[Samba] DC Upgrade from 4.1.7 to 4.6.7
achen at harbourfrontcentre.com
Mon Aug 21 14:34:15 UTC 2017
I did a similar DC upgrade from 4.1.13 to 4.6.6 (like your option 1,
upgrade on existing AD servers; I have two, first upgrade on non-FSMO),
and I don't have any issues with the DC upgrade itself.
But be careful with your member servers. After the upgrade, I have to
change some default values on file servers:
1. samba 3.5.10 member server (rpm from CentOS 6.2) lost connection to
samba 4.6.6 AD,
I have to add the following to fix the default values:
    client NTLMv2 auth = yes
    ntlm auth = No
    client ldap sasl wrapping = sign
    winbind use default domain = yes
2. samba 3.6.23 member server (rpm from CentOS 6.8) and samba 4.6.6 need
    winbind use default domain = yes
3. My TeraStation NAS storage server lost connection to samba 4.6.6 AD,
I have to move it to a Samba 4.6.6 member server,
and get rid of the TeraStation NAS storage server, too much headache
with TeraStation. Setting up a samba 4.6.6 member server is easier,
and you can control everything on the member server.
4. squid-cache proxy server cannot ldap to the new AD, I have to change
it to ldaps (of course some changes in /etc/openldap/ldap.conf).
My AD environment may be different from yours. I don't use and configure
anything else on the DC (pretty standard from samba doc),
but you have printer server on it. It's better to test it, also test
your Synology NAS servers with the new DC, but how? you may have support
On 8/21/2017 8:33 AM, Rowland Penny via samba wrote:
> On Mon, 21 Aug 2017 15:52:01 +0400
> HB via samba <samba at lists.samba.org> wrote:
>> Hello all,
>> Our Samba AD DC has been running perfectly for years with the following
>> basic setup (see smb.conf below):
>> - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from
>> - internal DNS
>> - this DC is also a Print Server
>> - about 400 PC workstations (mainly win7 Pro / win10 Pro and
>> some XP Pro), and about 300 users
>> - several Synology NAS file servers joined as domain members
>> Since 4.1.7 is quite old, I would like to upgrade to the last stable
>> Samba 4.6.7.
>> I wonder what is the best way to make this upgrade without any risk
>> of breaking the links between PCs and the domain in production.
>> I see two alternatives:
>> 1) As described in Wiki > Updating_Samba:
>> Upgrade the running DC:
>> - Compile the last stable release 4.6.7
>> - stop samba
>> - install 4.6.7 over the 4.1.7
>> - make the Database Check and fix errors if any
>> - restart samba
>> In this alternative, would it be more careful to gradually upgrade
>> to each major release after some tests between each (4.1.7 to 4.2,
>> then 4.2 to 4.3, ..., then 4.5 to 4.6)?
>> Or should installing 4.6.7 directly over 4.1.7 not cause any problem?
>> 2) Add a new DC:
>> - create and add a new DC based on samba 4.6.7 (CentOS 7) to
>> the domain
>> - transfer the FSMO roles from old 4.1.7 DC to the new DC (no
>> incompatibility between 4.1 and 4.6 ?)
>> - replicate the sysvol dir to the new DC
>> after validation that everything is ok, either:
>> - demote the old DC
>> - or upgrade the old DC to 4.6.7 also and keep it as
>> secondary DC
>> My questions are the following:
>> - Are my two alternatives correct? Any comments are welcome.
>> - Are there any problems I have to anticipate?
>> - What would be your advice to make this upgrade in the most secure
>> way, knowing that the DC is in production and my absolute priority is
>> to have no implication on the clients. I can schedule the operation
>> outside working hours, but I can't assume any interruption during the
>> open days.
>> - The current DC is also a Print server, is there an easy way to
>> change a DC to a simple Domain member (that keeps the print server
> Normally, both of your suggested ways would be valid, but, because of
> the big jump between versions and the large amount of changes that
> have occurred, I would tend to go with your second option and add a
> new DC and then demote the old DC.
> You cannot directly demote a DC to a Unix domain member, you would
> have to join it to the domain, so I would take this chance to update the
> OS and then set up Samba etc as shown on the wiki.
> I would also consider adding a second DC, just in case.
235 Queens Quay West, Toronto, ON
M5J 2G8, Canada | harbourfrontcentre.com <http://www.harbourfrontcentre.com>
Office: +1 416 973 7973
Cell: +1 416 556 2493
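
The four member-server settings listed in the first message can be checked before the DC upgrade rather than after a server drops off the domain. The following is an added example, not part of the thread and not Samba project code; the function names and the sample smb.conf text are assumptions constructed for illustration.

```python
# Added example: audit the [global] section of smb.conf text against the post's settings.
REQUIRED = {                      # names and values exactly as listed in the post
    "client NTLMv2 auth": "yes",
    "ntlm auth": "no",
    "client ldap sasl wrapping": "sign",
    "winbind use default domain": "yes",
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def norm_name(name):
    return "".join(name.split()).lower()   # smb.conf ignores case/whitespace in names

def norm_value(value):
    v = value.strip().lower()
    return "yes" if v in TRUE else "no" if v in FALSE else v

def parse_global(text):
    """Return {normalized parameter name: raw value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):             # backslash continues onto the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            params[norm_name(name)] = value.strip()
    return params

def audit(text):
    """List (parameter, expected, found); found=None means not set explicitly,
    so the installed Samba version's default applies."""
    params = parse_global(text)
    return [(name, want, params.get(norm_name(name)))
            for name, want in REQUIRED.items()
            if norm_value(params.get(norm_name(name), "")) != want]

SAMPLE = """\
# constructed sample, not from the thread
[global]
    Client NTLMv2 Auth = Yes
    ; ntlm auth = no
    client ldap sasl wrapping = plain
    winbinduse default domain = true
[share]
    ntlm auth = no
"""
print(audit(SAMPLE))
```

On a live member server, `testparm -s` prints the effective configuration including include files, and its output can be fed to `audit()` in place of the raw file.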