thr3ads.net - samba - [Samba] Migration strategy [Nov 2025]

If this information is useful, please help other people find it:
Share via:

Travis Wenks

2025-Nov-20 22:08 UTC

[Samba] Migration strategy

You?re very welcome. Best of luck!


Travis Wenks
Rose City Solutions
travis at rosecitysolutions.com
503-821-7000
> On Nov 20, 2025, at 1:22?PM, Anders ?stling <anders.ostling at
gmail.com> wrote:
> 
> ?Travis,
> 
> I finally made it work after moving FSMO roles from Windows server B
> to A and downgrading the forest and domain (on A). Replication looks
> fine, have checked on both Windows and Samba side. So I will leave it
> as it is for now. If all is good in a few days, I will (after
> snapshotting all 3 nodes) raise the schema level again, starting on
> the Windows side.
> The reason I moved the FSMO roles was that the join operation only
> found server A. Before moving the roles, I shutdown A thinking that B
> would step forward. It didn't, the join failed with "No writable
DC
> found". So I fired up A and rerun the join, now with success.
> 
> Thank you for pushing me!
> /Anders
> 
>> On Thu, Nov 20, 2025 at 8:55?PM Anders ?stling <anders.ostling at
gmail.com> wrote:
>> 
>> Travis, this might be a way to go forward. I don't think we are
using
>> any "modern AD features" since those DC's have been with
us since
>> 2012.
>> Do I need to lower the functional level on both Windows DC's before
>> joining the Samba DC?
>> /Anders
>> 
>>> On Thu, Nov 20, 2025 at 8:19?PM Travis Wenks
>>> <travis at rosecitysolutions.com> wrote:
>>> 
>>> Can you lower the schema level to 2008 for the join then when you
have removed the windows dc's upgrade the schema?
>>> For example:
>>> Downgrade Functional Levels to Windows Server 2008 R2
>>> 
>>> This allows Samba to join as a full writable DC but may disable
some modern Windows AD features (e.g., certain group policy enhancements or
authentication protocols). Only do this if your environment can tolerate it, and
back up your AD first.
>>> On the Windows DC:
>>> 
>>> Lower the domain functional level:textSet-ADDomainMode -Identity
xyz.se -DomainMode Windows2008R2Domain
>>> Lower the forest functional level:textSet-ADForestMode -Identity
xyz.se -ForestMode Windows2008R2Forest
>>> 
>>> Verify the changes with the Get-ADDomain and Get-ADForest commands
above.
>>> 
>>> On HP-SRV12, clean up any partial Samba state (you already started
this?ensure all .ldb and .tdb files are removed from /var/lib/samba,
/var/cache/samba, /run/samba, etc.).
>>> 
>>> Retry the join:textsamba-tool domain join xyz.se DC -U
"XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
>>> If successful, start Samba and verify replication with samba-tool
drs showrepl.
>>> 
>>> Travis Wenks
>>> Rose City Solutions
>>> Owner
>>> Phone 503.821.7000
>>> Website rosecitysolutions.com
>>> Email travis at rosecitysolutions.com
>>> 
>>> 
>>> ________________________________
>>> From: samba <samba-bounces at lists.samba.org> on behalf of
Anders ?stling via samba <samba at lists.samba.org>
>>> Sent: Thursday, November 20, 2025 8:49 AM
>>> To: samba at lists.samba.org <samba at lists.samba.org>
>>> Subject: Re: [Samba] Migration strategy
>>> 
>>> Ok, I upgraded Samba from 4.22 to 4.23 (Trixie backports) and this
>>> happened. I started with cleaning up the ldb and tdb files in
>>> /run/samba, /var/cache/samba, /var/lib/samba ...
>>> 
>>> 1. Attempt to join the existing 2019 domain
>>> 
>>> root at hp-srv12:/etc# samba-tool domain join XYZ.se DC -U
>>> "XYZ\Administrator" --option="dns forwarder=8.8.8.8
1.1.1.1"
>>> INFO 2025-11-20 17:38:45,883 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #106: Finding a
writeable
>>> DC for domain 'xyz.se'
>>> INFO 2025-11-20 17:38:45,991 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #108: Found DC
>>> HP-SRV01.xyzse
>>> Password for [XYZ\Administrator]:
>>> INFO 2025-11-20 17:38:56,201 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #1618: workgroup is
XYZ
>>> INFO 2025-11-20 17:38:56,201 pid:5051
>>> /usr/lib/python3/dist-packages/samba/join.py #1621: realm is xyz.se
>>> Adding CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
>>> Adding
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> Adding CN=NTDS
Settings,CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>> Join failed - cleaning up
