Hello all, Our Samba AD DC is running perfectly for years with the following basic setup (see smb.conf below) : - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from sources) - internal DNS - this DC is also a Print Server - about 400 PC workstations (mainly win7 Pro / win10 Pro and some XP Pro), and about 300 users - several Synology NAS file servers joined as domain members Since 4.1.7 is quite old, I would like to upgrade to the last stable Samba 4.6.7. I wonder what is the best way to make this upgrade without any risks to break the links between PCs and the domain in production. I see two alternatives : 1) As described in Wiki > Updating_Samba : Upgrade the running DC : - Compile the last stable release 4.6.7 - stop samba - install 4.6.7 over the 4.1.7 - make the Database Check and fix errors if any - restart samba In this alternative , would it be much careful to gradually upgrade to each major release after some tests between each (4.1.7 to 4.2 then 4.2 to 4.3 , ... , then 4.5 to 4.6) ? Or install directly 4.6.7 over 4.1.7 should not cause any problem ? 2) Add a new DC : - create and add a new DC based on samba 4.6.7 (CentOS 7) to the domain - transfer the FSMO roles from old 4.1.7 DC to the new DC (no incompatibility between 4.1 and 4.6 ?) - replicate the sysvol dir to the new DC after validation that everything is ok , either : - demote the old DC - or upgrade the old DC to 4.6.7 also and keep it as secondary DC My questions are the following : - Are my two alternatives correct ? Any comments are welcome . - Are there any problems I have to anticipate ? - What would be your advices to make this upgrade the most secured way, knowing that the DC is in production and my absolute priority is to have no implication on the clients. I can schedule the operation out of worked hours, but I can't assume any interruption during the opened days. - The current DC is also a Print server, is there an easy way to change a DC to a simple Domain member (that keeps the print server role)? Here is my smb.conf of the currently running DC : # Global parameters [global] log level = 1 max log size = 100000 workgroup = MYDOM server string = Serveur MYDOM realm = MYDOM.MYCOMP.FR netbios name = DC1 server role = active directory domain controller dns forwarder = 123.123.123.1 idmap_ldb:use rfc2307 = yes rpc_server:spoolss = external rpc_daemon:spoolssd = fork load printers = no [netlogon] path = /usr/local/samba/var/locks/sysvol/mydom.mycomp.fr/scripts read only = No browseable = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No browseable = No [printers] path = /var/spool/samba comment = Public Printers printable = yes printing = cups [print$] path = /home/samba/Printer_drivers comment = Printer Drivers writeable = yes Many thanks in advance for any advice. Henri
On Mon, 21 Aug 2017 15:52:01 +0400 HB via samba <samba at lists.samba.org> wrote:> Hello all, > > Our Samba AD DC is running perfectly for years with the following > basic setup (see smb.conf below) : > - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from > sources) > - internal DNS > - this DC is also a Print Server > - about 400 PC workstations (mainly win7 Pro / win10 Pro and > some XP Pro), and about 300 users > - several Synology NAS file servers joined as domain members > > Since 4.1.7 is quite old, I would like to upgrade to the last stable > Samba 4.6.7. > I wonder what is the best way to make this upgrade without any risks > to break the links between PCs and the domain in production. > > I see two alternatives : > 1) As described in Wiki > Updating_Samba : > Upgrade the running DC : > - Compile the last stable release 4.6.7 > - stop samba > - install 4.6.7 over the 4.1.7 > - make the Database Check and fix errors if any > - restart samba > In this alternative , would it be much careful to gradually upgrade > to each major release after some tests between each (4.1.7 to 4.2 > then 4.2 to 4.3 , ... , then 4.5 to 4.6) ? > Or install directly 4.6.7 over 4.1.7 should not cause any problem ? > > 2) Add a new DC : > - create and add a new DC based on samba 4.6.7 (CentOS 7) to > the domain > - transfer the FSMO roles from old 4.1.7 DC to the new DC (no > incompatibility between 4.1 and 4.6 ?) > - replicate the sysvol dir to the new DC > > after validation that everything is ok , either : > - demote the old DC > - or upgrade the old DC to 4.6.7 also and keep it as > secondary DC > > My questions are the following : > - Are my two alternatives correct ? Any comments are welcome . > - Are there any problems I have to anticipate ? > - What would be your advices to make this upgrade the most secured > way, knowing that the DC is in production and my absolute priority is > to have no implication on the clients. I can schedule the operation > out of worked hours, but I can't assume any interruption during the > opened days. > - The current DC is also a Print server, is there an easy way to > change a DC to a simple Domain member (that keeps the print server > role)? >Normally, both of your suggested ways would be valid, but, because of the big jump between versions and the large amount of changes that have occurred, I would tend to go with your second option and add a new DC and then demote the old DC. You cannot directly demote a DC to a Unix domain member, you would have join it to the domain, so I would take this chance to update the OS and then set up Samba etc as shown on the wiki. I would also consider adding a second DC, just in case. Rowland
