samba - Nov 2025 - Migration strategy

Travis,

I finally made it work after moving FSMO roles from Windows server B
to A and downgrading the forest and domain (on A). Replication looks
fine, have checked on both Windows and Samba side. So I will leave it
as it is for now. If all is good in a few days, I will (after
snapshotting all 3 nodes) raise the schema level again, starting on
the Windows side.
The reason I moved the FSMO roles was that the join operation only
found server A. Before moving the roles, I shutdown A thinking that B
would step forward. It didn't, the join failed with "No writable DC
found". So I fired up A and rerun the join, now with success.

Thank you for pushing me!
/Anders

On Thu, Nov 20, 2025 at 8:55?PM Anders ?stling <anders.ostling at
gmail.com> wrote:
>
> Travis, this might be a way to go forward. I don't think we are using
> any "modern AD features" since those DC's have been with us
since
> 2012.
> Do I need to lower the functional level on both Windows DC's before
> joining the Samba DC?
> /Anders
>
> On Thu, Nov 20, 2025 at 8:19?PM Travis Wenks
> <travis at rosecitysolutions.com> wrote:
> >
> > Can you lower the schema level to 2008 for the join then when you have
removed the windows dc's upgrade the schema?
> > For example:
> > Downgrade Functional Levels to Windows Server 2008 R2
> >
> > This allows Samba to join as a full writable DC but may disable some
modern Windows AD features (e.g., certain group policy enhancements or
authentication protocols). Only do this if your environment can tolerate it, and
back up your AD first.
> > On the Windows DC:
> >
> > Lower the domain functional level:textSet-ADDomainMode -Identity
xyz.se -DomainMode Windows2008R2Domain
> > Lower the forest functional level:textSet-ADForestMode -Identity
xyz.se -ForestMode Windows2008R2Forest
> >
> > Verify the changes with the Get-ADDomain and Get-ADForest commands
above.
> >
> > On HP-SRV12, clean up any partial Samba state (you already started
this?ensure all .ldb and .tdb files are removed from /var/lib/samba,
/var/cache/samba, /run/samba, etc.).
> >
> > Retry the join:textsamba-tool domain join xyz.se DC -U
"XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
> > If successful, start Samba and verify replication with samba-tool drs
showrepl.
> >
> > Travis Wenks
> > Rose City Solutions
> > Owner
> > Phone 503.821.7000
> > Website rosecitysolutions.com
> > Email travis at rosecitysolutions.com
> >
> >
> > ________________________________
> > From: samba <samba-bounces at lists.samba.org> on behalf of
Anders ?stling via samba <samba at lists.samba.org>
> > Sent: Thursday, November 20, 2025 8:49 AM
> > To: samba at lists.samba.org <samba at lists.samba.org>
> > Subject: Re: [Samba] Migration strategy
> >
> > Ok, I upgraded Samba from 4.22 to 4.23 (Trixie backports) and this
> > happened. I started with cleaning up the ldb and tdb files in
> > /run/samba, /var/cache/samba, /var/lib/samba ...
> >
> > 1. Attempt to join the existing 2019 domain
> >
> > root at hp-srv12:/etc# samba-tool domain join XYZ.se DC -U
> > "XYZ\Administrator" --option="dns forwarder=8.8.8.8
1.1.1.1"
> > INFO 2025-11-20 17:38:45,883 pid:5051
> > /usr/lib/python3/dist-packages/samba/join.py #106: Finding a writeable
> > DC for domain 'xyz.se'
> > INFO 2025-11-20 17:38:45,991 pid:5051
> > /usr/lib/python3/dist-packages/samba/join.py #108: Found DC
> > HP-SRV01.xyzse
> > Password for [XYZ\Administrator]:
> > INFO 2025-11-20 17:38:56,201 pid:5051
> > /usr/lib/python3/dist-packages/samba/join.py #1618: workgroup is XYZ
> > INFO 2025-11-20 17:38:56,201 pid:5051
> > /usr/lib/python3/dist-packages/samba/join.py #1621: realm is xyz.se
> > Adding CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
> > Adding
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
> > Adding CN=NTDS
Settings,CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
> > DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> > 'WERR_DS_INCOMPATIBLE_VERSION')
> > Join failed - cleaning up
> > Deleted CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
> > Deleted
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