>>> Deleted CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
>>> Deleted
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
>>> ERROR(runtime): uncaught exception - DsAddEntry failed
>>>  File
"/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
>>> 387, in _run
>>>    return self.run(*args, **kwargs)
>>>           ~~~~~~~~^^^^^^^^^^^^^^^^^
>>>  File
"/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
>>> line 128, in run
>>>    join_DC(logger=logger, server=server, creds=creds, lp=lp,
domain=domain,
>>>   
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>            site=site, netbios_name=netbios_name,
targetdir=targetdir,
>>>           
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>    ...<4 lines>...
>>>            backend_store=backend_store,
>>>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>            backend_store_size=backend_store_size)
>>>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 1634, in join_DC
>>>    ctx.do_join()
>>>    ~~~~~~~~~~~^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 1522, in do_join
>>>    ctx.join_add_objects()
>>>    ~~~~~~~~~~~~~~~~~~~~^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 667, in
>>> join_add_objects
>>>    ctx.join_add_ntdsdsa()
>>>    ~~~~~~~~~~~~~~~~~~~~^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 592, in
>>> join_add_ntdsdsa
>>>    ctx.DsAddEntry([rec])
>>>    ~~~~~~~~~~~~~~^^^^^^^
>>>  File "/usr/lib/python3/dist-packages/samba/join.py",
line 528, in DsAddEntry
>>>    raise RuntimeError("DsAddEntry failed")
>>> 
>>> 2. Attempt to upgrade the schema (although the join failed)
>>> 
>>> root at hp-srv12:/etc# samba-tool domain schemaupgrade
--schema=2019
>>> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not
open
>>> file /var/lib/samba/private/sam.ldb: No such file or directory
>>> Unable to open tdb '/var/lib/samba/private/sam.ldb': No
such file or directory
>>> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb'
with
>>> backend 'tdb': Unable to open tdb
'/var/lib/samba/private/sam.ldb': No
>>> such file or directory
>>> ERROR(ldb): uncaught exception - Unable to open tdb
>>> '/var/lib/samba/private/sam.ldb': No such file or directory
>>> 
>>> So here we are. Some files is required to exist in order to upgrade
>>> the schema, but they does not - is that because the DC still has
not
>>> joined the domain?
>>> 
>>> /Anders
>>> 
>>> On Thu, Nov 20, 2025 at 3:46?PM Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> 
>>>> On Thu, 20 Nov 2025 15:24:36 +0100
>>>> Anders ?stling via samba <samba at lists.samba.org>
wrote:
>>>> 
>>>>> HI Rowland
>>>>> 
>>>>> I would love to keep the domain and just replace the
DC's. But, as I
>>>>> have asked before, adding a Samba DC to the current Windows
(2019)
>>>>> domain does not work for me since there are schema upgrades
required,
>>>>> and I cant upgrade the schema since the Samba has not
joined the
>>>>> domain yet. I think I referred to a chicken and egg dilemma
a week
>>>>> ago. Can you comment on that; how I add a fresh Samba ad-dc
>>>>> installation to a domain that requires schema/function
level 2016?
>>>>> 
>>>> 
>>>> When you first join a DC, it doesn't have a schema, so
there is nothing
>>>> to upgrade, the schema is replicated in from the other DC in
the join.
>>>> 
>>>> As Samba now has the code to work with 2019, a join with the
latest
>>>> Samba may work.
>>>> Have you tried cloning the DC with the FSMO roles, sandboxing
it and
>>>> attempting a join ?
>>>> If it works, it will be a lot less work ;-)
>>>> 
>>>> Rowland
>>>> 
>>>> --
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> 
>>> 
>>> 
>>> --
>>> ------ -------------------- 8 ------------------ ------
>>> "A wise man once told me - Any idiot can do backups, but it
takes a
>>> genius to successfully restore"
>>> 
>>> Anders ?stling
>>> +46 768 716 165 (Mobil)
>>> 
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 
>> 
>> --
>> ------ -------------------- 8 ------------------ ------
>> "A wise man once told me - Any idiot can do backups, but it takes
a
>> genius to successfully restore"
>> 
>> Anders ?stling
>> +46 768 716 165 (Mobil)
> 
> 
> 
> --
> ------ -------------------- 8 ------------------ ------
> "A wise man once told me - Any idiot can do backups, but it takes a
> genius to successfully restore"
> 
> Anders ?stling
> +46 768 716 165 (Mobil)