I did a similar DC upgrade from 4.1.13 to 4.6.6(like your option 1, upgrade on existing AD servers, I have two, first upgrade on none-FSMO). and I don't have any issues with the DC upgrade itself. But be careful with your member servers. After the upgrade, I have to change some default values on file servers: 1. samba 3.5.10 member server(rpm from CentOS 6.2) lost connection to samba 4.6.6 AD, I have to add the following to fix the default values: client NTLMv2 auth = yes ntlm auth = No client ldap sasl wrapping = sign winbind use default domain = yes 2. samba 3.6.23 member server(rpm from CentOS 6.8) and samba 4.6.6 need this change: winbind use default domain = yes 3. My TeraStation NAS storage server lost connection to samba 4.6.6 AD, I have to move it to a Samba 4.6.6 member server, and get rid of the TeraStation NAS storage server, too much headache with TeraStation. Setting up a samba 4.6.6 member server is easier. and you can control everything on the member server. 4. squid-cache proxy server cannot ldap to the new AD, I have to change it to ldaps(of cause some changes in /etc/openldap/ldap.conf). My AD environment may be different from yours. I don't use and configure anything else on the DC(pretty standard from samba doc) , but you have printer server on it. It's better to test it, also test your Synology NAS servers with the new DC, but how? you may have support from Synology? Allen On 8/21/2017 8:33 AM, Rowland Penny via samba wrote:> On Mon, 21 Aug 2017 15:52:01 +0400 > HB via samba <samba at lists.samba.org> wrote: > >> Hello all, >> >> Our Samba AD DC is running perfectly for years with the following >> basic setup (see smb.conf below) : >> - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from >> sources) >> - internal DNS >> - this DC is also a Print Server >> - about 400 PC workstations (mainly win7 Pro / win10 Pro and >> some XP Pro), and about 300 users >> - several Synology NAS file servers joined as domain members >> >> Since 4.1.7 is quite old, I would like to upgrade to the last stable >> Samba 4.6.7. >> I wonder what is the best way to make this upgrade without any risks >> to break the links between PCs and the domain in production. >> >> I see two alternatives : >> 1) As described in Wiki > Updating_Samba : >> Upgrade the running DC : >> - Compile the last stable release 4.6.7 >> - stop samba >> - install 4.6.7 over the 4.1.7 >> - make the Database Check and fix errors if any >> - restart samba >> In this alternative , would it be much careful to gradually upgrade >> to each major release after some tests between each (4.1.7 to 4.2 >> then 4.2 to 4.3 , ... , then 4.5 to 4.6) ? >> Or install directly 4.6.7 over 4.1.7 should not cause any problem ? >> >> 2) Add a new DC : >> - create and add a new DC based on samba 4.6.7 (CentOS 7) to >> the domain >> - transfer the FSMO roles from old 4.1.7 DC to the new DC (no >> incompatibility between 4.1 and 4.6 ?) >> - replicate the sysvol dir to the new DC >> >> after validation that everything is ok , either : >> - demote the old DC >> - or upgrade the old DC to 4.6.7 also and keep it as >> secondary DC >> >> My questions are the following : >> - Are my two alternatives correct ? Any comments are welcome . >> - Are there any problems I have to anticipate ? >> - What would be your advices to make this upgrade the most secured >> way, knowing that the DC is in production and my absolute priority is >> to have no implication on the clients. I can schedule the operation >> out of worked hours, but I can't assume any interruption during the >> opened days. >> - The current DC is also a Print server, is there an easy way to >> change a DC to a simple Domain member (that keeps the print server >> role)? >> > Normally, both of your suggested ways would be valid, but, because of > the big jump between versions and the large amount of changes that > have occurred, I would tend to go with your second option and add a > new DC and then demote the old DC. > > You cannot directly demote a DC to a Unix domain member, you would > have join it to the domain, so I would take this chance to update the > OS and then set up Samba etc as shown on the wiki. > > I would also consider adding a second DC, just in case. > > Rowland > >-- Allen Chen Network Administrator IT Harbourfront Centre 235 Queens Quay West, Toronto, ON M5J 2G8, Canada | harbourfrontcentre.com <http://www.harbourfrontcentre.com> Office: +1 416 973 7973 Cell: +1 416 556 2493
