[Samba] No good way to migrate 4.1 on Server A to 4.7.6 on New Server B

Glenn Bergeron glenn at gbitservices.ca
Sun Nov 25 23:04:05 UTC 2018

Hi Rowland,

The old server is Debian 3.2.101-1 running a compiled-from-source Samba 4.1.0. The new server I'm trying to migrate to is Ubuntu Server 18.04 LTS, running a package-installed (apt) Samba 4.7.7.

Old server name: isofs
New server name: isofs2



	netbios name = ISOFS2
	realm = ISO.PRIVATE
	server role = active directory domain controller
	workgroup = ISO
	ldap server require strong auth = no #Was required for FSMO transfer from old server
	dns forwarder =
	vfs objects = acl_xattr
	map acl inherit = yes
	hide dot files = yes
	store dos attributes = yes
	idmap_ldb:use rfc2307 = yes
	mangled names = no
	oplocks = no

	path = /var/lib/samba/sysvol/iso.private/scripts
	read only = No

	path = /var/lib/samba/sysvol
	read only = No

Where it's at now:

- FSMO transferred to new server. I used Migrate, not Seize, as I hope I can roll back to the original server if I can't get things working on the new server by Monday morning.
- GPO manually rsync'd to new server. 
- "samba-tool ntacl sysvolreset" then run on new server, as well as "samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes".
- Old server demoted via "samba-tool domain demote -Uadministrator"
- Based on your comment below re: DNS updating, I just ran "samba_dnsupdate" on both the old and new servers. It returned "No DNS updates needed".

What's happening:

Errors in log.samba on new server:

  Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:[49152,seal,krb5,target_hostname=d4c15af5-dfd5-4650-95de-c354a7256d15._msdcs.iso.private,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=] NT_STATUS_UNSUCCESSFUL

On Windows:

Can only log into DOMAIN\administrator. I can run "Active Directory Users and Computers", add a new user. But cannot log in as a user. Get error "The trust relationship between this workstation and the primary domain failed".

RSAT: Group Policy Management says it can't contact the domain controller.


On 2018-11-25, 5:23 AM, "Rowland Penny" <rpenny at samba.org> wrote:

    On Sun, 25 Nov 2018 04:29:26 -0500
    Glenn Bergeron via samba <samba at lists.samba.org> wrote:
    > After many, many, many hours of trying, and lots of research both on
    > this list, the Samba Wiki and elsewhere, I think I’ve finally come to
    > the conclusion that there is no way to seamlessly migrate between
    > servers.
    > Backing up and restoring (using samba_backup) doesn’t work.
    > Permissions hell with Windows.
    The old samba_backup script wasn't very good and there wasn't actually
    a restore script. The latest Samba versions have a new way of backing
    up and restoring Samba through samba-tools.
    > Joining the new 4.7.7 server to the old 4.1 DC server, waiting for
    > replication, then demoting the old server doesn’t work. It’s missing
    > all the GPO files, RSAT utils either don’t work or barely work (no
    > computer accounts listed for example), and workstations have their
    > System Events log filled with not being able to find or connect to
    > the domain server, DCOM errors relating to permissions, etc. 
    When you join a new DC, quite a lot of the required DNS records are not
    created until you restart Samba or until samba_dnsupdate runs.
    As for the GPO problems, they will not be on the new DC until you copy
    them there, this is because Sysvol is not replicated between DCs.
    > I’m trying to not have to tell all the users that they’re going to
    > have whole new Windows profiles and lose all their settings, because
    > I can’t port anything and I have to start the AD server from scratch.
    > Hasn’t anyone done this with any success? And if so, why isn’t there
    > a solid document somewhere? I’m sorry I sound frustrated, but I’m at
    > my limit with this what should have been a simple migration from old
    > dying server to new server.
    I am sure that this has been done successfully, otherwise this list
    would have been full of posts similar to yours.
    Samba is a rapidly changing target and part of your problem could be
    the large jump between your versions, 4.1 to 4.7.
    What OS are you using?
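
An added example, not part of the original post or of Samba: a small Python check for the `ldap server require strong auth = no` workaround shown in the smb.conf above, so that it is not left in place once the FSMO transfer is done. It reads comments the way smb.conf does (`#` and `;` count only at the start of a line), so a trailing note written on the option line becomes part of the value; the `[global]` header, the sample strings and the function names are assumptions.

```python
import re

PARAM = "ldap server require strong auth"
VALID = {"no", "allow_sasl_over_tls", "yes"}  # Samba's default is "yes"

def norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name.lower())

def parse_smb_conf(text):
    """'#' and ';' start a comment only at the beginning of a line,
    so trailing '#...' text is kept as part of the value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def audit_strong_auth(text):
    """Return (status, detail) for the [global] setting."""
    value = parse_smb_conf(text).get("global", {}).get(norm(PARAM))
    if value is None or value.lower() == "yes":
        return ("ok", "strong auth required (explicitly or by default)")
    if value.lower() not in VALID:
        return ("invalid", f"{value!r} is not one of {sorted(VALID)}")
    return ("relaxed", f"{PARAM} = {value}; set back to 'yes' after the migration")

# Constructed samples: the [global] header is assumed, option lines follow the post.
AS_POSTED = """[global]
    netbios name = ISOFS2
    ldap server require strong auth = no #Was required for FSMO transfer from old server
"""
OWN_LINE = """[global]
    # Was required for FSMO transfer from old server
    ldap server require strong auth = no
"""

if __name__ == "__main__":
    for name, sample in (("as posted", AS_POSTED), ("comment on own line", OWN_LINE)):
        print(name, "->", audit_strong_auth(sample))
```

Running `testparm` on the real file shows the value Samba actually loaded for this parameter.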
