Upgradeprovision notes

[Matthieu Patou]

Dear all,

I'm somehow feeling concerned with upgradeprovision and here are my 
plans to improve it:


1) Update DNS record using rebuild_zone.sh or something similar, as 
older provision might have broken zone somehow.
2) Update NTACLs and dirs in sysvol, as new GPO has been introduced in 
august by MDW but users with older provision do not have associated dirs 
and no acl on this dir as well and up to a few days provision didn't put 
ACL on sysvol files.
3) do a mostly clean SD update: for the moment upgrade provision is 
always replacing the SD in the upgraded provision by the one 
recalculated. The very first step is to limit this behavior to older 
than alpha11 provision as now people (I'm not totally happy with this 
cutof as alpha11 shipped with a bug that caused SD to be bogus on some 
configuration objects). T
hen I would like to check every object where the SD is different from 
the reference one and for each object that is found, check if its SD was 
obtained directly from the defaultSD + the SD of its parent or if the SD 
was modified afterhand.
4) Make upgradeprovision use one big transaction for the upgrade process
5) Honnor fSMORoleOwner so that upgradeprovision on a given host do not 
modify parts where the DC is the role owner
6) Make upgradeprovision not replace sam.ldb when provision > alpha10 
and do instead a search and replace in sam.ldb with basedn=""
7) Update provision so it can store an @PROVISION entry in sam.ldb to 
keep the trace of the last USN modified by (upgrade)provision
8) Use the the usn information, the replpropertymetadata, + the 
invocation id of the udpdated DC to see if should update attribute or 
not. The rule will be: originating_invocation_id== invocation_id_dc && 
originating_usn <= lastUSN modified by provision.

Let me know if you see something else to add or reorder.

Matthieu.