> -----Message d'origine----- > De : samba [mailto:samba-bounces at lists.samba.org] De la part de Rowland > Penny via samba > Envoyé : lundi 21 août 2017 16:34 > À : samba at lists.samba.org > Objet : Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7 > > On Mon, 21 Aug 2017 15:52:01 +0400 > HB via samba <samba at lists.samba.org> wrote: > > > Hello all, > > > > Our Samba AD DC is running perfectly for years with the following > > basic setup (see smb.conf below) : > > - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from > > sources) > > - internal DNS > > - this DC is also a Print Server > > - about 400 PC workstations (mainly win7 Pro / win10 Pro and > > some XP Pro), and about 300 users > > - several Synology NAS file servers joined as domain members > > > > Since 4.1.7 is quite old, I would like to upgrade to the last stable > > Samba 4.6.7. > > I wonder what is the best way to make this upgrade without any risks > > to break the links between PCs and the domain in production. > > > > I see two alternatives : > > 1) As described in Wiki > Updating_Samba : > > Upgrade the running DC : > > - Compile the last stable release 4.6.7 > > - stop samba > > - install 4.6.7 over the 4.1.7 > > - make the Database Check and fix errors if any > > - restart samba > > In this alternative , would it be much careful to gradually upgrade to > > each major release after some tests between each (4.1.7 to 4.2 then > > 4.2 to 4.3 , ... , then 4.5 to 4.6) ? > > Or install directly 4.6.7 over 4.1.7 should not cause any problem ? > > > > 2) Add a new DC : > > - create and add a new DC based on samba 4.6.7 (CentOS 7) to the > > domain > > - transfer the FSMO roles from old 4.1.7 DC to the new DC (no > > incompatibility between 4.1 and 4.6 ?) > > - replicate the sysvol dir to the new DC > > > > after validation that everything is ok , either : > > - demote the old DC > > - or upgrade the old DC to 4.6.7 also and keep it as secondary DC > > > > My questions are the following : > > - Are my two alternatives correct ? Any comments are welcome . > > - Are there any problems I have to anticipate ? > > - What would be your advices to make this upgrade the most secured > > way, knowing that the DC is in production and my absolute priority is > > to have no implication on the clients. I can schedule the operation > > out of worked hours, but I can't assume any interruption during the > > opened days. > > - The current DC is also a Print server, is there an easy way to > > change a DC to a simple Domain member (that keeps the print server > > role)? > > > > Normally, both of your suggested ways would be valid, but, because of the > big jump between versions and the large amount of changes that have > occurred, I would tend to go with your second option and add a new DC and > then demote the old DC. > > You cannot directly demote a DC to a Unix domain member, you would have > join it to the domain, so I would take this chance to update the OS and then > set up Samba etc as shown on the wiki. > > I would also consider adding a second DC, just in case. > > RowlandThanks Rowland for your advice. In order to transform the old DC + Print Server to a member print server , I plan the following operations : 1- transfer the FSMO roles to the new DC New-DC# samba-tool fsmo transfer --role=all 2- demote the old DC Old-DC# samba-tool demote -Uadministrator 3- stop the samba service 4- change smb.conf for a domain member 5- join the the domain Old-DC# net ads join -Uadministrator 6- Start winbindd , smbd, nmbd services Am I correct ? Will I have to recreate printers and upload the printer drivers again or will all the print stuff remain from the old DC configuration? Thanks a lot.
> -----Message d'origine----- > De : samba [mailto:samba-bounces at lists.samba.org] De la part de Rowland > Penny via samba > Envoyé : lundi 21 août 2017 16:34 > À : samba at lists.samba.org > Objet : Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7 > > On Mon, 21 Aug 2017 15:52:01 +0400 > HB via samba <samba at lists.samba.org> wrote: > > > Hello all, > > > > Our Samba AD DC is running perfectly for years with the following > > basic setup (see smb.conf below) : > > - one DC running Samba 4.1.7 / CentOS 6.5 (compiled from > > sources) > > - internal DNS > > - this DC is also a Print Server > > - about 400 PC workstations (mainly win7 Pro / win10 Pro and > > some XP Pro), and about 300 users > > - several Synology NAS file servers joined as domain members > > > > Since 4.1.7 is quite old, I would like to upgrade to the last stable > > Samba 4.6.7. > > I wonder what is the best way to make this upgrade without any risks > > to break the links between PCs and the domain in production. > > > > I see two alternatives : > > 1) As described in Wiki > Updating_Samba : > > Upgrade the running DC : > > - Compile the last stable release 4.6.7 > > - stop samba > > - install 4.6.7 over the 4.1.7 > > - make the Database Check and fix errors if any > > - restart samba > > In this alternative , would it be much careful to gradually upgrade to > > each major release after some tests between each (4.1.7 to 4.2 then > > 4.2 to 4.3 , ... , then 4.5 to 4.6) ? > > Or install directly 4.6.7 over 4.1.7 should not cause any problem ? > > > > 2) Add a new DC : > > - create and add a new DC based on samba 4.6.7 (CentOS 7) to the > > domain > > - transfer the FSMO roles from old 4.1.7 DC to the new DC (no > > incompatibility between 4.1 and 4.6 ?) > > - replicate the sysvol dir to the new DC > > > > after