Anders Östling

2025-Nov-21 08:43 UTC

head link

[Samba] Migration strategy

Quick followup: Join of server C was successful, and replication
works. A, B and C are shown as replicated correctly. But there is a
warning (?) on server C

samba-tool fsmo show
...all 5 default roles shown correctly
DomainDNSZonesMasterRole has no current owner
Forets DNSZonesMasterRole has no current owner

netdom query fsmo
The Windows servers (A and B) does not show these two lines, just the
5 default roles. Should I be worried? Google is not very helpful. IOne
article suggests that it could be caused by demoting or removing a DC
that held the SchemaMaster role. I can't recall removing or demoting
any DC in our environment. Is there a fix?

On Thu, Nov 20, 2025 at 11:08?PM Travis Wenks
<travis at rosecitysolutions.com> wrote:>
> You?re very welcome. Best of luck!
>
>
> Travis Wenks
> Rose City Solutions
> travis at rosecitysolutions.com
> 503-821-7000
>
> > On Nov 20, 2025, at 1:22?PM, Anders ?stling <anders.ostling at
gmail.com> wrote:
> >
> > ?Travis,
> >
> > I finally made it work after moving FSMO roles from Windows server B
> > to A and downgrading the forest and domain (on A). Replication looks
> > fine, have checked on both Windows and Samba side. So I will leave it
> > as it is for now. If all is good in a few days, I will (after
> > snapshotting all 3 nodes) raise the schema level again, starting on
> > the Windows side.
> > The reason I moved the FSMO roles was that the join operation only
> > found server A. Before moving the roles, I shutdown A thinking that B
> > would step forward. It didn't, the join failed with "No
writable DC
> > found". So I fired up A and rerun the join, now with success.
> >
> > Thank you for pushing me!
> > /Anders
> >
> >> On Thu, Nov 20, 2025 at 8:55?PM Anders ?stling <anders.ostling
at gmail.com> wrote:
> >>
> >> Travis, this might be a way to go forward. I don't think we
are using
> >> any "modern AD features" since those DC's have been
with us since
> >> 2012.
> >> Do I need to lower the functional level on both Windows DC's
before
> >> joining the Samba DC?
> >> /Anders
> >>
> >>> On Thu, Nov 20, 2025 at 8:19?PM Travis Wenks
> >>> <travis at rosecitysolutions.com> wrote:
> >>>
> >>> Can you lower the schema level to 2008 for the join then when
you have removed the windows dc's upgrade the schema?
> >>> For example:
> >>> Downgrade Functional Levels to Windows Server 2008 R2
> >>>
> >>> This allows Samba to join as a full writable DC but may
disable some modern Windows AD features (e.g., certain group policy enhancements
or authentication protocols). Only do this if your environment can tolerate it,
and back up your AD first.
> >>> On the Windows DC:
> >>>
> >>> Lower the domain functional level:textSet-ADDomainMode
-Identity xyz.se -DomainMode Windows2008R2Domain
> >>> Lower the forest functional level:textSet-ADForestMode
-Identity xyz.se -ForestMode Windows2008R2Forest
> >>>
> >>> Verify the changes with the Get-ADDomain and Get-ADForest
commands above.
> >>>
> >>> On HP-SRV12, clean up any partial Samba state (you already
started this?ensure all .ldb and .tdb files are removed from /var/lib/samba,
/var/cache/samba, /run/samba, etc.).
> >>>
> >>> Retry the join:textsamba-tool domain join xyz.se DC -U
"XYZ\Administrator" --option="dns forwarder=8.8.8.8 1.1.1.1"
> >>> If successful, start Samba and verify replication with
