[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
Luis Peromarta
lperoma at icloud.com
Sun Jun 29 18:30:00 UTC 2025
Hi there.
The Oracle has already spoken, (@Rowland) I will give you some links:
This is what I would do:
First, there is a chance you may need to do this in 2 stages as 4.9 to 4.22 may be a bit too extreme.
0.- Back up both VMs, just in case.
1.- Do a good check on the DCs:
http://samba.bigbird.es/doku.php?id=samba:dc-maintenance
2.- Install and join new DC using Debian 12, you will need a new name for the machine:
http://samba.bigbird.es/doku.php?id=samba:aditional-dc
If you get errors with this join, chances are you may need to get an intermediate version (Debian 11 and Samba 4.13). If so, restore VMs from backup and try Debian 11.
3.- All going well you have now 3 DCs. Transfer the FSMO roles to the new one:
http://samba.bigbird.es/doku.php?id=samba:fsmo-roles
4.- Demote one of the older DCs:
http://samba.bigbird.es/doku.php?id=samba:demote-dc
5.- Install an additional new DC as (2)
6.- Demote the other, older DC as (4)
7.- Once all has been tested with Samba 4.17, upgrade to 4.22 using back ports:
Using back ports:
http://samba.bigbird.es/doku.php?id=samba:installing-from-backports
Upgrade:
http://samba.bigbird.es/doku.php?id=samba:upgrade-sama
8.- Once all done, check you only have one entry for PDC Emulator role:
http://samba.bigbird.es/doku.php?id=samba:fsmo-roles
Note: If you are using "idmap_ldb:use rfc2307 = yes" I recommend you don’t.
http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
On 29 Jun 2025 at 18:31 +0100, Franta Hanzlík via samba <samba at lists.samba.org>, wrote:
> We are preparing to upgrade our two Samba AD DCs during this school
> holidays. Both current DCs are x86_64 VMs with Samba 4.9.5, AD schema
> = 47 (Server 2008R2), there is one AD domain.
> We expect to upgrade to Samba 4.20.* or 4.22.* and AD schema to current
> Server 2019 or 2022.
>
> Can you please advise on the optimal upgrade procedure, and possibly
> give some general recommendations and warnings about possible issues?
>
> According to the Samba Wiki at
> https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
> , it seems that this procedure might work:
>
> - on FSMO DC, backup domain (samba-tool domain backup online ...)
>
> - demote non-FSMO DC (samba-tool domain demote ...), shutdown VM
>
> - run new VM with actual Samba-4.22.x DC installed, with same hostname,
> realm,... as had previously removed machine.
>
> - join to domain (samba-tool domain join ...)
>
> - start Samba and run AD replication status and Samba AD DC database
> check (samba-tool drs showrepl ... / samba-tool dbcheck ...)
>
> - transfer FSMO role to newly joined DC (samba-tool fsmo transfer...)
> (is it really needed? What about seizing a FSMO Role at the whole end?
> - but Wiki says FSMO transfer is recommended before seizing)
>
> - demote former FSMO, stop Samba and shutdown this old VM
>
> - run another new VM with actual Samba-4.22.x DC prepared, with same
> hostname, realm,... as had previously removed former FSMO.
>
> - join it to AD, start Samba, check replication and DB status, maybe
> transfer FSMO here again..(or seize FSMO here?)
>
> - upgrade AD schema version (samba-tool domain schemaupgrade...) to
> value 88
>
>
> Apart from the fact that I am not sure that the above procedure is correct
> and optimal, there are still some ambiguities, e.g.:
>
> - already mentioned above - can there be no server FSMO role defined
> anywhere (during the upgrade)? (and then seizing if at final end)
>
> - Since Samba-4.9.5 supports a higher (but experimental) schema 69
> (Server 2012R2), wouldn't it be better to upgrade the AD schema to this
> level on the old DCs (and at end only do a schema upgrade 69 -> 88)?
> --
> I apologize for the possibly too amateurish questions, bad English, etc.
> Franta Hanzlík
>
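A pre-demotion gate for steps 3, 4 and 6 of the reply above, as an added example that is not part of the original thread or of Samba itself: it parses `samba-tool fsmo show` output and refuses to clear a DC for demotion while that DC still owns any FSMO role. The hostnames (DC1OLD, DC2OLD, DC3NEW), the samdom.example.com naming context and the function names are hypothetical, and the `<Name>Role owner: CN=NTDS Settings,CN=<DC>,...` line format and the count of seven roles are assumptions about the tool's output.

```shell
#!/bin/sh
# Added example: refuse to demote a DC that still owns an FSMO role.
# Input is `samba-tool fsmo show` output; the line format
# "<Name>Role owner: CN=NTDS Settings,CN=<DC>,..." is assumed here.

# Constructed sample: transfer to DC3NEW interrupted, PDC emulator left behind.
sample_fsmo_show() {
    base='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'
    for role in SchemaMaster InfrastructureMaster RidAllocationMaster \
                DomainNamingMaster DomainDnsZonesMaster ForestDnsZonesMaster; do
        echo "${role}Role owner: CN=NTDS Settings,CN=DC3NEW,$base"
    done
    echo "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1OLD,$base"
}

# Print "role owner" pairs, one per line; unparseable lines are dropped.
fsmo_owners() {
    sed -n 's/^\([A-Za-z]*Role\) owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1 \2/p'
}

# roles_held_by DC: roles still owned by DC (hostname compared case-insensitively).
roles_held_by() {
    fsmo_owners | awk -v dc="$1" 'toupper($2) == toupper(dc) { print $1 }'
}

# safe_to_demote DC: 0 = no roles on DC, 1 = DC owns roles, 2 = output incomplete.
safe_to_demote() {
    out=$(cat)
    total=$(printf '%s\n' "$out" | fsmo_owners | cut -d' ' -f1 | sort -u | awk 'END { print NR }')
    held=$(printf '%s\n' "$out" | roles_held_by "$1")
    if [ "$total" -ne 7 ]; then
        echo "expected 7 distinct roles, parsed $total; not demoting" >&2
        return 2
    fi
    if [ -n "$held" ]; then
        echo "$1 still owns:" $held >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample; live: samba-tool fsmo show | safe_to_demote DC1OLD
sample_fsmo_show | safe_to_demote DC1OLD || echo "DC1OLD: transfer roles first"
sample_fsmo_show | safe_to_demote DC2OLD && echo "DC2OLD: no FSMO roles held"
```

Treating truncated or unparseable output as a failure (exit 2) keeps a broken query from being read as "no roles held".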