I've lurked (and posted) on that list by some month, getting many
vaulable informations, but still i've many doubts.

Most of my doubt i think came from the fact that 'AD' (generally) a is
a very complex beast, and if samba in NT4 mode fit very well in a UNIX
environment (and mind ;), samba in AD mode forced me to think in some
''microsoft way'. And i'm not used to.

I'm an old (my daughters say that! ;) UNIX sysadmin, that manage some
set of NT4 domains, built in branch offices when, here in italy,
connectivity was a chime, and so we never minded about ''account
Many users have now accounts on every domain, and password to manage.

Every domain is LDAP-backed, and LDAP provide account and password info
for other services, most notably email (every samba domain have a
compelling email domain). I'm not using winbind (apart for native NTLM
auth, freeradius and squid).

Initially my plan was to move every domain in his AD domain, doing
after that some sort of ''foresting''.
In this month, i've test-classicupgraded a domain (in a virtual
environment) and start to play, most notably with schema extensions to
keep all the email routing stuff.

But after reading here by some month, and most notably after
understanding that:

 a) it is better to have the AD DC role in a machine on their own.

 b) all my UID/GID are ''wrong'' (low), better have to be remapped.

 c) i can still use domains, in an AD forest, but the simpliest things
    is to manage different OU in a single domain

I'm really thinking of throwing all my 4 domains, simply
moving/importing users using sets of non-overlapping UID/GID, and
moving users from old domains to OU.

Clearly, i've to do some more work (eg, prepare set of script to move
files permission/ACL from old to new ACL; rejoin all workstation; ...),
but i hope the result can be better.

Someone have just done such a migration, or something like this?


