Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7

Hi Allen, 

Thank you for your advice.
All my member servers and Synology NAS units are at least Samba 4.4.13, so I am confident it should be OK.

Henri

> -----Original Message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of Allen
> Chen via samba
> Sent: Monday 21 August 2017 18:34
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7
> 
> I did a similar DC upgrade from 4.1.13 to 4.6.6 (like your option 1, upgrade on
> existing AD servers; I have two, first upgrade on the non-FSMO one),
> and I don't have any issues with the DC upgrade itself.
> But be careful with your member servers. After the upgrade, I had to
> change some default values on file servers:
> 1. samba 3.5.10 member server (rpm from CentOS 6.2) lost connection to
> samba 4.6.6 AD, I had to add the following to fix the default values:
>   client NTLMv2 auth = yes
>   ntlm auth = No
>   client ldap sasl wrapping = sign
>   winbind use default domain = yes
> 2. samba 3.6.23 member server (rpm from CentOS 6.8) and samba 4.6.6 need
> this change:
>   winbind use default domain = yes
> 3. My TeraStation NAS storage server lost connection to samba 4.6.6 AD, I
> had to move it to a Samba 4.6.6 member server,
>   and get rid of the TeraStation NAS storage server, too much headache with
> TeraStation. Setting up a samba 4.6.6 member server is easier,
>   and you can control everything on the member server.
> 4. squid-cache proxy server cannot ldap to the new AD, I had to change it to
> ldaps (of course some changes in /etc/openldap/ldap.conf).
> 
> My AD environment may be different from yours. I don't use or configure
> anything else on the DC (pretty standard from the samba doc), but you have a
> print server on it. It's better to test it, and also test your Synology NAS servers
> with the new DC, but how? You may have support from Synology?
> 
> Allen
> 
> On 8/21/2017 8:33 AM, Rowland Penny via samba wrote:
> > On Mon, 21 Aug 2017 15:52:01 +0400
> > HB via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hello all,
> >>
> >> Our Samba AD DC has been running perfectly for years with the following
> >> basic setup (see smb.conf below):
> >>        - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from
> >> sources)
> >>        - internal DNS
> >>        - this DC is also a Print Server
> >>        - about 400 PC workstations (mainly win7 Pro / win10 Pro and
> >> some XP Pro), and about 300 users
> >>        - several Synology NAS file servers joined as domain members
> >>
> >> Since 4.1.7 is quite old, I would like to upgrade to the latest stable
> >> Samba 4.6.7.
> >> I wonder what the best way is to make this upgrade without any risk
> >> of breaking the links between PCs and the domain in production.
> >>
> >> I see two alternatives:
> >> 1) As described in Wiki > Updating_Samba:
> >>       Upgrade the running DC:
> >> 	- Compile the latest stable release 4.6.7
> >> 	- stop samba
> >> 	- install 4.6.7 over the 4.1.7
> >> 	- run the database check and fix errors if any
> >> 	- restart samba
> >> In this alternative, would it be more careful to gradually upgrade
> >> to each major release with some tests between each (4.1.7 to 4.2,
> >> then 4.2 to 4.3, ..., then 4.5 to 4.6)?
> >> Or should installing 4.6.7 directly over 4.1.7 not cause any problem?
> >>
> >> 2) Add a new DC:
> >> 	- create and add a new DC based on samba 4.6.7 (CentOS 7) to the
> >> domain
> >> 	- transfer the FSMO roles from the old 4.1.7 DC to the new DC (no
> >> incompatibility between 4.1 and 4.6?)
> >> 	- replicate the sysvol dir to the new DC
> >>
> >> 	after validation that everything is OK, either:
> >> 	- demote the old DC
> >> 	- or upgrade the old DC to 4.6.7 as well and keep it as a secondary DC
> >>
> >> My questions are the following:
> >> - Are my two alternatives correct? Any comments are welcome.
> >> - Are there any problems I have to anticipate?
> >> - What would be your advice to make this upgrade in the most secure
> >> way, knowing that the DC is in production and my absolute priority is
> >> to have no impact on the clients? I can schedule the operation
> >> outside working hours, but I can't accept any interruption during
> >> open days.
> >> - The current DC is also a print server, is there an easy way to
> >> change a DC to a simple domain member (that keeps the print server
> >> role)?
> >>
> > Normally, both of your suggested ways would be valid, but, because of
> > the big jump between versions and the large amount of changes that
> > have occurred, I would tend to go with your second option and add a
> > new DC and then demote the old DC.
> >
> > You cannot directly demote a DC to a Unix domain member, you would
> > have to join it to the domain, so I would take this chance to update the
> > OS and then set up Samba etc. as shown on the wiki.
> >
> > I would also consider adding a second DC, just in case.
> >
> > Rowland
> >
> >
> 
> --
> Allen Chen
> Network Administrator
> IT
> 
> Harbourfront Centre
> 
> 235 Queens Quay West, Toronto, ON
> M5J 2G8, Canada | harbourfrontcentre.com
> <http://www.harbourfrontcentre.com>
> Office: +1 416 973 7973
> Cell: +1 416 556 2493


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
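The member-server settings Allen lists in his item 1 are the practical pre-flight check for any member that will talk to a 4.6.x DC, and the trap he describes is that the values he had to add were previously supplied by version defaults, so an `smb.conf` that simply lacks the lines tells you nothing until you compare it against what you actually want. The script below is an added example, not code from this thread or from the Samba project: it reads the `[global]` section of an `smb.conf`, compares it against those four parameters, and reports `ok`, `missing` or `mismatch` per parameter with a non-zero exit status if anything needs changing. The two sample config files, the function names and the `REQUIRED` list are constructed here; treating lines before the first section header as global is an assumption made in the parser. On a real server, feed it the output of `testparm -s` (or `testparm -v`, which also prints parameters left at their defaults) rather than the raw file, so that you audit effective values instead of whatever happens to be written down.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): audit a member
# server's smb.conf for the [global] values Allen Chen reported needing on a
# 3.5.x member after the DC moved to Samba 4.6.x.

# Effective value of one [global] parameter. Samba parameter names are
# case-insensitive and ignore internal whitespace, and a later occurrence
# overrides an earlier one. Assumption: lines before any section header
# are treated as [global].
smb_global_value() {
    conf=$1
    key=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -v want="$key" '
        BEGIN { sec = "global" }
        /^[ \t]*[#;]/ { next }                                    # comment line
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
        sec == "global" && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            if (name == want) {
                last = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", last)
            }
        }
        END { if (last != "") print last }
    ' "$conf"
}

# Samba accepts yes/true/1 and no/false/0 for booleans; fold them for comparison.
smb_normalise() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        yes|true|1) printf 'yes\n' ;;
        no|false|0)  printf 'no\n' ;;
        *)           printf '%s\n' "$lower" ;;
    esac
}

# Required values, one "parameter=value" per line (Allen's item 1).
REQUIRED='client NTLMv2 auth=yes
ntlm auth=no
client ldap sasl wrapping=sign
winbind use default domain=yes'

# One line per parameter (ok / missing / mismatch); returns 1 if any change is needed.
smb_audit() {
    conf=$1
    rc=0
    oldifs=$IFS
    IFS='
'
    for entry in $REQUIRED; do
        IFS=$oldifs
        param=${entry%%=*}
        want=${entry#*=}
        have=$(smb_global_value "$conf" "$param")
        if [ -z "$have" ]; then
            printf 'missing  %s (want %s)\n' "$param" "$want"
            rc=1
        elif [ "$(smb_normalise "$have")" != "$(smb_normalise "$want")" ]; then
            printf 'mismatch %s = %s (want %s)\n' "$param" "$have" "$want"
            rc=1
        else
            printf 'ok       %s = %s\n' "$param" "$have"
        fi
    done
    IFS=$oldifs
    return $rc
}

# Constructed sample: a member server still carrying 3.5.x-era settings.
# "winbind use default domain" is deliberately placed in a share section,
# where it does not apply.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS
    # NTLMv1 still permitted
    ntlm auth = yes
    Client NTLMv2 Auth = Yes
[data]
    path = /srv/data
    winbind use default domain = yes
EOF

# Constructed sample: the same server with Allen's four values applied.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS
    client NTLMv2 auth = yes
    ntlm auth = no
    client ldap sasl wrapping = sign
    winbind use default domain = yes
EOF
trap 'rm -f "$SAMPLE_CONF" "$FIXED_CONF"' EXIT

smb_audit "$SAMPLE_CONF" || echo "-> fix these before pointing the server at the new DC"
smb_audit "$FIXED_CONF"  && echo "-> ready"
```

On the constructed 3.5.x-style file the audit reports `ntlm auth` as a mismatch (NTLMv1 still enabled), `client ldap sasl wrapping` and `winbind use default domain` as missing, and only `client NTLMv2 auth` as ok; the corrected file passes cleanly. The list in `REQUIRED` is exactly what Allen reported for his environment, so extend it with whatever else your own `testparm -v` diff between old and new versions turns up.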