[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Rowland Penny rpenny at samba.org
Wed Nov 23 19:13:05 UTC 2022

On 23/11/2022 18:49, Juan Ignacio via samba wrote:
> Thanks Luis and Kris
> I already transferred the FSMO roles to the new DC with the commands you
> sent me; I have checked and they have been transferred successfully.
> It was good that someone mentioned something about FSMO roles, otherwise I
> would have passed it on completely.
> Thanks for the links you sent me, I was able to understand more about FSMO
> roles, this was really necessary to do before demoting the old server.

Not really, if you had demoted the DC holding the FSMO roles, this would 
not have been a disaster, it wouldn't have helped, but it wouldn't have 
been a disaster. You would have been able to 'seize' the roles to 
another DC.

> At the moment I would only have to solve some issues and confusion with a
> member fileserver.
> One of the member file servers has this in smb.conf
>         idmap config * : backend = tdb
>>         idmap config * : range = 3000-7999

Are you sure that there aren't any other 'idmap config' lines?

I would have expected lines for your DOMAIN

>>          username map = /usr/local/samba/etc/user.map

Self-compiled version of Samba?
That line is to map Administrator to root.

> If I remember correctly, we used these ranges because the old ad-dc, which also
> works as a file server, didn't have any of those lines and the uid and gid
> numbers were really long; when I installed the member server we used that to
> make it work better.

A DC uses either the xidNumber attributes found in idmap.ldb (numbers in
the 3000000 range) or any uidNumber & gidNumber found in AD (provided
'idmap_ldb:use rfc2307 = yes' is set in the DC's smb.conf).

> I don't know if now, after syncing the idmap.ldb from the old ad-dc to the new
> ad-dc, we will have the same long uid and gid. (It is not really important
> because the new ad-dc will not work as a file server, but anyway.)

The whole idea behind syncing idmap.ldb between DCs is to ensure that
they all use the IDs.

> Maybe it would have been better to transfer the idmap of the member server
> to the new ad-dc, or not, because it is using information stored on the old
> ad-dc.

It doesn't work like that; Unix domain members get their IDs from the
DCs. Provided that you use the same basic smb.conf on all Unix domain
members, you will always get the same IDs and they will be different to
a DC.

> On the member file server I can see owners with names instead of uid and
> gid.

You should be able to do this on a DC as well.

> I think Rowland knows a lot about this because he helped me with that a long
> time ago.

Anything I can do to help.
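
Added example (not part of the original message, and not Samba project code): a small Python check for the point raised above, that a member's smb.conf carrying only the default '*' idmap lines has no lines for the domain itself. SAMDOM, the rid backend and the 10000-999999 range are hypothetical values; the overlap check reflects the smb.conf requirement that idmap ranges must not overlap.

```python
import re

# Constructed samples: the member-server lines quoted in the thread, and the
# same file with hypothetical DOMAIN lines (SAMDOM is a placeholder name).
THREAD_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    username map = /usr/local/samba/etc/user.map
"""
WITH_DOMAIN_CONF = THREAD_CONF + """
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines (# or ;) never match
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            entry["range"] = tuple(int(n) for n in value.split("-", 1))
        else:
            entry[key] = value
    return domains

def audit_idmap(conf_text):
    """Return a list of findings about the idmap configuration."""
    domains = parse_idmap(conf_text)
    findings = []
    if not any(name != "*" for name in domains):
        findings.append("no idmap config lines for a named domain, only '*'")
    for name, entry in domains.items():
        if "range" not in entry or "backend" not in entry:
            findings.append(f"{name}: backend or range missing")
    ranged = sorted((e["range"], n) for n, e in domains.items() if "range" in e)
    prev_hi, prev_name = -1, None
    for (lo, hi), name in ranged:
        if lo <= prev_hi:
            findings.append(f"ranges overlap: {prev_name} and {name}")
        if hi > prev_hi:
            prev_hi, prev_name = hi, name
    return findings
```

Running audit_idmap() over the same basic smb.conf from each Unix domain member shows whether they all carry the same domain lines and ranges.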

