Ok, I upgraded Samba from 4.22 to 4.23 (Trixie backports) and this
happened. I started with cleaning up the ldb and tdb files in
/run/samba, /var/cache/samba, /var/lib/samba ...
1. Attempt to join the existing 2019 domain
root@hp-srv12:/etc# samba-tool domain join XYZ.se DC -U "XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
INFO 2025-11-20 17:38:45,883 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable
DC for domain 'xyz.se'
INFO 2025-11-20 17:38:45,991 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #108: Found DC
HP-SRV01.xyzse
Password for [XYZ\Administrator]:
INFO 2025-11-20 17:38:56,201 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #1618: workgroup is XYZ
INFO 2025-11-20 17:38:56,201 pid:5051
/usr/lib/python3/dist-packages/samba/join.py #1621: realm is xyz.se
Adding CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
Adding
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
Adding CN=NTDS
Settings,CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
Deleted CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
Deleted
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
ERROR(runtime): uncaught exception - DsAddEntry failed
File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
387, in _run
return self.run(*args, **kwargs)
~~~~~~~~^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
line 128, in run
join_DC(logger=logger, server=server, creds=creds, lp=lp, domain=domain,
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
site=site, netbios_name=netbios_name, targetdir=targetdir,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...<4 lines>...
backend_store=backend_store,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
backend_store_size=backend_store_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/samba/join.py", line 1634, in
join_DC
ctx.do_join()
~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/samba/join.py", line 1522, in
do_join
ctx.join_add_objects()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/samba/join.py", line 667, in
join_add_objects
ctx.join_add_ntdsdsa()
~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/samba/join.py", line 592, in
join_add_ntdsdsa
ctx.DsAddEntry([rec])
~~~~~~~~~~~~~~^^^^^^^
File "/usr/lib/python3/dist-packages/samba/join.py", line 528, in
DsAddEntry
raise RuntimeError("DsAddEntry failed")
2. Attempt to upgrade the schema (although the join failed)
root@hp-srv12:/etc# samba-tool domain schemaupgrade --schema=2019
ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
file /var/lib/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or
directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with
backend 'tdb': Unable to open tdb
'/var/lib/samba/private/sam.ldb': No
such file or directory
ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb': No such file or directory
So here we are. Some files are required to exist in order to upgrade
the schema, but they do not - is that because the DC still has not
joined the domain?
/Anders
On Thu, Nov 20, 2025 at 3:46 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Thu, 20 Nov 2025 15:24:36 +0100
> Anders Östling via samba <samba at lists.samba.org> wrote:
>
> > Hi Rowland
> >
> > I would love to keep the domain and just replace the DCs. But, as I
> > have asked before, adding a Samba DC to the current Windows (2019)
> > domain does not work for me since there are schema upgrades required,
> > and I can't upgrade the schema since the Samba has not joined the
> > domain yet. I think I referred to a chicken and egg dilemma a week
> > ago. Can you comment on that; how I add a fresh Samba ad-dc
> > installation to a domain that requires schema/function level 2016?
> >
>
> When you first join a DC, it doesn't have a schema, so there is nothing
> to upgrade, the schema is replicated in from the other DC in the join.
>
> As Samba now has the code to work with 2019, a join with the latest
> Samba may work.
> Have you tried cloning the DC with the FSMO roles, sandboxing it and
> attempting a join ?
> If it works, it will be a lot less work ;-)
>
> Rowland
--
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobil)