[Samba] Samba AD DC domain upgrade wisdom

Andrew Bartlett abartlet at samba.org
Mon May 22 20:38:48 UTC 2023


On Thu, 2023-05-18 at 09:52 +0100, Rowland Penny via samba wrote:
> AD is so easy to upgrade between major versions by adding new DC's, that 
> I would never upgrade in place. Minor upgrades i.e. 4.x.5 to 4.x.6 are 
> probably okay, but I would never go from i.e. 4.15.x to 4.16.x by 
> upgrading in place, it is, in my opinion, just not worth the risk.

The main reason we suggest adding the DCs is because:
 * In professional IT environments that build new VMs automatically,
the new DC is likely a new instance so increasing the number of DCs
during the upgrade
 * It encourages the surrounding OS to be upgraded
 * New DB features are automatically enabled (encrypted passwords,
sorted linked attributes)
 * Replication creates a new DB and reads the entire DB on the source,
so latent corruption is detected and indexes are rebuilt.
 * Migration to the LMDB backend is easily possible[1]

However, we have and maintain automated tests that confirm Samba can
read and use a database all the way back to Samba 4.0.0.

Most package-based users of Samba will just upgrade their Samba with
their OS and package upgrade, this is fine because:
 * Particularly since Samba 4.11 the DB format hasn't changed.
 * When a new DC is not being created, a DC is removed during the
unjoin, reducing redundancy
 * Even if the rejoin is perfectly successful, it creates disruption to
the network (DNS updates needed, existing Kerberos service tickets
invalidated).

The balance here has changed from the days around Samba 4.5 -> 4.12
when the DB format was being optimised.

Finally, over time, the total number of DCs that have ever been in the
domain does leave metadata behind on each and every object, so one
would not want to automate unjoining and re-joining a domain with a
massive number of DCs for every minor release.

Some of this wisdom is written up here:
https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC

Andrew Bartlett

[1] This is still not the default, we should fix that, and for those
who really need it there is a script for in-place transition that I
should finally merge some day:
https://gitlab.com/samba-team/samba/-/merge_requests/2016

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
