
Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7

I did a similar DC upgrade from 4.1.13 to 4.6.6 (like your option 1, upgrading the existing AD servers; I have two, and upgraded the non-FSMO one first), and I didn't have any issues with the DC upgrade itself.
But be careful with your member servers. After the upgrade, I had to change some default values on the file servers:

1. The samba 3.5.10 member server (rpm from CentOS 6.2) lost its connection to the samba 4.6.6 AD. I had to add the following to fix the default values:
     client NTLMv2 auth = yes
     ntlm auth = No
     client ldap sasl wrapping = sign
     winbind use default domain = yes
2. The samba 3.6.23 member server (rpm from CentOS 6.8) and samba 4.6.6 need this change:
     winbind use default domain = yes
3. My TeraStation NAS storage server lost its connection to the samba 4.6.6 AD. I had to move it to a Samba 4.6.6 member server and get rid of the TeraStation NAS storage server; too much headache with TeraStation. Setting up a samba 4.6.6 member server is easier, and you can control everything on the member server.
4. The squid-cache proxy server cannot do ldap to the new AD; I had to change it to ldaps (of course with some changes in /etc/openldap/ldap.conf).

My AD environment may be different from yours. I don't use or configure anything else on the DC (pretty standard from the samba doc), but you have a print server on it. It's better to test it, and also test your Synology NAS servers with the new DC. But how? Maybe you have support from Synology?


On 8/21/2017 8:33 AM, Rowland Penny via samba wrote:
On Mon, 21 Aug 2017 15:52:01 +0400
HB via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hello all,

Our Samba AD DC is running perfectly for years with the following
basic setup (see smb.conf below) :
       - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from
       - internal DNS
       - this DC is also a Print Server
       - about 400 PC workstations (mainly win7 Pro / win10 Pro and
some XP Pro), and about 300 users
       - several Synology NAS file servers joined as domain members

Since 4.1.7 is quite old, I would like to upgrade to the last stable
Samba 4.6.7.
I wonder what is the best way to make this upgrade without any risks
to break the links between PCs and the domain in production.

I see two alternatives :
1) As described in Wiki > Updating_Samba :
      Upgrade the running DC :
	- Compile the last stable release 4.6.7
	- stop samba
	- install 4.6.7 over the 4.1.7
	- make the Database Check and fix errors if any
	- restart samba
In this alternative, would it be more careful to gradually upgrade
to each major release with some tests between each (4.1.7 to 4.2,
then 4.2 to 4.3, ..., then 4.5 to 4.6)?
Or should installing 4.6.7 directly over 4.1.7 not cause any problem?
2) Add a new DC :
	- create and add a new DC based on samba 4.6.7 (CentOS 7) to
the domain
	- transfer the FSMO roles from old 4.1.7 DC to the new DC (no
incompatibility between 4.1 and 4.6 ?)
	- replicate the sysvol dir to the new DC
	after validation that everything is ok , either :
	- demote the old DC
	- or upgrade the old DC to 4.6.7 also and keep it as
secondary DC

My questions are the following :
- Are my two alternatives correct ? Any comments are welcome .
- Are there any problems I have to anticipate ?
- What would be your advice for making this upgrade in the most secure
way, knowing that the DC is in production and my absolute priority is
to have no impact on the clients. I can schedule the operation
outside working hours, but I can't accept any interruption during the
open days.
- The current DC is also a Print server, is there an easy way to
change a DC to a simple Domain member (that keeps the print server

Normally, both of your suggested ways would be valid, but, because of
the big jump between versions and the large amount of changes that
have occurred, I would tend to go with your second option and add a
new DC and then demote the old DC.

You cannot directly demote a DC to a Unix domain member, you would
have to join it to the domain, so I would take this chance to update the
OS and then set up Samba etc. as shown on the wiki.

I would also consider adding a second DC, just in case.


Allen Chen
Network Administrator

Harbourfront Centre

235 Queens Quay West, Toronto, ON
M5J 2G8, Canada | harbourfrontcentre.com
Office: +1 416 973 7973
Cell: +1 416 556 2493
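The four member-server settings in the reply above are the kind of thing worth auditing before a DC cutover rather than discovering after it. The script below is an added example written for this page, not code from the thread or from the Samba project: it reads the [global] section of an smb.conf the way Samba does (parameter names compared ignoring case and whitespace, the last definition of a name wins, share sections not consulted) and prints the lines that are still missing or set to a different value. The smb.conf it writes to a temporary file is constructed for the demo; the expected values are the ones listed in the reply, while the helper names and the assumption that the file has no "include =" directives are mine.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: audit the [global]
# section of a Samba member server's smb.conf for the four settings the
# reply above had to set by hand after its DCs moved to 4.6.x, and print
# the lines that still need to be added or changed. Read-only: it never
# touches the live configuration.
#
# Assumptions: standard INI-style smb.conf with no "include =" lines;
# Samba's rule that parameter names are matched ignoring case and
# whitespace, and that the last definition of a parameter wins.

# get_global_param FILE NAME -> prints the value of NAME in [global], if set
get_global_param() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    awk -v want="$want" '
        /^[[:space:]]*[#;]/ { next }                 # comment lines
        /^[[:space:]]*\[/ {                          # section header
            sec = tolower($0)
            gsub(/\[|\]|[[:space:]]/, "", sec)
            next
        }
        sec == "global" && index($0, "=") > 0 {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", key)             # "Ntlm Auth" -> "ntlmauth"
            sub(/^[[:space:]]+/, "", val)
            sub(/[[:space:]]+$/, "", val)
            if (key == want) last = val              # last definition wins
        }
        END { if (last != "") print last }
    ' "$1"
}

# norm VALUE -> lower-case canonical form; Samba boolean spellings collapse
# to yes/no so "True" and "yes" compare equal
norm() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$v" in
        yes|true|1|on)   echo yes ;;
        no|false|0|off)  echo no ;;
        *)               printf '%s\n' "$v" ;;
    esac
}

# missing_settings FILE -> prints "name = wanted" for every setting from the
# reply that is absent from [global] or set differently; nothing if all match
missing_settings() {
    printf '%s\n' \
        'client NTLMv2 auth = yes' \
        'ntlm auth = no' \
        'client ldap sasl wrapping = sign' \
        'winbind use default domain = yes' |
    while IFS= read -r line; do
        name=${line%% = *}
        wanted=${line#* = }
        have=$(get_global_param "$1" "$name")
        if [ "$(norm "$have")" != "$(norm "$wanted")" ]; then
            printf '%s\n' "$line"
        fi
    done
}

# write_sample_conf FILE -> constructed member-server smb.conf for the demo:
# NTLMv1 still permitted, SASL wrapping unset, odd casing on one parameter,
# and a share-level "ntlm auth" that must NOT satisfy the [global] check
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   Client NTLMv2 Auth = true
   # Samba 4.5 changed the default of "ntlm auth" to no; the reply sets it explicitly
   ntlm auth = yes
   winbind use default domain = yes

[data]
   path = /srv/data
   # share-level lines are not consulted for the [global] audit
   ntlm auth = no
EOF
}

# Stand-alone demo on the constructed file; no live system is touched
tmp=$(mktemp)
write_sample_conf "$tmp"
printf 'Lines to add or change in [global] of %s:\n' "$tmp"
missing_settings "$tmp"
rm -f "$tmp"
```

Point it at a real file with `missing_settings /etc/samba/smb.conf` and append whatever it prints to the [global] section; on a live member server, `testparm -s` afterwards confirms Samba parses the result the same way.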
