I am in the process of setting up a new AD based on only Samba servers. The current domain has a number of Samba file servers and 2 Windows DCs that are going to be retired.

The accounts and groups in the new AD will have the same names (but new SIDs) and be created directly in the new domain. What I need to figure out is how I can migrate data on the file servers to the new servers without bringing with me the old ACLs. All directories and files are owned by specific groups in the current domain. Therefore I need to find a way to copy (rsync, robocopy, tar, ...) the directory trees to the new servers.

What would be the correct way to do this? I.e. end up with a directory tree where the files have "NEW-AD\Owner-group" instead of "S-RANDOM-SID" as owner.

/Anders

On Thu, 20 Nov 2025 12:19:18 +0100
Anders Östling via samba <samba at lists.samba.org> wrote:

> I am in the process of setting up a new AD based on only Samba
> servers. The current domain has a number of Samba file servers and 2
> windows dc's that are going to be retired.

Do you have to create a new domain? Would it be possible to join a Samba DC and then transfer the FSMO roles to that and then demote the Windows DCs?

>
> The accounts and groups in the new AD will have the same names (but
> new SID's) and be created directly in the new domain. What I need to
> figure out is how I can migrate data on the file servers to the new
> servers without bringing with me the old ACL's. All directories and
> files are owned by specific groups in the current domain. Therefore I
> need to find a way to copy (rsync,robocopy, tar, ...) the directory
> trees to the new servers.
>
> What would be the correct way to do this? I.e end up with a directory
> tree where the files have "NEW-AD\Owner-group" instead of
> "S-RANDOM-SID" as owner.
>
> /Anders
>

I do not know of any 'magical' way of doing this; you will have to script around moving the data and then renaming the user & group ownership.

Rowland

Hi Anders,

I think rsync could help. From the man page:

    The preservation of ownership will associate matching names by
    default, but may fall back to using the ID number in some
    circumstances (see also the --numeric-ids option for a full
    discussion).

If the names are the same it should work. But I have not tried this.

You should not use "-X, --xattrs preserve extended attributes" because as far as I know that is where Samba stores the Windows ACLs and they contain the old SID.

Regards
Christian

On 20.11.25 at 12:19, Anders Östling via samba wrote:
> I am in the process of setting up a new AD based on only Samba
> servers. The current domain has a number of Samba file servers and 2
> windows dc's that are going to be retired.
>
> The accounts and groups in the new AD will have the same names (but
> new SID's) and be created directly in the new domain. What I need to
> figure out is how I can migrate data on the file servers to the new
> servers without bringing with me the old ACL's. All directories and
> files are owned by specific groups in the current domain. Therefore I
> need to find a way to copy (rsync,robocopy, tar, ...) the directory
> trees to the new servers.
>
> What would be the correct way to do this? I.e end up with a directory
> tree where the files have "NEW-AD\Owner-group" instead of
> "S-RANDOM-SID" as owner.
>
> /Anders
>
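
A post-copy check for the migration discussed in this thread, as an added example that is not part of any poster's message: it walks the destination tree and reports entries whose owner or group ID has no name on the new server, and entries that still carry the `security.NTACL` xattr (the name Samba's vfs_acl_xattr module uses for stored NT ACLs). The function name `audit_tree` and its injectable lookup parameters are hypothetical, and it assumes it runs on the new Linux file server where NSS (for example winbind) resolves the new domain's accounts.

```python
import grp
import os
import pwd
import sys

NTACL_XATTR = "security.NTACL"  # xattr used by Samba's vfs_acl_xattr module


def _lxattrs(path):
    """List xattr names on the path itself (symlinks are not followed)."""
    return os.listxattr(path, follow_symlinks=False)


def audit_tree(root, uid_lookup=pwd.getpwuid, gid_lookup=grp.getgrgid,
               list_xattrs=_lxattrs):
    """Return (path, problem) tuples for entries under root that still
    carry old-domain identity: unresolvable owner/group IDs or an NT ACL."""
    findings, cache = [], {}

    def has_name(kind, lookup, ident):
        if (kind, ident) not in cache:
            try:
                lookup(ident)
                cache[kind, ident] = True
            except KeyError:        # ID unknown to NSS (winbind, files, ...)
                cache[kind, ident] = False
        return cache[kind, ident]

    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk does not descend into symlinked dirs; check the links too.
        links = [d for d in dirnames
                 if os.path.islink(os.path.join(dirpath, d))]
        for path in [dirpath] + [os.path.join(dirpath, n)
                                 for n in filenames + links]:
            st = os.lstat(path)
            if not has_name("u", uid_lookup, st.st_uid):
                findings.append((path, f"uid {st.st_uid} has no name"))
            if not has_name("g", gid_lookup, st.st_gid):
                findings.append((path, f"gid {st.st_gid} has no name"))
            try:
                names = list_xattrs(path)
            except OSError:         # e.g. filesystem without xattr support
                names = []
            if NTACL_XATTR in names:
                findings.append((path, f"carries {NTACL_XATTR}"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_tree(sys.argv[1]):
        print(f"{path}: {problem}")
```

An empty result means every entry resolves to a named owner and group on the new server and no stored NT ACL came across with the copy.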