[Samba] Migration strategy
Travis Wenks
travis at rosecitysolutions.com
Thu Nov 20 22:08:31 UTC 2025
You’re very welcome. Best of luck!
Travis Wenks
Rose City Solutions
travis at rosecitysolutions.com
503-821-7000
> On Nov 20, 2025, at 1:22 PM, Anders Östling <anders.ostling at gmail.com> wrote:
>
> Travis,
>
> I finally made it work after moving FSMO roles from Windows server B
> to A and downgrading the forest and domain (on A). Replication looks
> fine, have checked on both Windows and Samba side. So I will leave it
> as it is for now. If all is good in a few days, I will (after
> snapshotting all 3 nodes) raise the schema level again, starting on
> the Windows side.
> The reason I moved the FSMO roles was that the join operation only
> found server A. Before moving the roles, I shut down A thinking that B
> would step forward. It didn't, the join failed with "No writable DC
> found". So I fired up A and reran the join, now with success.
>
> Thank you for pushing me!
> /Anders
>
>> On Thu, Nov 20, 2025 at 8:55 PM Anders Östling <anders.ostling at gmail.com> wrote:
>>
>> Travis, this might be a way to go forward. I don't think we are using
>> any "modern AD features" since those DCs have been with us since
>> 2012.
>> Do I need to lower the functional level on both Windows DCs before
>> joining the Samba DC?
>> /Anders
>>
>>> On Thu, Nov 20, 2025 at 8:19 PM Travis Wenks
>>> <travis at rosecitysolutions.com> wrote:
>>>
>>> Can you lower the schema level to 2008 for the join, then, when you have removed the Windows DCs, upgrade the schema?
>>> For example:
>>> Downgrade Functional Levels to Windows Server 2008 R2
>>>
>>> This allows Samba to join as a full writable DC but may disable some modern Windows AD features (e.g., certain group policy enhancements or authentication protocols). Only do this if your environment can tolerate it, and back up your AD first.
>>> On the Windows DC:
>>>
>>> Lower the domain functional level:
>>>     Set-ADDomainMode -Identity xyz.se -DomainMode Windows2008R2Domain
>>> Lower the forest functional level:
>>>     Set-ADForestMode -Identity xyz.se -ForestMode Windows2008R2Forest
>>>
>>> Verify the changes with the Get-ADDomain and Get-ADForest commands above.
>>>
>>> On HP-SRV12, clean up any partial Samba state (you already started this—ensure all .ldb and .tdb files are removed from /var/lib/samba, /var/cache/samba, /run/samba, etc.).
>>>
>>> Retry the join:
>>>     samba-tool domain join xyz.se DC -U "XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
>>> If successful, start Samba and verify replication with samba-tool drs showrepl.
>>>
>>> Travis Wenks
>>> Rose City Solutions
>>> Owner
>>> Phone 503.821.7000
>>> Website rosecitysolutions.com
>>> Email travis at rosecitysolutions.com
>>>
>>>
>>> ________________________________
>>> From: samba <samba-bounces at lists.samba.org> on behalf of Anders Östling via samba <samba at lists.samba.org>
>>> Sent: Thursday, November 20, 2025 8:49 AM
>>> To: samba at lists.samba.org <samba at lists.samba.org>
>>> Subject: Re: [Samba] Migration strategy
>>>
>>> Ok, I upgraded Samba from 4.22 to 4.23 (Trixie backports) and this
>>> happened. I started with cleaning up the ldb and tdb files in
>>> /run/samba, /var/cache/samba, /var/lib/samba ...
>>>
>>> 1. Attempt to join the existing 2019 domain
>>>
>>> root@hp-srv12:/etc# samba-tool domain join XYZ.se DC -U "XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
>>> INFO 2025-11-20 17:38:45,883 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable
>>> DC for domain 'xyz.se'
>>> INFO 2025-11-20 17:38:45,991 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #108: Found DC
>>> HP-SRV01.xyzse
>>> Password for [XYZ\Administrator]:
>>> INFO 2025-11-20 17:38:56,201 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #1618: workgroup is XYZ
>>> INFO 2025-11-20 17:38:56,201 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #1621: realm is xyz.se
>>> Adding CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
>>> Adding CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> Adding CN=NTDS Settings,CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>> Join failed - cleaning up
>>> Deleted CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
>>> Deleted CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> ERROR(runtime): uncaught exception - DsAddEntry failed
>>> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
>>> 387, in _run
>>> return self.run(*args, **kwargs)
>>> ~~~~~~~~^^^^^^^^^^^^^^^^^
>>> File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
>>> line 128, in run
>>> join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
>>> ~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> site=site, netbios_name=netbios_name, targetdir=targetdir,
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> ...<4 lines>...
>>> backend_store=backend_store,
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> backend_store_size=backend_store_size)
>>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> File "/usr/lib/python3/dist-packages/samba/join.py", line 1634, in join_DC
>>> ctx.do_join()
>>> ~~~~~~~~~~~^^
>>> File "/usr/lib/python3/dist-packages/samba/join.py", line 1522, in do_join
>>> ctx.join_add_objects()
>>> ~~~~~~~~~~~~~~~~~~~~^^
>>> File "/usr/lib/python3/dist-packages/samba/join.py", line 667, in
>>> join_add_objects
>>> ctx.join_add_ntdsdsa()
>>> ~~~~~~~~~~~~~~~~~~~~^^
>>> File "/usr/lib/python3/dist-packages/samba/join.py", line 592, in
>>> join_add_ntdsdsa
>>> ctx.DsAddEntry([rec])
>>> ~~~~~~~~~~~~~~^^^^^^^
>>> File "/usr/lib/python3/dist-packages/samba/join.py", line 528, in DsAddEntry
>>> raise RuntimeError("DsAddEntry failed")
>>>
>>> 2. Attempt to upgrade the schema (although the join failed)
>>>
>>> root@hp-srv12:/etc# samba-tool domain schemaupgrade --schema=2019
>>> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
>>> file /var/lib/samba/private/sam.ldb: No such file or directory
>>> Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
>>> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with
>>> backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No
>>> such file or directory
>>> ERROR(ldb): uncaught exception - Unable to open tdb
>>> '/var/lib/samba/private/sam.ldb': No such file or directory
>>>
>>> So here we are. Some files are required to exist in order to upgrade
>>> the schema, but they do not - is that because the DC still has not
>>> joined the domain?
>>>
>>> /Anders
>>>
>>> On Thu, Nov 20, 2025 at 3:46 PM Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>>
>>>> On Thu, 20 Nov 2025 15:24:36 +0100
>>>> Anders Östling via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi Rowland
>>>>>
>>>>> I would love to keep the domain and just replace the DC's. But, as I
>>>>> have asked before, adding a Samba DC to the current Windows (2019)
>>>>> domain does not work for me since there are schema upgrades required,
>>>>> and I can't upgrade the schema since the Samba has not joined the
>>>>> domain yet. I think I referred to a chicken and egg dilemma a week
>>>>> ago. Can you comment on that; how do I add a fresh Samba ad-dc
>>>>> installation to a domain that requires schema/function level 2016?
>>>>>
>>>>
>>>> When you first join a DC, it doesn't have a schema, so there is nothing
>>>> to upgrade, the schema is replicated in from the other DC in the join.
>>>>
>>>> As Samba now has the code to work with 2019, a join with the latest
>>>> Samba may work.
>>>> Have you tried cloning the DC with the FSMO roles, sandboxing it and
>>>> attempting a join?
>>>> If it works, it will be a lot less work ;-)
>>>>
>>>> Rowland
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>> --
>>> ------ -------------------- 8 ------------------ ------
>>> "A wise man once told me - Any idiot can do backups, but it takes a
>>> genius to successfully restore"
>>>
>>> Anders Östling
>>> +46 768 716 165 (Mobil)
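The Samba-side steps from the quoted advice (clear stale .ldb/.tdb state, retry the join, check replication), as an added example that is not part of the original thread. It moves the old databases aside instead of deleting them; the function name, the REJOIN_NOW switch, the backup path and the samba-ad-dc unit name are assumptions.

```shell
#!/bin/sh
# Added example: stash stale Samba databases before retrying a DC join.

# stash_samba_state BACKUP_DIR DIR...
# Moves every *.ldb / *.tdb file under each DIR into BACKUP_DIR, keeping the
# original path below it, and prints how many files were moved.
# BACKUP_DIR must not be inside any DIR.
stash_samba_state() {
    ss_backup=$1; shift
    ss_list=$(mktemp) || return 1
    for ss_dir in "$@"; do
        [ -d "$ss_dir" ] || continue          # e.g. /run/samba may not exist
        find "$ss_dir" -type f \( -name '*.ldb' -o -name '*.tdb' \) >> "$ss_list"
    done
    ss_moved=0
    while IFS= read -r ss_file; do
        ss_dest="$ss_backup/$ss_file"
        mkdir -p "$(dirname "$ss_dest")" && mv "$ss_file" "$ss_dest" || return 1
        ss_moved=$((ss_moved + 1))
    done < "$ss_list"
    rm -f "$ss_list"
    echo "$ss_moved"
}

# Runs only when explicitly requested, as root on the joining host.
if [ "${REJOIN_NOW:-}" = "yes" ]; then
    systemctl stop samba-ad-dc               # Debian unit name (assumption)
    backup="/root/samba-prejoin-$(date +%Y%m%d%H%M%S)"   # hypothetical path
    count=$(stash_samba_state "$backup" \
        /var/lib/samba /var/cache/samba /run/samba) || exit 1
    echo "moved $count database files to $backup"

    # Join command as given in the thread; stop here if it fails.
    samba-tool domain join xyz.se DC -U "XYZ\Administrator" \
        --option="dns forwarder=8.8.8.8 1.1.1.1" || exit 1

    systemctl start samba-ad-dc
    samba-tool drs showrepl                  # verify replication
fi
```
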