[Samba] migrate DC from very old version of samba

Rémi sambalist at lybrafox.be
Mon Mar 31 11:51:17 UTC 2025


Hello,

I just found a network with a very old samba version running as ad-dc:
samba 4.1.6 on debian 7!

The file server itself is a recent samba on Debian bookworm, but the
ad-dc is this beast. And amazingly it's still sort of working: users can
authenticate and access their files / printers, some GPOs do work,...

I just delivered a bunch of recent client computers, latest W11, and
they could join the domain, but they do not get their GPOs:

event 1097: Windows could not determine the computer account to enforce
Group Policy settings

I searched the eventlog, and I see that netlogon cannot authenticate the
computer to the domain (but it could join).

Event 3210: This computer could not authenticate with DCURL, a Windows
domain controller for domain DOMAINNAME, and therefore...

That's when I started to dig and discover the ancient beast.

From what I read, it seems that old samba does not communicate well with
newer windows. So I guess I need a newer samba.

Question: as I'm not a very experienced samba admin, what's my best
course of action here?

Upgrading that beast to a more recent debian would be time consuming and
error prone. I'm 5 releases behind, the samba is from backports at that
time, it also manages dns... the chances for disrupting network access
for the whole company are serious.

OTOH I can fire up a bookworm vm on another recent server, and install
bookworm-backports samba there.

And then what, just transfer the domain? How do I do that? Join as a
BDC, then transfer FSMO, stop samba on the old beast and it's done?

Will this work and make win11 machines happy?

There are traces of two older DCs in that ad, which are not there
anymore. Might that cause problems? I can clean it up when samba is up
to date, but I'd like to be super prudent with that old thing.

Thanks,
-- 
Rémi
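The "join a second DC, transfer FSMO, stop the old one" sequence asked about above has one step where being prudent pays off: do not stop the old DC until every FSMO role is confirmed to sit on the new one. The script below is an added example for this list reply, not code from the thread or from the Samba project. It assumes the standard `samba-tool` commands named in its header comment, a `samba-tool fsmo show` output format of one `<Role> owner: CN=NTDS Settings,CN=<DC>,...` line per role, and placeholder DC names NEWDC/OLDDC; the sample outputs it runs against are constructed, not captured from a real DC.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check before the old DC is
# shut down: confirm that every FSMO role is now owned by the new DC.
#
# Assumed sequence on the new bookworm host (standard samba-tool commands;
# samdom.example.com, NEWDC and OLDDC are placeholders):
#   samba-tool domain join samdom.example.com DC -Uadministrator
#   samba-tool fsmo transfer --role=all
#   samba-tool fsmo show | fsmo_roles_on NEWDC     # the check defined below
#   samba-tool drs showrepl                         # replication healthy?
# Only then demote or stop the old DC. Stale objects of DCs that no longer
# exist can be removed afterwards with
#   samba-tool domain demote --remove-other-dead-server=<name>

# The seven roles `samba-tool fsmo show` reports (assumed output format:
# "<Role> owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...").
EXPECTED_ROLES="SchemaMasterRole InfrastructureMasterRole RidAllocationMasterRole \
PdcEmulationMasterRole DomainNamingMasterRole DomainDnsZonesMasterRole ForestDnsZonesMasterRole"

# fsmo_roles_on <DC name>   (reads `samba-tool fsmo show` output on stdin)
# Returns 0 when all seven roles are owned by <DC name>; otherwise prints every
# missing or foreign-owned role to stderr and returns 1.
fsmo_roles_on() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    # Reduce each owner line to "<Role> <DC>" by picking the CN right after "NTDS Settings".
    pairs=$(sed -n 's/^\([A-Za-z]*\) owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1 \2/p')
    bad=0
    for role in $EXPECTED_ROLES; do
        owner=$(printf '%s\n' "$pairs" | awk -v r="$role" '$1 == r { print $2; exit }' \
                | tr '[:lower:]' '[:upper:]')
        if [ -z "$owner" ]; then
            echo "MISSING: $role not reported at all" >&2
            bad=1
        elif [ "$owner" != "$want" ]; then
            echo "NOT MOVED: $role still owned by $owner" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed sample outputs (not captured from a real DC) to try the check offline.
fsmo_sample() {   # fsmo_sample <DC name>: all seven roles owned by that DC
    for role in $EXPECTED_ROLES; do
        echo "$role owner: CN=NTDS Settings,CN=$1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com"
    done
}
fsmo_sample_partial() {   # transfer interrupted: PDC emulator still on the old DC
    fsmo_sample NEWDC | grep -v '^PdcEmulationMasterRole '
    echo "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com"
}

# Self-check on the constructed samples when run directly.
fsmo_sample NEWDC | fsmo_roles_on NEWDC && echo "sample 1: all roles on NEWDC, safe to proceed"
fsmo_sample_partial | fsmo_roles_on NEWDC || echo "sample 2: a role is still on the old DC, do not stop it yet"
```

On a real host, source the file and pipe the live output into the function: `. ./fsmo_check.sh; samba-tool fsmo show | fsmo_roles_on NEWDC`. The check deliberately fails on a role that is simply absent from the output, since a silently missing role is exactly the case where stopping the old DC would leave nobody holding it.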