validation that everything is ok , either : > > - demote the old DC > > - or upgrade the old DC to 4.6.7 also and keep it as secondary DC > > > > My questions are the following : > > - Are my two alternatives correct ? Any comments are welcome . > > - Are there any problems I have to anticipate ? > > - What would be your advices to make this upgrade the most secured > > way, knowing that the DC is in production and my absolute priority is > > to have no implication on the clients. I can schedule the operation > > out of worked hours, but I can't assume any interruption during the > > opened days. > > - The current DC is also a Print server, is there an easy way to > > change a DC to a simple Domain member (that keeps the print server > > role)? > > > > Normally, both of your suggested ways would be valid, but, because of the > big jump between versions and the large amount of changes that have > occurred, I would tend to go with your second option and add a new DC and > then demote the old DC. > > You cannot directly demote a DC to a Unix domain member, you would have > join it to the domain, so I would take this chance to update the OS and then > set up Samba etc as shown on the wiki. > > I would also consider adding a second DC, just in case. > > RowlandHi, I have begun to add a new 4.6.7 DC (following Joining_a_Samba_DC_to_an_Existing_Active_Directory ). At the Joining_the_Active_Directory_as_a_Domain_Controller step I got the following error : [root at newdc samba]# samba-tool domain join my-domain.mycomp.fr DC -U"MY-DOMAIN\administrator" Finding a writeable DC for domain 'my-domain.mycomp.fr' Found DC dc1.my-domain.mycomp.fr Password for [MY-DOMAIN\administrator]: workgroup is MY-DOMAIN realm is my-domain.mycomp.fr Adding CN=NEWDC,OU=Domain Controllers,DC=my-domain,DC=mycomp,DC=fr Adding CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr Adding CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr Adding SPNs to CN=NEWDC,OU=Domain Controllers,DC=my-domain,DC=mycomp,DC=fr Setting account password for NEWDC$ Enabling account Calling bare provision Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema A Kerberos configuration suitable for Samba AD has been generated at /usr/local/samba/private/krb5.conf Provision OK for domain DN DC=my-domain,DC=mycomp,DC=fr Starting replication Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[402/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[804/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[1206/1550] linked_values[0/0] Schema-DN[CN=Schema,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[1550/1550] linked_values[0/0] Analyze and apply schema objects Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[402/1624] linked_values[0/0] Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[804/1624] linked_values[0/0] Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[1206/1624] linked_values[0/0] Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[1608/1624] linked_values[0/0] Partition[CN=Configuration,DC=my-domain,DC=mycomp,DC=fr] objects[1624/1624] linked_values[38/0] Replicating critical objects from the base DN of the domain Partition[DC=my-domain,DC=mycomp,DC=fr] objects[97/97] linked_values[27/0] Partition[DC=my-domain,DC=mycomp,DC=fr] objects[499/1791] linked_values[0/0] Partition[DC=my-domain,DC=mycomp,DC=fr] objects[901/1791] linked_values[0/0] Partition[DC=my-domain,DC=mycomp,DC=fr] objects[1303/1791] linked_values[0/0] Partition[DC=my-domain,DC=mycomp,DC=fr] objects[1705/1791] linked_values[0/0] Partition[DC=my-domain,DC=mycomp,DC=fr] objects[1888/1791] linked_values[1190/0] Done with always replicated NC (base, config, schema) Replicating DC=DomainDnsZones,DC=my-domain,DC=mycomp,DC=fr Join failed - cleaning up Deleted CN=NEWDC,OU=Domain Controllers,DC=my-domain,DC=mycomp,DC=fr Deleted CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr Deleted CN=NEWDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my-domain,DC=mycomp,DC=fr ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR') File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run return self.run(*args, **kwargs) File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 661, in run machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1269, in join_DC ctx.do_join() File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 1177, in do_join ctx.join_replicate() File "/usr/local/samba/lib64/python2.7/site-packages/samba/join.py", line 918, in join_replicate replica_flags=ctx.replica_flags) File "/usr/local/samba/lib64/python2.7/site-packages/samba/drs_utils.py", line 254, in replicate (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req) [root at newdc samba]# I recall that my olddc is samba 4.1.7 , here is its smb.conf : [global] log level = 1 max log size = 100000 workgroup = MY-DOMAIN server string = Serveur MY-DOMAIN realm = MY-DOMAIN.MYCOMP.FR netbios name = DC1 server role = active directory domain controller dns forwarder = 123.123.123.1 idmap_ldb:use rfc2307 = yes rpc_server:spoolss = external rpc_daemon:spoolssd = fork load printers = no Is there an incompatibility between 4.6.7 and 4.1.7 ? Thanks in advance Henri