[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
Rowland Penny
rpenny at samba.org
Sun Jun 29 18:23:41 UTC 2025
On Sun, 29 Jun 2025 19:11:47 +0200
Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> We are preparing to upgrade our two Samba AD DCs during this school
> holidays. Both current DCs are x86_64 VMs with Samba 4.9.5, AD schema
> = 47 (Server 2008R2), there is one AD domain.
> We expect to upgrade to Samba 4.20.* or 4.22.* and AD schema to
> current Server 2019 or 2022.
>
I would suggest you upgrade to the highest samba version possible and
then upgrade on a regular basis, certainly sooner than your apparent
every five years or so.
> Can you please advise on the optimal upgrade procedure, and possibly
> give some general recommendations and warnings about possible issues?
>
> According to the Samba Wiki at
> https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
> , it seems that this procedure might work:
>
> - on FSMO DC, backup domain (samba-tool domain backup online ...)
At this point, as you are using VMs, I would install a new VM and join
that as a DC, this will raise the schema version to 2012R2 (you can
raise it further later). Transfer the FSMO roles to this DC. You can
call this DC whatever you like, it is just a temporary DC to hold your
domain
>
> - demote non-FSMO DC (samba-tool domain demote ...), shutdown VM
>
> - run new VM with actual Samba-4.22.x DC installed, with same
> hostname, realm,... as had previously removed machine.
>
> - join to domain (samba-tool domain join ...)
>
> - start Samba and run AD replication status and Samba AD DC database
> check (samba-tool drs showrepl ... / samba-tool dbcheck ...)
Do this for all of your existing DCs (you could change everything if
you want, every DC will become a new DC, all that will be the same is
the hostname and IP).
>
> - transfer FSMO role to newly joined DC (samba-tool fsmo transfer...)
> (is it really needed? What about seizing a FSMO Role at the whole
> end?
> - but the Wiki says FSMO transfer is recommended before seizing)
Seizing is a last resort method, in fact if you run the command without
the '--force' switch, it will attempt to transfer the roles first.
>
> - demote former FSMO, stop Samba and shutdown this old VM
>
> - run another new VM with actual Samba-4.22.x DC prepared, with same
> hostname, realm,... as had previously removed former FSMO.
>
> - join it to AD, start Samba, check replication and DB status, maybe
> transfer FSMO here again..(or seize FSMO here?)
Once you have all the new DCs running correctly, transfer the FSMO
roles to whichever DC you like, just be aware that this does not make
it the 'pdc' or 'primary', all DCs are equal, it is just that some have
FSMO roles.
At this point, you can now demote and shutdown the temporary DC.
There is a possible gotcha though, when you transfer the PDC_Emulator
FSMO role, a new dns record could be created and there is nothing to
delete the old one. You have to manually delete it.
>
> - upgrade AD schema version (samba-tool domain schemaupgrade...) to
> value 88
>
>
> Apart from the fact that I am not sure that the above procedure is
> correct and optimal, there are still some ambiguities, e.g.:
>
> - already mentioned above - can there be no server FSMO role defined
> anywhere (during the upgrade)? (and then seizing if at final end)
You must have FSMO roles assigned somewhere, or your domain will not
function correctly.
>
> - Since Samba-4.9.5 supports a higher (but experimental) schema 69
> (Server 2012R2), wouldn't it be better to upgrade the AD schema to
> this level on the old DCs (and at end only do a schema upgrade 69 ->
> 88)?
Just joining a later version of Samba will upgrade the schema to 69,
you then have to upgrade to 88 manually, but only when all DCs are
capable.
Rowland
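As an added example (not from this thread and not Samba's own code), a POSIX shell check that scripts the "samba-tool drs showrepl" step recommended after each join: it parses the command's text output and fails whenever an inbound or outbound neighbour reports consecutive replication failures, so the check can gate the next demote/join in an upgrade script instead of being eyeballed. The sample output bundled with it is constructed in the shape of showrepl output; the hostnames, partition name and GUID are placeholders.

```shell
#!/bin/sh
# check_showrepl: read "samba-tool drs showrepl" text on stdin.
# Exit 0 when every neighbour reports "0 consecutive failure(s)",
# exit 1 (printing the failing links) otherwise.
check_showrepl() {
    awk '
        /^==== INBOUND NEIGHBORS ====/      { section = "inbound";  next }
        /^==== OUTBOUND NEIGHBORS ====/     { section = "outbound"; next }
        /^==== KCC CONNECTION OBJECTS ====/ { section = "kcc";      next }
        # partition lines start in column 1 with DC= or CN=
        section != "kcc" && /^(DC|CN)=/ { partition = $0; next }
        # neighbour lines read "<site>\<dc> via RPC"
        section != "kcc" && / via RPC$/  { neighbour = $1; next }
        /consecutive failure\(s\)/ {
            if ($1 + 0 > 0) {
                printf "%s %s from %s: %d consecutive failure(s)\n", section, partition, neighbour, $1
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample in the shape of showrepl output (not a real capture).
# $1 is the consecutive-failure count to report on the inbound DC2 link.
sample_output() {
    printf 'Default-First-Site-Name\\DC1\n'
    printf 'DSA Options: 0x00000001\n\n'
    printf '==== INBOUND NEIGHBORS ====\n\n'
    printf 'DC=samdom,DC=example,DC=com\n'
    printf '\tDefault-First-Site-Name\\DC2 via RPC\n'
    printf '\t\tDSA object GUID: 00000000-0000-0000-0000-000000000000\n'
    printf '\t\tLast attempt @ Sun Jun 29 18:00:00 2025 UTC was successful\n'
    printf '\t\t%s consecutive failure(s).\n' "$1"
    printf '\t\tLast success @ Sun Jun 29 18:00:00 2025 UTC\n\n'
    printf '==== OUTBOUND NEIGHBORS ====\n\n'
    printf 'DC=samdom,DC=example,DC=com\n'
    printf '\tDefault-First-Site-Name\\DC2 via RPC\n'
    printf '\t\t0 consecutive failure(s).\n\n'
    printf '==== KCC CONNECTION OBJECTS ====\n'
}

# On a DC (samba-tool assumed on PATH):  samba-tool drs showrepl | check_showrepl
# Run this file with --selftest to exercise the check on the constructed sample.
if [ "${1:-}" = "--selftest" ]; then
    sample_output 0 | check_showrepl && echo "healthy sample: OK"
    sample_output 3 | check_showrepl || echo "failing sample: flagged as expected"
fi
```

Pipe the real command into check_showrepl on each new DC after the join and before demoting the next old one; a non-zero exit means replication has not settled and the procedure should pause rather than continue. The "via RPC" and "consecutive failure(s)" phrases are what the parser keys on, so if a future Samba release changes the showrepl wording the check will need the same adjustment.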