[Samba] migrate DC from very old version of samba
Rowland Penny
rpenny at samba.org
Mon Mar 31 12:32:24 UTC 2025
On Mon, 31 Mar 2025 13:51:17 +0200
Rémi via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I just found a network with a very old samba version running as ad-dc:
> samba 4.1.6 on debian 7 !
Yikes !!
>
> The file server itself is a recent samba on Debian bookworm, but the
> ad-dc is this beast. And amazingly it's still sort of working: users
> can authenticate and access their files / printers, some GPOs do
> work,...
>
> I just delivered a bunch of recent client computers, latest W11, and
> they could join the domain, but they do not get their GPOs:
>
> event 1097: Windows could not determine the computer account to
> enforce Group Policy settings
>
> I searched the eventlog, and I see that netlogon cannot authenticate
> the computer to the domain (but it could join).
>
> Event 3210: This computer could not authenticate with DCURL, a Windows
> domain controller for domain DOMAINNAME, and therefore...
>
> That's when I started to dig and discover the ancient beast.
>
> From what I read, it seems that old samba do not communicate well with
> newer windows. So I guess I need a newer samba.
>
> Question: as I'm not a very experienced samba admin, what's my best
> course of action here ?
>
> Upgrading that beast to a more recent debian would be time consuming
> and error prone. I'm 5 releases behind, the samba is from backports
> at that time, it also manages dns... the chances for disrupting
> network access for the whole company are serious.
>
> OTOH I can fire up a bookworm vm on another recent server, and install
> bookworm-backport samba there.
This may work, but you may have to do it in two stages: add a machine running
Debian buster, then bookworm.
>
> And then what, just transfer the domain ? How do I do that ? Join as a
> BDC, then transfer FSMO, stop samba on the old beast and it's done ?
That is the easy bit, just joining another DC (not a BDC, that is
something else entirely) will replicate the domain. You will then need
to sync sysvol and idmap.ldb from the old DC to the new and also
transfer FSMO roles, then when you are sure everything is working okay,
demote the old DC and turn it off. You will also need to get the
clients to use the new DC as their nameserver.
>
> Will this work and make win11 machines happy ?
As happy as win11 is ever going to be ;-)
>
> There are traces of two older DCs in that ad, which are not there
> anymore. Might that cause problem ? I can clean it up when samba is up
> to date, but I'd like to be super prudent with that old thing.
You should be able to clean it up afterwards, but may have to do it
first. I do hope you are going to test all this on backups first.
Rowland