Re: [Samba] Upgrading from 4.6.x to 4.7.x AD and member server setup - recommended path

Hi Götz,

Am 31.12.2017 um 17:32 schrieb Rowland Penny via samba

On Sun, 31 Dec 2017 16:18:27 +0100
Götz Reinicke via samba


we have three 4.6.x AD servers in a cluster

What do you mean by 'a cluster' ?

If you mean an actual cluster, how are you doing this and why ?

I was a bit misleading, yes, just 3 DCs.

and some member
Fileservers. What is the best/savest/recomended upgrade path?

Can I upgrade the AD servers one by one and run a „mixed“ setup for
some time (minutes) ?

Hopefully you mean that you just have 3 DCs, if this is the case then
it depends on how you are doing the updates. if you are updating using
packages, then the packages should stop Samba before doing the
update. If you are going to compile Samba yourself, you will need to
use the configure options as originally and stop Samba before running
'make install'.
Either way, I would start with the DC holding all the FSMO roles.
Then the other two DCs, one by one.

I’d do the upgrade by rpm.

I did find something in the samba wiki as I had time to google, which says the other way round; starting with a server that dose NOT hols a FSMO.

https://wiki.samba.org/index.php/Updating_Samba#Updating_Multiple_Samba_Domain_Controllers <https://wiki.samba.org/index.php/Updating_Samba#Updating_Multiple_Samba_Domain_Controllers>

If you are updating multiple Samba Active Directory (AD) Domain Controllers (DC), the recommended order is:
Update one Samba AD DC that does not hold any flexible single master operations (FSMO) role.

So thats the way to go ?

And dose all DCs should be shut down at that time?

You can upgrade your DC in-place, just be sure to first make a test upgrade in a sandbox and check that everything is fine after upgrade. You may want to run a dbcheck --cross-ncs, and use --fix if there are any error, and check that you db is fine and that there is no more error after the dbcheck.

About the upgrade order, I usually start upgrades with the DC holding the FSMO role, I am not aware of any drawbacks.

You may check that you have the latest 4.7.4 rpms. Samba 4.7.4 fixes quite a few bugs from the older 4.7 series.

If you are upgrading to 4.7, you might double check in your sandbox that you don't have any duplicate forward link or dangling links after upgrade (dbcheck will tell you that). If you get this problem, be sure to know how to clean that up. Actually this is probably the one case where upgrade by joining a new Samba 4.7 server in your 4.6.x domain and demoting the 4.6.x afterward might help (I didn't check).

Beware that there are a lot of issues that arise from left-overs after demoting a DC. With the recent versions of Samba the command line "samba-tool demote --remove-other-dead-server" is doing a much better job at cleanup though.

Cheers, happy new year 2018,


Regards . Götz