> > ERROR(runtime): uncaught exception - DsAddEntry failed
> >   File
"/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> > 387, in _run
> >     return self.run(*args, **kwargs)
> >            ~~~~~~~~^^^^^^^^^^^^^^^^^
> >   File
"/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
> > line 128, in run
> >     join_DC(logger=logger, server=server, creds=creds, lp=lp,
domain=domain,
> >    
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >             site=site, netbios_name=netbios_name, targetdir=targetdir,
> >             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >     ...<4 lines>...
> >             backend_store=backend_store,
> >             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >             backend_store_size=backend_store_size)
> >             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
1634, in join_DC
> >     ctx.do_join()
> >     ~~~~~~~~~~~^^
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
1522, in do_join
> >     ctx.join_add_objects()
> >     ~~~~~~~~~~~~~~~~~~~~^^
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
667, in
> > join_add_objects
> >     ctx.join_add_ntdsdsa()
> >     ~~~~~~~~~~~~~~~~~~~~^^
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
592, in
> > join_add_ntdsdsa
> >     ctx.DsAddEntry([rec])
> >     ~~~~~~~~~~~~~~^^^^^^^
> >   File "/usr/lib/python3/dist-packages/samba/join.py", line
528, in DsAddEntry
> >     raise RuntimeError("DsAddEntry failed")
> >
> > 2. Attempt to upgrade the schema (although the join failed)
> >
> > root at hp-srv12:/etc# samba-tool domain schemaupgrade --schema=2019
> > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
> > file /var/lib/samba/private/sam.ldb: No such file or directory
> > Unable to open tdb '/var/lib/samba/private/sam.ldb': No such
file or directory
> > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb'
with
> > backend 'tdb': Unable to open tdb
'/var/lib/samba/private/sam.ldb': No
> > such file or directory
> > ERROR(ldb): uncaught exception - Unable to open tdb
> > '/var/lib/samba/private/sam.ldb': No such file or directory
> >
> > So here we are. Some files is required to exist in order to upgrade
> > the schema, but they does not - is that because the DC still has not
> > joined the domain?
> >
> > /Anders
> >
> > On Thu, Nov 20, 2025 at 3:46?PM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > >
> > > On Thu, 20 Nov 2025 15:24:36 +0100
> > > Anders ?stling via samba <samba at lists.samba.org> wrote:
> > >
> > > > HI Rowland
> > > >
> > > > I would love to keep the domain and just replace the
DC's. But, as I
> > > > have asked before, adding a Samba DC to the current Windows
(2019)
> > > > domain does not work for me since there are schema upgrades
required,
> > > > and I cant upgrade the schema since the Samba has not joined
the
> > > > domain yet. I think I referred to a chicken and egg dilemma
a week
> > > > ago. Can you comment on that; how I add a fresh Samba ad-dc
> > > > installation to a domain that requires schema/function level
2016?
> > > >
> > >
> > > When you first join a DC, it doesn't have a schema, so there
is nothing
> > > to upgrade, the schema is replicated in from the other DC in the
join.
> > >
> > > As Samba now has the code to work with 2019, a join with the
latest
> > > Samba may work.
> > > Have you tried cloning the DC with the FSMO roles, sandboxing it
and
> > > attempting a join ?
> > > If it works, it will be a lot less work ;-)
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> >
> > --
> > ------ -------------------- 8 ------------------ ------
> > "A wise man once told me - Any idiot can do backups, but it takes
a
> > genius to successfully restore"
> >
> > Anders ?stling
> > +46 768 716 165 (Mobil)
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> ------ -------------------- 8 ------------------ ------
> "A wise man once told me - Any idiot can do backups, but it takes a
> genius to successfully restore"
>
> Anders ?stling
> +46 768 716 165 (Mobil)


-- 
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders ?stling
+46 768 716 165 (Mobil)

You?re very welcome. Best of luck!


