Web lists-archives.com

Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7




On Sat, 26 Aug 2017 11:28:00 +0400
HB via samba <samba@xxxxxxxxxxxxxxx> wrote:

> > -----Message d'origine-----
> > De : samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] De la part de
> > Rowland Penny via samba
> > Envoyé : lundi 21 août 2017 16:34
> > À : samba@xxxxxxxxxxxxxxx
> > Objet : Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7
> > 
> > On Mon, 21 Aug 2017 15:52:01 +0400
> > HB via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > 
> > > Hello all,
> > >
> > > Our Samba AD DC is running perfectly for years with the following
> > > basic setup (see smb.conf below) :
> > >       - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from
> > > sources)
> > >       - internal DNS
> > >       - this DC is also a Print Server
> > >       - about 400 PC workstations (mainly win7 Pro / win10 Pro and
> > > some XP Pro), and about 300 users
> > >       - several Synology NAS file servers joined as domain members
> > >
> > > Since 4.1.7 is quite old, I would like to upgrade to the last
> > > stable Samba 4.6.7.
> > > I wonder what is the best way to make this upgrade without any
> > > risks to break the links between PCs and the domain in production.
> > >
> > > I see two alternatives :
> > > 1) As described in Wiki > Updating_Samba :
> > >      Upgrade the running DC :
> > > 	- Compile the last stable release 4.6.7
> > > 	- stop samba
> > > 	- install 4.6.7 over the 4.1.7
> > > 	- make the Database Check and fix errors if any
> > > 	- restart samba
> > > In this alternative , would it be much careful to gradually
> > > upgrade to each major release after some tests between each
> > > (4.1.7 to 4.2 then 4.2 to 4.3 , ... , then 4.5 to 4.6) ?
> > > Or install directly 4.6.7 over 4.1.7 should not cause any
> > > problem ?
> > >
> > > 2) Add a new DC :
> > > 	- create and add a new DC based on samba 4.6.7 (CentOS 7)
> > > to the domain
> > > 	- transfer the FSMO roles from old 4.1.7 DC to the new DC
> > > (no incompatibility between 4.1 and 4.6 ?)
> > > 	- replicate the sysvol dir to the new DC
> > >
> > > 	after validation that everything is ok , either :
> > > 	- demote the old DC
> > > 	- or upgrade the old DC to 4.6.7 also and keep it as
> > > secondary DC
> > >
> > > My questions are the following :
> > > - Are my two alternatives correct ? Any comments are welcome .
> > > - Are there any problems I have to anticipate ?
> > > - What would be your advices to make this upgrade the most secured
> > > way, knowing that the DC is in production and my absolute
> > > priority is to have no implication on the clients. I can schedule
> > > the operation out of worked hours, but I can't assume any
> > > interruption during the opened days.
> > > - The current DC is also a Print server, is there an easy way to
> > > change a DC to a simple Domain member (that keeps the print server
> > > role)?
> > >
> > 
> > Normally, both of your suggested ways would be valid, but, because
> > of the big jump between versions and the large amount of changes
> > that have occurred, I would tend to go with your second option and
> > add a new DC and then demote the old DC.
> > 
> > You cannot directly demote a DC to a Unix domain member, you would
> > have join it to the domain, so I would take this chance to update
> > the OS and then set up Samba etc as shown on the wiki.
> > 
> > I would also consider adding a second DC, just in case.
> > 
> > Rowland
> Hi, 
> 
> I have begun to add a new 4.6.7 DC  (following
> Joining_a_Samba_DC_to_an_Existing_Active_Directory ). At the
> Joining_the_Active_Directory_as_a_Domain_Controller step I got the
> following error : 
> 
> [root@newdc samba]# samba-tool domain join my-domain.mycomp.fr DC
> -U"MY-DOMAIN\administrator" Finding a writeable DC for domain
> 'my-domain.mycomp.fr' Found DC dc1.my-domain.mycomp.fr
> Password for [MY-DOMAIN\administrator]:
> workgroup is MY-DOMAIN
> realm is my-domain.mycomp.fr
> Adding CN=NEWDC,OU=Domain Controllers,DC=my-domain,DC=mycomp,DC=fr
> Adding
> CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr
> Adding CN=NTDS
> Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr
> Adding SPNs to CN=NEWDC,OU=Domain
> Controllers,DC=my-domain,DC=mycomp,DC=fr Setting account password for
> NEWDC$ Enabling account Calling bare provision Looking up IPv4
> addresses Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba AD has been generated
> at /usr/local/samba/private/krb5.conf Provision OK for domain DN
> DC=my-domain,DC=mycomp,DC=fr Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[1550/1550] linked_values[0/0] Analyze and apply schema
> objects Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[402/1624] linked_values[0/0]
> Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[804/1624] linked_values[0/0]
> Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[1206/1624] linked_values[0/0]
> Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[1608/1624] linked_values[0/0]
> Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr]
> objects[1624/1624] linked_values[38/0] Replicating critical objects
> from the base DN of the domain
> Partition[DC=my-domain,DC=mycomp,DC=fr] objects[97/97]
> linked_values[27/0] Partition[DC=my-domain,DC=mycomp,DC=fr]
> objects[499/1791] linked_values[0/0]
> Partition[DC=my-domain,DC=mycomp,DC=fr] objects[901/1791]
> linked_values[0/0] Partition[DC=my-domain,DC=mycomp,DC=fr]
> objects[1303/1791] linked_values[0/0]
> Partition[DC=my-domain,DC=mycomp,DC=fr] objects[1705/1791]
> linked_values[0/0] Partition[DC=my-domain,DC=mycomp,DC=fr]
> objects[1888/1791] linked_values[1190/0] Done with always replicated
> NC (base, config, schema) Replicating
> DC=DomainDnsZones,DC=my-domain,DC=mycomp,DC=fr Join failed - cleaning
> up Deleted CN=NEWDC,OU=Domain
> Controllers,DC=my-domain,DC=mycomp,DC=fr Deleted CN=NTDS
> Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr
> Deleted
> CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr
> ERROR(runtime): uncaught exception - (8442,
> 'WERR_DS_DRA_INTERNAL_ERROR') File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run return self.run(*args, **kwargs) File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 661, in run machinepass=machinepass, use_ntvfs=use_ntvfs,
> dns_backend=dns_backend) File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 1269, in join_DC ctx.do_join() File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 1177, in do_join ctx.join_replicate() File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line
> 918, in join_replicate replica_flags=ctx.replica_flags) File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py",
> line 254, in replicate (level, ctr) =
> self.drs.DsGetNCChanges(self.drs_handle, req_level, req) [root@newdc
> samba]#
> 
> 
> I recall that my olddc is samba 4.1.7 , here is its smb.conf : 
> [global]
>         log level = 1
>         max log size = 100000
>         workgroup = MY-DOMAIN
>         server string = Serveur MY-DOMAIN
>         realm = MY-DOMAIN.MYCOMP.FR
>         netbios name = DC1
>         server role = active directory domain controller
>         dns forwarder = 123.123.123.1 
>         idmap_ldb:use rfc2307 = yes
> 
>         rpc_server:spoolss = external
>         rpc_daemon:spoolssd = fork
> 
>         load printers = no
> 
> Is there an incompatibility between 4.6.7 and 4.1.7 ? 
> 
> Thanks in advance 
> 
> Henri 
> 
> 

Not that I am aware, there have been a lot of changes between the
versions, but the underlying database hasn't changed.
Have you tried running 'samba-tool dbcheck' ?

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba