[Samba] Migration strategy

Travis Wenks travis at rosecitysolutions.com
Thu Nov 20 19:19:12 UTC 2025


Can you lower the schema level to 2008 for the join then when you have removed the windows dc's upgrade the schema?
For example:
Downgrade Functional Levels to Windows Server 2008 R2

This allows Samba to join as a full writable DC but may disable some modern Windows AD features (e.g., certain group policy enhancements or authentication protocols). Only do this if your environment can tolerate it, and back up your AD first.
On the Windows DC:

Lower the domain functional level:

    Set-ADDomainMode -Identity xyz.se -DomainMode Windows2008R2Domain

Lower the forest functional level:

    Set-ADForestMode -Identity xyz.se -ForestMode Windows2008R2Forest

Verify the changes with the Get-ADDomain and Get-ADForest commands above.

On HP-SRV12, clean up any partial Samba state (you already started this—ensure all .ldb and .tdb files are removed from /var/lib/samba, /var/cache/samba, /run/samba, etc.).

Retry the join:

    samba-tool domain join xyz.se DC -U "XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"

If successful, start Samba and verify replication with samba-tool drs showrepl.

Travis Wenks
Rose City Solutions
Owner
Phone 503.821.7000
Website rosecitysolutions.com
Email travis at rosecitysolutions.com
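Before and after running the Set-ADDomainMode / Set-ADForestMode steps above, it helps to have one read-only view of the domain and forest levels, the schema version and the DCs that are still in the domain. The script below is an added example written for this thread, not code from Travis's message or from the Samba project; it assumes the RSAT ActiveDirectory module on a Windows DC and a target of msDS-Behavior-Version 4 (Windows Server 2008 R2).

```powershell
# Added example for this thread (not code from the original message).
# Read-only pre-check to run on a Windows DC as a domain admin before and
# after lowering the functional levels. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADLevelState {
    param(
        # msDS-Behavior-Version the domain/forest should be at for the join;
        # 4 = Windows Server 2008 R2 (the target in the suggestion above)
        [int]$TargetLevel = 4
    )
    $rootDse = Get-ADRootDSE
    $domain  = Get-ADDomain
    $forest  = Get-ADForest
    # objectVersion on the Schema NC is the AD schema version
    # (47 = 2008 R2, 69 = 2012 R2, 87 = 2016, 88 = 2019/2022);
    # changing the functional level does not change this number.
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext `
                            -Properties objectVersion
    $domainLevel = [int]$rootDse.domainFunctionality
    $forestLevel = [int]$rootDse.forestFunctionality

    [PSCustomObject]@{
        Domain           = $domain.DNSRoot
        DomainMode       = $domain.DomainMode      # e.g. Windows2016Domain
        DomainLevel      = $domainLevel
        ForestMode       = $forest.ForestMode
        ForestLevel      = $forestLevel
        SchemaVersion    = $schema.objectVersion
        SchemaMaster     = $forest.SchemaMaster
        PdcEmulator      = $domain.PDCEmulator
        TargetLevel      = $TargetLevel
        NeedsDomainLower = $domainLevel -gt $TargetLevel
        NeedsForestLower = $forestLevel -gt $TargetLevel
    }
}

$state = Get-ADLevelState -TargetLevel 4
$state | Format-List

# Every DC the new Samba DC could replicate from, with its OS version.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site |
    Format-Table -AutoSize

if ($state.NeedsDomainLower -or $state.NeedsForestLower) {
    Write-Warning ("Functional level is above msDS-Behavior-Version " +
                   "$($state.TargetLevel); back up AD before lowering it.")
}
```

Run it once more after the Set-AD*Mode commands: DomainLevel and ForestLevel should now read 4 while SchemaVersion stays where it was.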


________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Anders Östling via samba <samba at lists.samba.org>
Sent: Thursday, November 20, 2025 8:49 AM
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Migration strategy

Ok, I upgraded Samba from 4.22 to 4.23 (Trixie backports) and this
happened. I started with cleaning up the ldb and tdb files in
/run/samba, /var/cache/samba, /var/lib/samba ...

1. Attempt to join the existing 2019 domain

root at hp-srv12:/etc# samba-tool domain join XYZ.se DC -U
"XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
INFO 2025-11-20 17:38:45,883 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable
DC for domain 'xyz.se'
INFO 2025-11-20 17:38:45,991 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #108: Found DC
HP-SRV01.xyzse
Password for [XYZ\Administrator]:
INFO 2025-11-20 17:38:56,201 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #1618: workgroup is XYZ
INFO 2025-11-20 17:38:56,201 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #1621: realm is xyz.se
Adding CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
Adding CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
Adding CN=NTDS Settings,CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
Deleted CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
387, in _run
    return self.run(*args, **kwargs)
           ~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
line 128, in run
    join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
    ~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            site=site, netbios_name=netbios_name, targetdir=targetdir,
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    ...<4 lines>...
            backend_store=backend_store,
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            backend_store_size=backend_store_size)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1634, in join_DC
    ctx.do_join()
    ~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/samba/join.py", line 1522, in do_join
    ctx.join_add_objects()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/samba/join.py", line 667, in
join_add_objects
    ctx.join_add_ntdsdsa()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/samba/join.py", line 592, in
join_add_ntdsdsa
    ctx.DsAddEntry([rec])
    ~~~~~~~~~~~~~~^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/join.py", line 528, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")

2. Attempt to upgrade the schema (although the join failed)

root at hp-srv12:/etc# samba-tool domain schemaupgrade --schema=2019
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
file /var/lib/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with
backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No
such file or directory
ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb': No such file or directory

So here we are. Some files are required to exist in order to upgrade
the schema, but they do not - is that because the DC still has not
joined the domain?

/Anders

On Thu, Nov 20, 2025 at 3:46 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Thu, 20 Nov 2025 15:24:36 +0100
> Anders Östling via samba <samba at lists.samba.org> wrote:
>
> > Hi Rowland
> >
> > I would love to keep the domain and just replace the DCs. But, as I
> > have asked before, adding a Samba DC to the current Windows (2019)
> > domain does not work for me since there are schema upgrades required,
> > and I can't upgrade the schema since the Samba has not joined the
> > domain yet. I think I referred to a chicken and egg dilemma a week
> > ago. Can you comment on that; how do I add a fresh Samba ad-dc
> > installation to a domain that requires schema/function level 2016?
> >
>
> When you first join a DC, it doesn't have a schema, so there is nothing
> to upgrade, the schema is replicated in from the other DC in the join.
>
> As Samba now has the code to work with 2019, a join with the latest
> Samba may work.
> Have you tried cloning the DC with the FSMO roles, sandboxing it and
> attempting a join?
> If it works, it will be a lot less work ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



--
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders Östling
+46 768 716 165 (Mobil)
