[Samba] DC Upgrade from 4.1.7 to 4.6.7

Allen Chen achen at harbourfrontcentre.com
Mon Aug 21 14:34:15 UTC 2017

I did a similar DC upgrade from 4.1.13 to 4.6.6(like your option 1, 
upgrade on existing AD servers, I have two, first upgrade on none-FSMO).
  and I don't have any issues with the DC upgrade itself.
But be careful with your member servers. After the upgrade, I have to 
change some default values on file servers:
1. samba 3.5.10 member server(rpm from CentOS 6.2) lost connection to 
samba 4.6.6 AD,
I have to add the following to fix the default values:
  client NTLMv2 auth = yes
  ntlm auth = No
  client ldap sasl wrapping = sign
   winbind use default domain = yes
2.  samba 3.6.23 member server(rpm from CentOS 6.8) and samba 4.6.6 need 
this change:
    winbind use default domain = yes
3. My TeraStation NAS storage server lost connection to samba 4.6.6 AD, 
I have to move it to a Samba 4.6.6 member server,
  and get rid of the TeraStation NAS storage server, too much headache 
with TeraStation. Setting up a samba 4.6.6 member server is easier.
  and you can control everything on the member server.
4. squid-cache proxy server cannot ldap to the new AD, I have to change 
it to ldaps(of cause some changes in /etc/openldap/ldap.conf).

My AD environment may be different from yours. I don't use and configure 
anything else on the DC(pretty standard from samba doc) ,
but you have printer server on it. It's better to test it, also test 
your Synology NAS servers with the new DC, but how? you may have support 
from Synology?


On 8/21/2017 8:33 AM, Rowland Penny via samba wrote:
> On Mon, 21 Aug 2017 15:52:01 +0400
> HB via samba <samba at lists.samba.org> wrote:
>> Hello all,
>> Our Samba AD DC is running perfectly for years with the following
>> basic setup (see smb.conf below) :
>>        - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from
>> sources)
>>        - internal DNS
>>        - this DC is also a Print Server
>>        - about 400 PC workstations (mainly win7 Pro / win10 Pro and
>> some XP Pro), and about 300 users
>>        - several Synology NAS file servers joined as domain members
>> Since 4.1.7 is quite old, I would like to upgrade to the last stable
>> Samba 4.6.7.
>> I wonder what is the best way to make this upgrade without any risks
>> to break the links between PCs and the domain in production.
>> I see two alternatives :
>> 1) As described in Wiki > Updating_Samba :
>>       Upgrade the running DC :
>> 	- Compile the last stable release 4.6.7
>> 	- stop samba
>> 	- install 4.6.7 over the 4.1.7
>> 	- make the Database Check and fix errors if any
>> 	- restart samba
>> In this alternative , would it be much careful to gradually upgrade
>> to each major release after some tests between each (4.1.7 to 4.2
>> then 4.2 to 4.3 , ... , then 4.5 to 4.6) ?
>> Or install directly 4.6.7 over 4.1.7 should not cause any problem ?
>> 2) Add a new DC :
>> 	- create and add a new DC based on samba 4.6.7 (CentOS 7) to
>> the domain
>> 	- transfer the FSMO roles from old 4.1.7 DC to the new DC (no
>> incompatibility between 4.1 and 4.6 ?)
>> 	- replicate the sysvol dir to the new DC
>> 	after validation that everything is ok , either :
>> 	- demote the old DC
>> 	- or upgrade the old DC to 4.6.7 also and keep it as
>> secondary DC
>> My questions are the following :
>> - Are my two alternatives correct ? Any comments are welcome .
>> - Are there any problems I have to anticipate ?
>> - What would be your advices to make this upgrade the most secured
>> way, knowing that the DC is in production and my absolute priority is
>> to have no implication on the clients. I can schedule the operation
>> out of worked hours, but I can't assume any interruption during the
>> opened days.
>> - The current DC is also a Print server, is there an easy way to
>> change a DC to a simple Domain member (that keeps the print server
>> role)?
> Normally, both of your suggested ways would be valid, but, because of
> the big jump between versions and the large amount of changes that
> have occurred, I would tend to go with your second option and add a
> new DC and then demote the old DC.
> You cannot directly demote a DC to a Unix domain member, you would
> have join it to the domain, so I would take this chance to update the
> OS and then set up Samba etc as shown on the wiki.
> I would also consider adding a second DC, just in case.
> Rowland

Allen Chen
Network Administrator

Harbourfront Centre

235 Queens Quay West, Toronto, ON
M5J 2G8, Canada | harbourfrontcentre.com <http://www.harbourfrontcentre.com>
Office: +1 416 973 7973
Cell: +1 416 556 2493


More information about the samba mailing list