[Samba] DC Upgrade from 4.1.7 to 4.6.7
HB
hb.transfert at gmail.com
Mon Aug 21 11:52:01 UTC 2017
Hello all,
Our Samba AD DC has been running perfectly for years with the following basic
setup (see smb.conf below):
- one DC running Samba 4.1.7 / CentOS 6.5 (compiled from sources)
- internal DNS
- this DC is also a Print Server
- about 400 PC workstations (mainly win7 Pro / win10 Pro and some XP
Pro), and about 300 users
- several Synology NAS file servers joined as domain members
Since 4.1.7 is quite old, I would like to upgrade to the latest stable Samba
4.6.7.
I wonder what is the best way to make this upgrade without any risk of
breaking the links between PCs and the domain in production.
I see two alternatives:
1) As described in Wiki > Updating_Samba:
Upgrade the running DC:
- compile the latest stable release 4.6.7
- stop samba
- install 4.6.7 over the 4.1.7
- run the Database Check and fix errors if any
- restart samba
In this alternative, would it be more careful to gradually upgrade to each
major release, with some tests between each (4.1.7 to 4.2 then 4.2 to 4.3,
..., then 4.5 to 4.6)?
Or should installing 4.6.7 directly over 4.1.7 not cause any problem?
2) Add a new DC:
- create and add a new DC based on samba 4.6.7 (CentOS 7) to the
domain
- transfer the FSMO roles from the old 4.1.7 DC to the new DC (no
incompatibility between 4.1 and 4.6?)
- replicate the sysvol dir to the new DC
After validation that everything is ok, either:
- demote the old DC
- or upgrade the old DC to 4.6.7 also and keep it as secondary DC
My questions are the following:
- Are my two alternatives correct? Any comments are welcome.
- Are there any problems I have to anticipate?
- What would be your advice to make this upgrade in the most secure way,
knowing that the DC is in production and my absolute priority is to have no
impact on the clients? I can schedule the operation outside working
hours, but I can't accept any interruption during working days.
- The current DC is also a Print server; is there an easy way to change a DC
to a simple Domain member (that keeps the print server role)?
Here is my smb.conf of the currently running DC:

# Global parameters
[global]
    log level = 1
    max log size = 100000
    workgroup = MYDOM
    server string = Serveur MYDOM
    realm = MYDOM.MYCOMP.FR
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 123.123.123.1
    idmap_ldb:use rfc2307 = yes
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    load printers = no

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/mydom.mycomp.fr/scripts
    read only = No
    browseable = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
    browseable = No

[printers]
    path = /var/spool/samba
    comment = Public Printers
    printable = yes
    printing = cups

[print$]
    path = /home/samba/Printer_drivers
    comment = Printer Drivers
    writeable = yes

Many thanks in advance for any advice.
Henri