[Samba] DC Upgrade from 4.1.7 to 4.6.7

Rowland Penny rpenny at samba.org
Wed Aug 23 14:27:40 UTC 2017


On Wed, 23 Aug 2017 17:20:22 +0400
HB via samba <samba at lists.samba.org> wrote:

> 
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > Rowland Penny via samba
> > Sent: Monday, 21 August 2017 16:34
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7
> > 
> > On Mon, 21 Aug 2017 15:52:01 +0400
> > HB via samba <samba at lists.samba.org> wrote:
> > 
> > > Hello all,
> > >
> > > Our Samba AD DC has been running perfectly for years with the
> > > following basic setup (see smb.conf below):
> > >       - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from
> > > sources)
> > >       - internal DNS
> > >       - this DC is also a Print Server
> > >       - about 400 PC workstations (mainly win7 Pro / win10 Pro and
> > > some XP Pro), and about 300 users
> > >       - several Synology NAS file servers joined as domain members
> > >
> > > Since 4.1.7 is quite old, I would like to upgrade to the latest
> > > stable Samba 4.6.7.
> > > I wonder what the best way is to make this upgrade without any
> > > risk of breaking the links between PCs and the domain in production.
> > >
> > > I see two alternatives :
> > > 1) As described in Wiki > Updating_Samba :
> > >      Upgrade the running DC :
> > > 	- Compile the latest stable release 4.6.7
> > > 	- stop samba
> > > 	- install 4.6.7 over the 4.1.7
> > > 	- make the Database Check and fix errors if any
> > > 	- restart samba
> > > In this alternative, would it be more careful to gradually
> > > upgrade to each major release after some tests between each
> > > (4.1.7 to 4.2 then 4.2 to 4.3, ..., then 4.5 to 4.6)?
> > > Or should installing 4.6.7 directly over 4.1.7 not cause any
> > > problem?
> > >
> > > 2) Add a new DC :
> > > 	- create and add a new DC based on samba 4.6.7 (CentOS 7)
> > > to the domain
> > > 	- transfer the FSMO roles from old 4.1.7 DC to the new DC
> > > (no incompatibility between 4.1 and 4.6 ?)
> > > 	- replicate the sysvol dir to the new DC
> > >
> > > 	after validation that everything is ok , either :
> > > 	- demote the old DC
> > > 	- or upgrade the old DC to 4.6.7 also and keep it as
> > > secondary DC
> > >
> > > My questions are the following :
> > > - Are my two alternatives correct ? Any comments are welcome .
> > > - Are there any problems I have to anticipate ?
> > > - What would be your advice to make this upgrade in the most secure
> > > way, knowing that the DC is in production and my absolute
> > > priority is to have no implication on the clients. I can schedule
> > > the operation outside working hours, but I can't assume any
> > > interruption during working days.
> > > - The current DC is also a Print server, is there an easy way to
> > > change a DC to a simple Domain member (that keeps the print server
> > > role)?
> > >
> > 
> > Normally, both of your suggested ways would be valid, but, because
> > of the big jump between versions and the large amount of changes
> > that have occurred, I would tend to go with your second option and
> > add a new DC and then demote the old DC.
> > 
> > You cannot directly demote a DC to a Unix domain member, you would
> > have to join it to the domain, so I would take this chance to update
> > the OS and then set up Samba etc as shown on the wiki.
> > 
> > I would also consider adding a second DC, just in case.
> > 
> > Rowland
> 
> Thanks Rowland for your advice.
> 
> In order to transform the old DC + Print Server to a member print
> server, I plan the following operations:
> 
> 1- transfer the FSMO roles to the new DC
> 	New-DC# samba-tool fsmo transfer --role=all
> 
> 2- demote the old DC 
> 	Old-DC# samba-tool demote -Uadministrator 
> 
> 3- stop the samba service 
> 
> 4- change smb.conf for a domain member 
> 
> 5- join the domain
> 	Old-DC# net ads join -Uadministrator 
> 
> 6- Start winbindd , smbd, nmbd services 
> 
> Am I correct ?  
> 
> Will I have to recreate printers and upload the printer drivers again
> or will all the print stuff remain from the old DC configuration? 
> 
> Thanks a lot.
> 
> 

This should work to get you a Unix domain member. Not sure about the
printer stuff; it shouldn't get deleted, and as long as smb.conf is
set up correctly, it should work, but YMMV.

I would suggest you do two other things: change the hostname of the old
DC and its IP address.

Rowland
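
Before step 2 of the plan quoted above, it is worth confirming that no FSMO role is still held by the DC about to be demoted. The following is an added example, not part of the original thread or of Samba itself: `fsmo_holdouts` and `sample_fsmo_show` are hypothetical helpers, the output format of `samba-tool fsmo show` is assumed as noted in the comments, and the sample output with its `samdom.example.com` naming is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: `samba-tool fsmo show`
# prints one "<Role> owner: CN=NTDS Settings,CN=<host>,..." line per role.

# fsmo_holdouts NEW_DC  (hypothetical helper)
# Reads `samba-tool fsmo show` output on stdin and lists every role whose
# owner is not NEW_DC. Exit 0: all roles moved; 1: holdouts; 2: nothing parsed.
fsmo_holdouts() {
    awk -v dc="$1" '
        / owner: / {
            seen++
            owner = "?"
            # The owning host is the RDN right after "CN=NTDS Settings,".
            if (match($0, /CN=NTDS Settings,CN=[^,]+/))
                owner = substr($0, RSTART + 20, RLENGTH - 20)
            if (toupper(owner) != toupper(dc)) {
                printf "%s still owned by %s\n", $1, owner
                bad++
            }
        }
        END {
            # Empty or unrecognised input must never look like success.
            if (seen == 0) { print "no FSMO role lines parsed"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample: two DNS zone roles have not moved off Old-DC.
sample_fsmo_show() {
    cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=New-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=New-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=New-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=New-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=New-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=Old-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=Old-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
EOF
}

# Real use on the new DC, before demoting the old one:
#   samba-tool fsmo show | fsmo_holdouts New-DC
```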



