[Samba] Upgrading Samba AD without upgrading any DC
Stephen Brandli
steve at brandli.com
Fri Feb 7 18:35:29 UTC 2025
Rowland,
Thank you for your answers.
To be clear, everything will be Bookworm when I'm done.
My question about upgrading a new DC rather than upgrading old ones is the "Upgrade a DC and join it to the domain again" process here: https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC, right? You said it "raises the RID pools." I don't know what that means. But, the webpage suggests this process when upgrading between major versions. You disagree?
If you still suggest the in-place upgrade process, do you expect things to work while, temporarily, one DC is running bookworm-backports while the others are still on bullseye? (I can stop all client and file server machines on the domain during the upgrade.)
These are production DCs. Is the latest, 4.21.3, production quality, or should I install an earlier version?
And, I forgot to ask: We have two domains with an external trust. Do you anticipate a problem with, temporarily, one domain being upgraded and the other not (still Bullseye)?
Again, I really appreciate your help. This process is a little scary.
Steve
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, February 7, 2025 9:43 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Upgrading Samba AD without upgrading any DC
On Fri, 7 Feb 2025 17:05:59 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:
> Hi,
>
> Really appreciate you guys!
>
> Three questions:
>
> First, I am installing new DCs using Bookworm's stable install.
That would get you Samba 4.17.12, but using bookworm-backports will get you 4.21.3 (the latest version).
> The
> current DCs are running Bullseye (again using its latest). I don't
> think upgrading a DC directly will be easy if I have to do it.
I upgraded Raspberry Pi bullseye to Raspberry Pi bookworm and it worked.
> (They
> run in containers on a Buster host.)
You really need to upgrade the host as well; buster LTS went EOL over six months ago.
> Is it feasible/advisable to
> upgrade by installing a couple of new DCs, joining them to the domain,
> and then retiring the older servers?
You can do that, but it raises the RID pools.
> Or, would it be best
> that I install a DC on a Bullseye server that can be upgraded, join
> the domain, and then upgrade that?
>
You could do that, but use bookworm and skip the upgrading.
> Second, if things go wrong, can a backup of a Bullseye DC be installed
> on a new Bookworm DC? What type of backup would you recommend?
>
I cannot recommend doing a backup of a DC; backing up the domain with
samba-tool is okay, but only use such a backup if you suffer a
catastrophic failure of all DCs.
Rowland