Travis Wenks
Rose City Solutions
travis at rosecitysolutions.com
503-821-7000
> On Nov 20, 2025, at 1:22?PM, Anders ?stling <anders.ostling at
gmail.com> wrote:
> 
> ?Travis,
> 
> I finally made it work after moving FSMO roles from Windows server B
> to A and downgrading the forest and domain (on A). Replication looks
> fine, have checked on both Windows and Samba side. So I will leave it
> as it is for now. If all is good in a few days, I will (after
> snapshotting all 3 nodes) raise the schema level again, starting on
> the Windows side.
> The reason I moved the FSMO roles was that the join operation only
> found server A. Before moving the roles, I shutdown A thinking that B
> would step forward. It didn't, the join failed with "No writable
DC
> found". So I fired up A and rerun the join, now with success.
> 
> Thank you for pushing me!
> /Anders
> 
>> On Thu, Nov 20, 2025 at 8:55?PM Anders ?stling <anders.ostling at
gmail.com> wrote:
>> 
>> Travis, this might be a way to go forward. I don't think we are
using
>> any "modern AD features" since those DC's have been with
us since
>> 2012.
>> Do I need to lower the functional level on both Windows DC's before
>> joining the Samba DC?
>> /Anders
>> 
>>> On Thu, Nov 20, 2025 at 8:19?PM Travis Wenks
>>> <travis at rosecitysolutions.com> wrote:
>>> 
>>> Can you lower the schema level to 2008 for the join then when you
have removed the windows dc's upgrade the schema?
>>> For example:
>>> Downgrade Functional Levels to Windows Server 2008 R2
>>> 
>>> This allows Samba to join as a full writable DC but may disable
some modern Windows AD features (e.g., certain group policy enhancements or
authentication protocols). Only do this if your environment can tolerate it, and
back up your AD first.
>>> On the Windows DC:
>>> 
>>> Lower the domain functional level:textSet-ADDomainMode -Identity
xyz.se -DomainMode Windows2008R2Domain
>>> Lower the forest functional level:textSet-ADForestMode -Identity
xyz.se -ForestMode Windows2008R2Forest
>>> 
>>> Verify the changes with the Get-ADDomain and Get-ADForest commands
above.
>>> 
>>> On HP-SRV12, clean up any partial Samba state (you already started
this?ensure all .ldb and .tdb files are removed from /var/lib/samba,
/var/cache/samba, /run/samba, etc.).
>>> 
>>> Retry the join:textsamba-tool domain join xyz.se DC -U
"XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
>>> If successful, start Samba and verify replication with samba-tool
drs showrepl.
>>> 
>>> Travis Wenks
>>> Rose City Solutions
>>> Owner
>>> Phone 503.821.7000
>>> Website rosecitysolutions.com
>>> Email travis at rosecitysolutions.com
>>> 
>>> 
>>> ________________________________
>>> From: samba <samba-bounces at lists.samba.org> on behalf of
Anders ?stling via samba <samba at lists.samba.org>
>>> Sent: Thursday, November 20, 2025 8:49 AM
>>> To: samba at lists.samba.org <samba at lists.samba.org>
>>> Subject: Re: [Samba] Migration strategy
>>> 
>>> Ok, I upgraded Samba from 4.22 to 4.23 (Trixie backports) and this
>>> happened. I started with cleaning up the ldb and tdb files in
>>> /run/samba, /var/cache/samba, /var/lib/samba ...
>>> 
>>> 1. Attempt to join the existing 2019 domain
>>> 
>>> root at hp-srv12:/etc# samba-tool domain join XYZ.se DC -U
>>> "XYZ\Administrator" --option="dns forwarder=8.8.8.8
1.1.1.1"
>>> INFO 2025-11-20 17:38:45,883 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #106: Finding a
writeable
>>> DC for domain 'xyz.se'
>>> INFO 2025-11-20 17:38:45,991 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #108: Found DC
>>> HP-SRV01.xyzse
>>> Password for [XYZ\Administrator]:
>>> INFO 2025-11-20 17:38:56,201 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #1618: workgroup is
XYZ
>>> INFO 2025-11-20 17:38:56,201 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #1621: realm is xyz.se
>>> Adding CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
>>> Adding
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> Adding CN=NTDS
Settings,CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>> Join failed - cleaning up
>>> Deleted CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
>>> Deleted
