[Samba] SUCCESS: Samba 4.11.0RC4 replication with Windows2012R2 (schema 47 -> 69 upgrade)

Luc Lalonde Luc.Lalonde at polymtl.ca
Thu Sep 19 20:41:54 UTC 2019

Hello Tim,

I finally got around to testing your steps in a virtual environment.  
The schema upgrade was updated automatically as you predicted:

Here are the two existing DCs:

DC1.foobar.org (Windows 2008R2)

DC2.foobar.org (Samba

New DC to join FOOBAR.ORG domain:

DC3.foobar.org (Windows 2012R2)

As you mentioned below, after having joined the schema upgrade should be
automatically migrated to version 69.  

I did make sure that all the FSMO roles + Global Catalog were moved to
the 2008R2 server (DC1) before proceeding.

On the Samba side (DC2), the schema is updated to 69:

[root@roquefort ~]# /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=foobar,dc=org' -s base objectVersion
# record 1
dn: CN=Schema,CN=Configuration,DC=foobar,DC=org
objectVersion: 69

# returned 1 records
# 1 entries
# 0 referrals

And on the new Windows 2012R2 (DC3) and on the Windows 2008R2 (DC1), I
am seeing schema 69:

PS C:\Users\administrator> Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

DistinguishedName : CN=Schema,CN=Configuration,DC=foobar,DC=org
Name              : Schema
ObjectClass       : dMD
ObjectGUID        : 3fa3d94d-3654-4bce-8062-359e1de3df50
objectVersion     : 69

I also checked replication status on the Windows and Linux sides.  
Everything seems to be running without errors.

So hooray!   Once 4.11.1 comes out, I'll migrate my AD environment to
get rid of 2008R2 servers and move them to 2012R2.  

My superstitious nature won't allow me to use *.*.0 releases in a
production environment ;-)

Thanks again for the great work!

Best regards, Luc.

On 2019-07-30 6:05 p.m., Tim Beale wrote:
> On 31/07/19 2:33 AM, Luc Lalonde wrote:
>> Here's my understanding of the workflow:
>>  1. Upgrade Samba DC's to version 4.11.x
>>  2. Promote domain to schema 69
>>  3. Transfer FSMO roles to Windows 2008R2 Server
>>  4. Join Windows 2012R2 Server to domain
>>  5. Delete Windows 2008R2 Server
> As you've already got a Windows 2008R2 DC in your network, when you
> join the 2012R2 DC it should automatically upgrade the schema. So this
> is probably the most reliable/easiest way for your setup:
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Transfer FSMO roles to Windows 2008R2 Server
> 3. Join Windows 2012R2 Server to domain (this should automatically
> promote domain to schema 69).
> 4. Delete Windows 2008R2 Server
> You could in theory use samba to upgrade the schema instead, which
> would avoid the need for the FSMO role transfers. However, given
> you've got 2 different Windows versions here, I think it's best here
> to let Windows sort out the interoperability. For reference, using
> Samba to do the schema upgrade would look like:
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Promote domain to schema 69 (using samba-tool domain schemaupgrade)
> 3. Join Windows 2012R2 Server to domain.
> However, this approach would be more useful for users that didn't
> already have a Windows 2008R2 DC in their network.
>> When I join the Windows 2012R2 Server to the domain, how do I make
>> sure that it doesn't try to upgrade the functional level to 2012R2?
> You have to manually raise the functional level. This shouldn't
> accidentally happen.
> https://support.microsoft.com/en-nz/help/322692/how-to-raise-active-directory-domain-and-forest-functional-levels
>> Do you know if 2012R2 functional level is planned for Samba 4.12.x ?
> Sadly, no. Unfortunately this is a significant undertaking (it
> requires a lot of Heimdal/FAST/Claims support work). Right now, we'd
> need some more funding to make this happen.
Luc Lalonde, analyste
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
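
A check for the verification step in the message above, as an added example that is not part of the original post: it extracts objectVersion from ldbsearch output and flags any DC that has not yet reached the expected schema version. The function names and the sample LDIF (constructed from the output shown in the message) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# On a Samba DC, feed schema_version the output of the ldbsearch command
# shown in the message; on Windows, copy the objectVersion value by hand.

# Read ldbsearch/LDIF output on stdin and print the objectVersion value.
# Prints nothing if the attribute is absent. Tolerates CRLF line endings.
schema_version() {
    awk -F': *' 'tolower($1) == "objectversion" { sub(/\r$/, "", $2); print $2; exit }'
}

# check_schema EXPECTED NAME=VERSION...
# Prints one status line per DC. Returns 0 only if every DC reports
# EXPECTED, 1 if any DC is behind or returned no value, 2 if no DCs given.
check_schema() {
    expected=$1; shift
    rc=0
    [ "$#" -gt 0 ] || return 2
    for pair in "$@"; do
        dc=${pair%%=*}; ver=${pair#*=}
        if [ "$ver" = "$expected" ]; then
            echo "OK    $dc objectVersion=$ver"
        else
            echo "STALE $dc objectVersion=${ver:-missing} (expected $expected)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, modelled on the ldbsearch output in the message.
SAMPLE_LDIF='# record 1
dn: CN=Schema,CN=Configuration,DC=foobar,DC=org
objectVersion: 69

# returned 1 records
# 1 entries
# 0 referrals'

dc2=$(printf '%s\n' "$SAMPLE_LDIF" | schema_version)
check_schema 69 "DC2=$dc2"
```

A STALE line for one DC while the others report 69 means the schema change has not replicated to it yet, so replication status on that DC is the next thing to look at.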
