[Samba] Upgrading Samba AD without upgrading any DC

Rowland Penny rpenny at samba.org
Fri Feb 7 19:53:25 UTC 2025


On Fri, 7 Feb 2025 18:35:29 +0000
Stephen Brandli <steve at brandli.com> wrote:

> Rowland,
> 
> Thank you for your answers.
> 
> To be clear, everything will be Bookworm when I'm done.
> 
> My question about upgrading a new DC rather than upgrading old ones
> is the "Upgrade a DC and join it to the domain again" process here:
> https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC, right?  You
> said it "raises the RID pools."  I don't know what that means.  But,
> the webpage suggests this process when upgrading between major
> versions.  You disagree?

First 'RID pool': When a DC creates an object in AD, it gives it a RID
(the last part of the SID). Each DC has its own pool of RIDs to use,
hence 'RID pool'. If the DC uses up all of its allocated RIDs, the DC
with the RidAllocationMaster FSMO role updates its pool.

If you upgrade a DC, it will keep its existing RID pool, but if you add
a new DC, it gets a new RID pool, and if you do that often enough, you
can exhaust the global RID pool. Try reading this:

https://techcommunity.microsoft.com/blog/askds/managing-rid-pool-depletion/399736

Either way to update/upgrade Samba will work, and as you upgrade each DC
individually, you can test upgrading via upgrading the OS first.
Remember that as long as you have a working DC, you have a working AD
domain; you can always forcibly demote a dead DC.
 
> 
> If you still suggest the in-place upgrade process, do you expect
> things to work while, temporarily, one DC is running
> bookworm-backports while the others are still on bullseye? 

Yes

> (I can
> stop all client and file server machines on the domain during the
> upgrade.)

No need to do that.

> 
> These are production DCs.  The latest, 4.21.3 is production quality,
> or should I install an earlier version?

Every version that Samba releases is production quality, every version
goes through the same tests. I am not saying that there will be no bugs
(show me any software that doesn't have any bugs), just that as
far as it is possible to know, there aren't any glaring bugs.

Like any software, you should test major upgrades of Samba before
putting it into production.
 
> 
> And, I forgot to ask: We have two domains with an external trust.  Do
> you anticipate a problem with, temporarily, one domain being upgraded
> and the other not (still Bullseye)?

This shouldn't be a problem.

> 
> Again, I really appreciate your help.  This process is a little scary.

Is that why you have waited so long before upgrading? It is easier if
you upgrade on a regular basis, but not much harder now.

Rowland
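
The following is an added example, not part of the message above and not Samba's own code: it decodes the `rIDAvailablePool` attribute of the `CN=RID Manager$` object to show how much of the global RID pool has already been handed out to DCs. It assumes the attribute arrives as LDIF text, that the default block size of 500 RIDs per allocation is in use, and the `DC=example,DC=com` sample is constructed.

```python
import re

MASK32 = 0xFFFFFFFF
BLOCK_SIZE = 500  # assumption: default size of the RID block given to a DC


def split_pool(value: int) -> tuple[int, int]:
    """Split a 64-bit pool attribute into its (low, high) 32-bit halves."""
    if not 0 <= value < 1 << 64:
        raise ValueError(f"not a 64-bit pool value: {value}")
    return value & MASK32, value >> 32


def read_attr(ldif: str, name: str) -> int:
    """Pull one integer attribute out of LDIF text."""
    m = re.search(rf"^{re.escape(name)}:\s*(\d+)\s*$", ldif, re.MULTILINE)
    if m is None:
        raise KeyError(f"{name} not found in LDIF")
    return int(m.group(1))


def global_pool_report(ldif: str, warn_pct: float = 80.0) -> dict:
    """Summarise how much of the domain-wide RID space is already issued."""
    # Low half: RIDs already issued to DCs as pools (not necessarily used
    # for objects yet). High half: the ceiling for the whole domain.
    issued, ceiling = split_pool(read_attr(ldif, "rIDAvailablePool"))
    if issued > ceiling:
        raise ValueError("issued count is above the ceiling; value is corrupt")
    remaining = ceiling - issued
    used_pct = 100.0 * issued / ceiling
    return {
        "issued": issued,
        "ceiling": ceiling,
        "remaining_rids": remaining,
        "remaining_blocks": remaining // BLOCK_SIZE,  # pools still available
        "used_pct": round(used_pct, 4),
        "warn": used_pct >= warn_pct,
    }


# Constructed sample: a domain that has issued 4600 RIDs so far.
SAMPLE_LDIF = (
    "dn: CN=RID Manager$,CN=System,DC=example,DC=com\n"
    f"rIDAvailablePool: {(1073741823 << 32) | 4600}\n"
)

if __name__ == "__main__":
    for key, val in global_pool_report(SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```

Each newly joined DC draws a fresh block from the remaining space, so `remaining_blocks` is the figure to watch when DCs are replaced by join rather than upgraded in place.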