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> ERROR(runtime): uncaught exception - DsAddEntry failed
>>>  File
"/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
>>> 387, in _run
>>>    return self.run(*args, **kwargs)
>>>           ~~~~~~~~^^^^^^^^^^^^^^^^^
>>>  File
"/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
>>> line 128, in run
>>>    join_DC(logger=logger, server=server, creds=creds, lp=lp,
domain=domain,
>>>   
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>            site=site, netbios_name=netbios_name,
targetdir=targetdir,
>>>           
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>    ...<4 lines>...
>>>            backend_store=backend_store,
>>>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>            backend_store_size=backend_store_size)
>>>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 1634, in join_DC
>>>    ctx.do_join()
>>>    ~~~~~~~~~~~^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 1522, in do_join
>>>    ctx.join_add_objects()
>>>    ~~~~~~~~~~~~~~~~~~~~^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 667, in
>>> join_add_objects
>>>    ctx.join_add_ntdsdsa()
>>>    ~~~~~~~~~~~~~~~~~~~~^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 592, in
>>> join_add_ntdsdsa
>>>    ctx.DsAddEntry([rec])
>>>    ~~~~~~~~~~~~~~^^^^^^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 528, in DsAddEntry
>>>    raise RuntimeError("DsAddEntry failed")
>>> 
>>> 2. Attempt to upgrade the schema (although the join failed)
>>> 
>>> root at hp-srv12:/etc# samba-tool domain schemaupgrade
--schema=2019
>>> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not
open
>>> file /var/lib/samba/private/sam.ldb: No such file or directory
>>> Unable to open tdb '/var/lib/samba/private/sam.ldb': No
such file or directory
>>> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb'
with
>>> backend 'tdb': Unable to open tdb
'/var/lib/samba/private/sam.ldb': No
>>> such file or directory
>>> ERROR(ldb): uncaught exception - Unable to open tdb
>>> '/var/lib/samba/private/sam.ldb': No such file or directory
>>> 
>>> So here we are. Some files is required to exist in order to upgrade
>>> the schema, but they does not - is that because the DC still has
not
>>> joined the domain?
>>> 
>>> /Anders
>>> 
>>> On Thu, Nov 20, 2025 at 3:46?PM Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> 
>>>> On Thu, 20 Nov 2025 15:24:36 +0100
>>>> Anders ?stling via samba <samba at lists.samba.org>
wrote:
>>>> 
>>>>> HI Rowland
>>>>> 
>>>>> I would love to keep the domain and just replace the
DC's. But, as I
>>>>> have asked before, adding a Samba DC to the current Windows
(2019)
>>>>> domain does not work for me since there are schema upgrades
required,
>>>>> and I cant upgrade the schema since the Samba has not
joined the
>>>>> domain yet. I think I referred to a chicken and egg dilemma
a week
>>>>> ago. Can you comment on that; how I add a fresh Samba ad-dc
>>>>> installation to a domain that requires schema/function
level 2016?
>>>>> 
>>>> 
>>>> When you first join a DC, it doesn't have a schema, so
there is nothing
>>>> to upgrade, the schema is replicated in from the other DC in
the join.
>>>> 
>>>> As Samba now has the code to work with 2019, a join with the
latest
>>>> Samba may work.
>>>> Have you tried cloning the DC with the FSMO roles, sandboxing
it and
>>>> attempting a join ?
>>>> If it works, it will be a lot less work ;-)
>>>> 
>>>> Rowland
>>>> 
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> 
>>> 
>>> 
>>> --
>>> ------ -------------------- 8 ------------------ ------
>>> "A wise man once told me - Any idiot can do backups, but it
takes a
>>> genius to successfully restore"
>>> 
>>> Anders ?stling
>>> +46 768 716 165 (Mobil)
>>> 
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 
>> 
>> --
>> ------ -------------------- 8 ------------------ ------
>> "A wise man once told me - Any idiot can do backups, but it takes
a
>> genius to successfully restore"
>> 
>> Anders ?stling
>> +46 768 716 165 (Mobil)
> 
> 
> 
> --
> ------ -------------------- 8 ------------------ ------
> "A wise man once told me - Any idiot can do backups, but it takes a
> genius to successfully restore"
> 
> Anders ?stling
> +46 768 716 165 (Mobil)