[Samba] DC Upgrade from 4.1.7 to 4.6.7

Rowland Penny rpenny at samba.org
Mon Aug 21 12:33:42 UTC 2017


On Mon, 21 Aug 2017 15:52:01 +0400
HB via samba <samba at lists.samba.org> wrote:

> Hello all, 
> 
> Our Samba AD DC has been running perfectly for years with the following
> basic setup (see smb.conf below):
>       - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from
> sources) 
>       - internal DNS 
>       - this DC is also a Print Server 
>       - about 400 PC workstations (mainly win7 Pro / win10 Pro and
> some XP Pro), and about 300 users  
>       - several Synology NAS file servers joined as domain members 
> 
> Since 4.1.7 is quite old, I would like to upgrade to the last stable
> Samba 4.6.7. 
> I wonder what is the best way to make this upgrade without any risks
> to break the links between PCs and the domain in production. 
> 
> I see two alternatives : 
> 1) As described in Wiki > Updating_Samba :
>      Upgrade the running DC : 
> 	- Compile the last stable release 4.6.7
> 	- stop samba
> 	- install 4.6.7 over the 4.1.7 
> 	- make the Database Check and fix errors if any 
> 	- restart samba 
> In this alternative, would it be more careful to gradually upgrade
> to each major release after some tests between each (4.1.7 to 4.2
> then 4.2 to 4.3, ..., then 4.5 to 4.6)?
> Or should installing 4.6.7 directly over 4.1.7 not cause any problem?
>   
> 2) Add a new DC :
> 	- create and add a new DC based on samba 4.6.7 (CentOS 7) to
> the domain 
> 	- transfer the FSMO roles from old 4.1.7 DC to the new DC (no
> incompatibility between 4.1 and 4.6 ?) 
> 	- replicate the sysvol dir to the new DC 
> 	
> 	after validation that everything is ok , either :
> 	- demote the old DC 
> 	- or upgrade the old DC to 4.6.7 also and keep it as
> secondary DC 
> 
> My questions are the following : 
> - Are my two alternatives correct ? Any comments are welcome .
> - Are there any problems I have to anticipate ? 
> - What would be your advice to make this upgrade in the most secure
> way, knowing that the DC is in production and my absolute priority is
> to have no implication on the clients. I can schedule the operation
> outside working hours, but I can't assume any interruption during the
> working days.
> - The current DC is also a Print server, is there an easy way to
> change a DC to a simple Domain member (that keeps the print server
> role)? 
> 

Normally, both of your suggested ways would be valid, but, because of
the big jump between versions and the large amount of changes that
have occurred, I would tend to go with your second option and add a
new DC and then demote the old DC.

You cannot directly demote a DC to a Unix domain member, you would
have to join it to the domain, so I would take this chance to update the
OS and then set up Samba etc. as shown on the wiki.

I would also consider adding a second DC, just in case.

Rowland
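
A pre-demotion check for the "add a new DC" route discussed above, as an added example that is not part of the thread or of Samba itself: it reads the text printed by `samba-tool fsmo show` and lists any FSMO role not yet held by the new DC. The domain `samdom.example.com`, the host names `OLDDC` and `NEWDC` and the sample output are constructed, and the `<Role> owner: <DN>` line format is an assumption based on the tool's usual output.

```shell
#!/bin/sh
# Added example: refuse to demote the old DC while it still owns an FSMO role.

# Constructed sample of `samba-tool fsmo show` output (hypothetical domain and
# hosts): two roles have not been transferred to NEWDC yet.
sample_fsmo_output() {
cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
EOF
}

# Read fsmo output on stdin; print every role whose owner is NOT DC "$1".
roles_not_on() {
    awk -v dc="$1" '
        / owner: / {
            owner = ""
            # The owning server is the RDN right after "CN=NTDS Settings,".
            if (match($0, /CN=NTDS Settings,CN=[^,]+/))
                owner = substr($0, RSTART + 20, RLENGTH - 20)
            # Host names are compared case-insensitively.
            if (toupper(owner) != toupper(dc)) print $1
        }'
}

# Exit 0 only if at least one role line was seen and all roles are on "$1".
# Empty or unparsable input returns 2, so a failed command never passes.
safe_to_demote() {
    input=$(cat)
    count=$(printf '%s\n' "$input" | grep -c ' owner: ' || true)
    [ "$count" -gt 0 ] || return 2
    pending=$(printf '%s\n' "$input" | roles_not_on "$1")
    [ -z "$pending" ]
}

# Demo on the constructed sample: lists the roles still on the old DC.
# On a real DC: samba-tool fsmo show | safe_to_demote NEWDC
sample_fsmo_output | roles_not_on NEWDC
```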
  


