutely none, well not for your problem, but backing up the domain in 
case of a catastrophic failure is always a good idea.
> or how I should proceed.
You do not want to provision a new domain, you want to join a second DC 
to your domain, transfer all the FSMO roles to the new DC and then 
demote the old one, that will get you to where you think you want to be. 
However, I would do it a bit differently. I would try and fix whatever 
is wrong with your Bind9 setup and then add a second DC, or I would 
change to the internal dns server on the old DC and then add a second 
DC. You really should run more than one DC.
> Also, maybe the files from machine (A) have to be "upgraded" for
machine
> (B) since Samba version is going to change from 4.13.2 to 4.17.5?
No

Rowland

Hello.

I appreciate the advice and maybe "revoked" is not an appropriate
word,
so I will use another one:
Machine (A) is going to be "shut down forever".

Do my questions deserve another answer given that clarification?

And, by the way, I have two DCs (a "provisioned" one and a
"joined" one).
The two DCs will be "shut down forever" and replaced by two new DCs.
(Don't worry about the waste: I have the two new machines already 
available around.)

Thank you and best regards,
--
L?a