Franta Hanzlík
2025-Jun-29 17:11 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
We are preparing to upgrade our two Samba AD DCs during this school holidays. Both current DCs are x86_64 VMs with Samba 4.9.5, AD schema = 47 (Server 2008R2), there is one AD domain. We expect to upgrade to Samba 4.20.* or 4.22.* and AD schema to current Server 2019 or 2022.

Can you please advise on the optimal upgrade procedure, and possibly give some general recommendations and warnings about possible issues?

According to the Samba Wiki at https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC , it seems that this procedure might work:

- on FSMO DC, backup domain (samba-tool domain backup online ...)
- demote non-FSMO DC (samba-tool domain demote ...), shutdown VM
- run new VM with actual Samba-4.22.x DC installed, with same hostname, realm,... as had previously removed machine.
- join to domain (samba-tool domain join ...)
- start Samba and run AD replication status and Samba AD DC database check (samba-tool drs showrepl ... / samba-tool dbcheck ...)
- transfer FSMO role to newly joined DC (samba-tool fsmo transfer...) (is it really needed? What about seizing a FSMO role at the whole end? - but the Wiki says FSMO transfer is recommended before seizing)
- demote former FSMO, stop Samba and shutdown this old VM
- run another new VM with actual Samba-4.22.x DC prepared, with same hostname, realm,... as had previously removed former FSMO.
- join it to AD, start Samba, check replication and DB status, maybe transfer FSMO here again.. (or seize FSMO here?)
- upgrade AD schema version (samba-tool domain schemaupgrade...) to value 88

Apart from the fact that I am not sure that the above procedure is correct and optimal, there are still some ambiguities, e.g.:

- already mentioned above - can there be no server FSMO role defined anywhere (during the upgrade)? (and then seizing at the final end)
- Since Samba-4.9.5 supports a higher (but experimental) schema 69 (Server 2012R2), wouldn't it be better to upgrade the AD schema to this level on the old DCs (and at the end only do a schema upgrade 69 -> 88)?

--
I apologize for the possibly too amateurish questions, bad English, etc.
Franta Hanzlík
Peter Milesson
2025-Jun-29 18:06 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
On 29.06.2025 19:11, Franta Hanzlík via samba wrote:
> We are preparing to upgrade our two Samba AD DCs during this school
> holidays. Both current DCs are x86_64 VMs with Samba 4.9.5, AD schema
> = 47 (Server 2008R2), there is one AD domain.
> We expect to upgrade to Samba 4.20.* or 4.22.* and AD schema to current
> Server 2019 or 2022.
>
> Can you please advise on the optimal upgrade procedure, and possibly
> give some general recommendations and warnings about possible issues?
>
> According to the Samba Wiki at
> https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
> , it seems that this procedure might work:
>
> - on FSMO DC, backup domain (samba-tool domain backup online ...)
> - demote non-FSMO DC (samba-tool domain demote ...), shutdown VM
> - run new VM with actual Samba-4.22.x DC installed, with same hostname,
> realm,... as had previously removed machine.
> - join to domain (samba-tool domain join ...)
> - start Samba and run AD replication status and Samba AD DC database
> check (samba-tool drs showrepl ... / samba-tool dbcheck ...)
> - transfer FSMO role to newly joined DC (samba-tool fsmo transfer...)
> (is it really needed? What about seizing a FSMO role at the whole end?
> - but the Wiki says FSMO transfer is recommended before seizing)
> - demote former FSMO, stop Samba and shutdown this old VM
> - run another new VM with actual Samba-4.22.x DC prepared, with same
> hostname, realm,... as had previously removed former FSMO.
> - join it to AD, start Samba, check replication and DB status, maybe
> transfer FSMO here again.. (or seize FSMO here?)
> - upgrade AD schema version (samba-tool domain schemaupgrade...) to
> value 88
>
> Apart from the fact that I am not sure that the above procedure is correct
> and optimal, there are still some ambiguities, e.g.:
>
> - already mentioned above - can there be no server FSMO role defined
> anywhere (during the upgrade)? (and then seizing at the final end)
> - Since Samba-4.9.5 supports a higher (but experimental) schema 69
> (Server 2012R2), wouldn't it be better to upgrade the AD schema to this
> level on the old DCs (and at the end only do a schema upgrade 69 -> 88)?

Hi Franta,

I have upgraded a few times, and I have found that the simplest way is creating one or more AD DCs on VMs from the most recent Debian backports, and joining them to the existing domain. When everything seems to work, transfer the FSMO roles, and demote the old DCs. After that, you can raise the forest and domain levels. And if you don't use rfc2307, make sure to disable this when promoting the new DCs.

Trying to upgrade the old DCs is asking for lots of trouble. Installing new VMs is really a snap, cheap and efficient.

Just as a side note, I set up a new Windows 2025 DC in a VM a few days ago, and that was an experience I wish nobody will experience. Incredibly buggy. At one point, I was almost on the way to throw it out and replace it with a Windows 2022 DC. Never had those problems with Samba.

HTH.

Best regards,

Peter
Rowland Penny
2025-Jun-29 18:23 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
On Sun, 29 Jun 2025 19:11:47 +0200 Franta Hanzlík via samba <samba at lists.samba.org> wrote:
> We are preparing to upgrade our two Samba AD DCs during this school
> holidays. Both current DCs are x86_64 VMs with Samba 4.9.5, AD schema
> = 47 (Server 2008R2), there is one AD domain.
> We expect to upgrade to Samba 4.20.* or 4.22.* and AD schema to
> current Server 2019 or 2022.

I would suggest you upgrade to the highest Samba version possible and then upgrade on a regular basis, certainly sooner than your apparent every five years or so.

> Can you please advise on the optimal upgrade procedure, and possibly
> give some general recommendations and warnings about possible issues?
>
> According to the Samba Wiki at
> https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
> , it seems that this procedure might work:
>
> - on FSMO DC, backup domain (samba-tool domain backup online ...)

At this point, as you are using VMs, I would install a new VM and join that as a DC; this will raise the schema version to 2012R2 (you can raise it further later). Transfer the FSMO roles to this DC. You can call this DC whatever you like, it is just a temporary DC to hold your domain.

> - demote non-FSMO DC (samba-tool domain demote ...), shutdown VM
> - run new VM with actual Samba-4.22.x DC installed, with same
> hostname, realm,... as had previously removed machine.
> - join to domain (samba-tool domain join ...)
> - start Samba and run AD replication status and Samba AD DC database
> check (samba-tool drs showrepl ... / samba-tool dbcheck ...)

Do this for all of your existing DCs (you could change everything if you want; every DC will become a new DC, all that will be the same is the hostname and IP).

> - transfer FSMO role to newly joined DC (samba-tool fsmo transfer...)
> (is it really needed? What about seizing a FSMO role at the whole
> end?
> - but the Wiki says FSMO transfer is recommended before seizing)

Seizing is a last resort method; in fact, if you run the command without the '--force' switch, it will attempt to transfer the roles first.

> - demote former FSMO, stop Samba and shutdown this old VM
> - run another new VM with actual Samba-4.22.x DC prepared, with same
> hostname, realm,... as had previously removed former FSMO.
> - join it to AD, start Samba, check replication and DB status, maybe
> transfer FSMO here again.. (or seize FSMO here?)

Once you have all the new DCs running correctly, transfer the FSMO roles to whichever DC you like, just be aware that this does not make it the 'pdc' or 'primary'; all DCs are equal, it is just that some have FSMO roles. At this point, you can now demote and shutdown the temporary DC.

There is a possible gotcha though: when you transfer the PDC_Emulator FSMO role, a new DNS record could be created and there is nothing to delete the old one. You have to manually delete it.

> - upgrade AD schema version (samba-tool domain schemaupgrade...) to
> value 88
>
> Apart from the fact that I am not sure that the above procedure is
> correct and optimal, there are still some ambiguities, e.g.:
>
> - already mentioned above - can there be no server FSMO role defined
> anywhere (during the upgrade)? (and then seizing at the final end)

You must have FSMO roles assigned somewhere, or your domain will not function correctly.

> - Since Samba-4.9.5 supports a higher (but experimental) schema 69
> (Server 2012R2), wouldn't it be better to upgrade the AD schema to
> this level on the old DCs (and at the end only do a schema upgrade 69 ->
> 88)?

Just joining a later version of Samba will upgrade the schema to 69; you then have to upgrade to 88 manually, but only when all DCs are capable.

Rowland
Luis Peromarta
2025-Jun-29 18:30 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
Hi there.

The Oracle has already spoken (@Rowland). I will give you some links. This is what I would do:

First, there is a chance you may need to do this in 2 stages, as 4.9 to 4.22 may be a bit too extreme.

0.- Back up both VMs, just in case.

1.- Do a good check on the DCs: http://samba.bigbird.es/doku.php?id=samba:dc-maintenance

2.- Install and join a new DC using Debian 12; you will need a new name for the machine: http://samba.bigbird.es/doku.php?id=samba:aditional-dc
If you get errors with this join, chances are you may need to get an intermediate version (Debian 11 and Samba 4.13). If so, restore the VMs from backup and try Debian 11.

3.- All going well, you now have 3 DCs. Transfer the FSMO roles to the new one: http://samba.bigbird.es/doku.php?id=samba:fsmo-roles

4.- Demote one of the older DCs: http://samba.bigbird.es/doku.php?id=samba:demote-dc

5.- Install an additional new DC as in (2).

6.- Demote the other, older DC as in (4).

7.- Once all has been tested with Samba 4.17, upgrade to 4.22 using backports:
Using backports: http://samba.bigbird.es/doku.php?id=samba:installing-from-backports
Upgrade: http://samba.bigbird.es/doku.php?id=samba:upgrade-sama

8.- Once all done, check you only have one entry for the PDC Emulator role: http://samba.bigbird.es/doku.php?id=samba:fsmo-roles

Note: If you are using "idmap_ldb:use rfc2307 = yes" I recommend you don't. http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307

On 29 Jun 2025 at 18:31 +0100, Franta Hanzlík via samba <samba at lists.samba.org>, wrote:
> We are preparing to upgrade our two Samba AD DCs during this school
> holidays. Both current DCs are x86_64 VMs with Samba 4.9.5, AD schema
> = 47 (Server 2008R2), there is one AD domain.
> We expect to upgrade to Samba 4.20.* or 4.22.* and AD schema to current
> Server 2019 or 2022.
>
> Can you please advise on the optimal upgrade procedure, and possibly
> give some general recommendations and warnings about possible issues?
>
> According to the Samba Wiki at
> https://wiki.samba.org/index.php/Upgrading_a_Samba_AD_DC
> , it seems that this procedure might work:
>
> - on FSMO DC, backup domain (samba-tool domain backup online ...)
> - demote non-FSMO DC (samba-tool domain demote ...), shutdown VM
> - run new VM with actual Samba-4.22.x DC installed, with same hostname,
> realm,... as had previously removed machine.
> - join to domain (samba-tool domain join ...)
> - start Samba and run AD replication status and Samba AD DC database
> check (samba-tool drs showrepl ... / samba-tool dbcheck ...)
> - transfer FSMO role to newly joined DC (samba-tool fsmo transfer...)
> (is it really needed? What about seizing a FSMO role at the whole end?
> - but the Wiki says FSMO transfer is recommended before seizing)
> - demote former FSMO, stop Samba and shutdown this old VM
> - run another new VM with actual Samba-4.22.x DC prepared, with same
> hostname, realm,... as had previously removed former FSMO.
> - join it to AD, start Samba, check replication and DB status, maybe
> transfer FSMO here again.. (or seize FSMO here?)
> - upgrade AD schema version (samba-tool domain schemaupgrade...) to
> value 88
>
> Apart from the fact that I am not sure that the above procedure is correct
> and optimal, there are still some ambiguities, e.g.:
>
> - already mentioned above - can there be no server FSMO role defined
> anywhere (during the upgrade)? (and then seizing at the final end)
> - Since Samba-4.9.5 supports a higher (but experimental) schema 69
> (Server 2012R2), wouldn't it be better to upgrade the AD schema to this
> level on the old DCs (and at the end only do a schema upgrade 69 -> 88)?
> --
> I apologize for the possibly too amateurish questions, bad English, etc.
> Franta Hanzlík
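A post-migration check script covering Rowland's replication, dbcheck and FSMO points and Luis's step 8 (exactly one PDC Emulator entry), as an added example that is not from this thread or from Samba itself; DOMAIN and the sample DC names are constructed placeholders, and the script is meant to run on one of the new DCs.

```shell
#!/bin/sh
# Post-migration checks for the DC replacement discussed in this thread.
# Added example, not code from the thread or from the Samba project.
# Assumes samba-tool and host(1) are on PATH and this runs on a new DC;
# DOMAIN is a constructed placeholder for the AD DNS domain.
DOMAIN="${DOMAIN:-samdom.example.com}"

# stdin: `samba-tool drs showrepl` output. Prints how many partner entries
# report a non-zero "consecutive failure(s)" count (0 is healthy).
repl_failures() {
    grep -Ec '[1-9][0-9]* consecutive failure' || true
}

# stdin: `samba-tool fsmo show` output (lines look like
# "PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,..."). Prints each
# distinct NTDS Settings DN that owns at least one role.
fsmo_holders() {
    sed -n 's/^[A-Za-z]*Role owner: //p' | sort -u
}

# Exit 0 only when every role is held by one DC: the state you want before
# demoting the old FSMO holder and after the temporary DC is gone.
fsmo_single_holder() {
    [ "$(fsmo_holders | wc -l | tr -d ' ')" -eq 1 ]
}

# stdin: `host -t SRV _ldap._tcp.pdc._msdcs.<domain>` output. Prints the
# number of SRV answers; two means the old PDC emulator's record survived the
# transfer (Rowland's gotcha) and must be deleted by hand.
count_pdc_srv() {
    grep -c 'has SRV record' || true
}

# Run the live checks; returns 1 if any of them fails.
run_checks() {
    rc=0
    out=$(samba-tool drs showrepl) || { echo "FAIL: showrepl did not run"; rc=1; }
    [ "$(printf '%s\n' "$out" | repl_failures)" -eq 0 ] || { echo "FAIL: replication partners report failures"; rc=1; }
    samba-tool dbcheck --cross-ncs >/dev/null || { echo "FAIL: dbcheck reported errors"; rc=1; }
    samba-tool fsmo show | fsmo_single_holder || { echo "FAIL: FSMO roles are split across DCs"; rc=1; }
    n=$(host -t SRV "_ldap._tcp.pdc._msdcs.$DOMAIN" | count_pdc_srv)
    [ "$n" -eq 1 ] || { echo "FAIL: $n PDC emulator SRV records, expected 1"; rc=1; }
    return $rc
}
```

Call `run_checks` after each join/transfer/demote step; a non-zero exit tells you which of the four conditions to look at before moving on to the schema upgrade.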