Tuesday, May 19, 2009

Migrating roaming profiles to new Samba PDC

When the time has come to replace your existing DC (Domain Controller), you will probably use new hardware and reinstall your Linux OS next to your old DC. I decided to use another domain name as well. And while I was reinstalling I decided to use LDAP with Samba.

After the installation, I was able to join the computers to the new domain. But then I realized I would have to recreate all user roaming profiles. This would take a lot of time because all user-specific program configurations would be lost.

So on the internet I found a way to just "migrate" the existing roaming profiles to the new domain. It isn't really migrating, but more changing the "old" roaming profile's permissions to suit the new domain.

I will summarize the steps to follow, but you should read Morgan Simonsen's Homepage so you can follow the exact list of actions you have to take.

1. Join the computer to the new domain.
2. Log in with your new account in the new domain, so a profile is created.
3. Log out, restart and log in as an administrator with domain privileges.
4. Copy the old profile folder into the new one and reset permissions.
5. Log out and log in with the new account.

Morgan states:

These are the items in the old profile that you lose access to from the new user:
Data that is protected by the Data Protection API (DPAPI)
DPAPI helps protect the following items:
o Web page credentials (for example, passwords)
o File share credentials
o Private keys associated with EFS, S/MIME, and other certificates
o Program data that is protected by using the CryptProtectData() function
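
Before copying a profile, it helps to know which users actually hold DPAPI-protected material. The script below is an added example, not part of Morgan's instructions or the original post: it scans one roaming profile folder on the Samba server and counts files in the per-user DPAPI, RSA key and credential stores, which Windows keeps in folders named after the old account's SID. The function names and the sample SID are constructed for illustration, and the profile layout is assumed to be the standard Windows one.

```python
import os
import re
import tempfile

# Well-known per-user stores, relative to the roaming AppData root.
STORES = {
    "Microsoft/Protect": "DPAPI master keys",
    "Microsoft/Crypto/RSA": "RSA private keys (EFS, S/MIME, certificates)",
    "Microsoft/Credentials": "stored credentials (per-SID folder layout)",
}
# XP-style profiles use "Application Data"; Vista and later use "AppData/Roaming".
APPDATA_ROOTS = ("Application Data", "AppData/Roaming")
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def inventory_dpapi(profile_dir):
    """Return {store description: {old SID: file count}} for one profile folder."""
    found = {}
    for root in APPDATA_ROOTS:
        for rel, label in STORES.items():
            store = os.path.join(profile_dir, root, rel)
            if not os.path.isdir(store):
                continue
            for entry in os.listdir(store):
                sid_dir = os.path.join(store, entry)
                if SID_RE.match(entry) and os.path.isdir(sid_dir):
                    count = sum(len(files) for _, _, files in os.walk(sid_dir))
                    found.setdefault(label, {})[entry] = count
    return found


def make_sample_profile(base):
    """Constructed sample: an XP-style profile with one master key and one RSA key."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
    for rel, name in (("Microsoft/Protect", "masterkey"), ("Microsoft/Crypto/RSA", "key1")):
        d = os.path.join(base, "Application Data", rel, sid)
        os.makedirs(d)
        open(os.path.join(d, name), "wb").close()
    return sid


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_profile(tmp)
        for label, sids in inventory_dpapi(tmp).items():
            for sid, n in sids.items():
                print(f"{label}: {n} file(s) stored under {sid}")
```

A non-empty result for a user means certificates or EFS keys should be exported from the old account before the old domain is retired.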