samba-tool drs showrepl.
> >>>
> >>> Travis Wenks
> >>> Rose City Solutions
> >>> Owner
> >>> Phone 503.821.7000
> >>> Website rosecitysolutions.com
> >>> Email travis at rosecitysolutions.com
> >>>
> >>>
> >>> ________________________________
> >>> From: samba <samba-bounces at lists.samba.org> on behalf
of Anders ?stling via samba <samba at lists.samba.org>
> >>> Sent: Thursday, November 20, 2025 8:49 AM
> >>> To: samba at lists.samba.org <samba at lists.samba.org>
> >>> Subject: Re: [Samba] Migration strategy
> >>>
> >>> Ok, I upgraded Samba from 4.22 to 4.23 (Trixie backports) and
this
> >>> happened. I started with cleaning up the ldb and tdb files in
> >>> /run/samba, /var/cache/samba, /var/lib/samba ...
> >>>
> >>> 1. Attempt to join the existing 2019 domain
> >>>
> >>> root at hp-srv12:/etc# samba-tool domain join XYZ.se DC -U
> >>> "XYZ\Administrator" --option="dns
forwarder=8.8.8.8 1.1.1.1"
> >>> INFO 2025-11-20 17:38:45,883 pid:5051
> >>> /usr/lib/python3/dist-packages/samba/join.py #106: Finding a
writeable
> >>> DC for domain 'xyz.se'
> >>> INFO 2025-11-20 17:38:45,991 pid:5051
> >>> /usr/lib/python3/dist-packages/samba/join.py #108: Found DC
> >>> HP-SRV01.xyzse
> >>> Password for [XYZ\Administrator]:
> >>> INFO 2025-11-20 17:38:56,201 pid:5051
> >>> /usr/lib/python3/dist-packages/samba/join.py #1618: workgroup
is XYZ
> >>> INFO 2025-11-20 17:38:56,201 pid:5051
> >>> /usr/lib/python3/dist-packages/samba/join.py #1621: realm is
xyz.se
> >>> Adding CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
> >>> Adding
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
> >>> Adding CN=NTDS
Settings,CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
> >>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
> >>> 'WERR_DS_INCOMPATIBLE_VERSION')
> >>> Join failed - cleaning up
> >>> Deleted CN=HP-SRV12,OU=Domain Controllers,DC=xyz,DC=se
> >>> Deleted
CN=HP-SRV12,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=se
> >>> ERROR(runtime): uncaught exception - DsAddEntry failed
> >>>  File
"/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> >>> 387, in _run
> >>>    return self.run(*args, **kwargs)
> >>>           ~~~~~~~~^^^^^^^^^^^^^^^^^
> >>>  File
"/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
> >>> line 128, in run
> >>>    join_DC(logger=logger, server=server, creds=creds, lp=lp,
domain=domain,
> >>>   
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>            site=site, netbios_name=netbios_name,
targetdir=targetdir,
> >>>           
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>    ...<4 lines>...
> >>>            backend_store=backend_store,
> >>>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>            backend_store_size=backend_store_size)
> >>>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >>>  File
"/usr/lib/python3/dist-packages/samba/join.py", line 1634, in join_DC
> >>>    ctx.do_join()
> >>>    ~~~~~~~~~~~^^
> >>>  File
"/usr/lib/python3/dist-packages/samba/join.py", line 1522, in do_join
> >>>    ctx.join_add_objects()
> >>>    ~~~~~~~~~~~~~~~~~~~~^^
> >>>  File
"/usr/lib/python3/dist-packages/samba/join.py", line 667, in
> >>> join_add_objects
> >>>    ctx.join_add_ntdsdsa()
> >>>    ~~~~~~~~~~~~~~~~~~~~^^
> >>>  File
"/usr/lib/python3/dist-packages/samba/join.py", line 592, in
> >>> join_add_ntdsdsa
> >>>    ctx.DsAddEntry([rec])
> >>>    ~~~~~~~~~~~~~~^^^^^^^
> >>>  File
"/usr/lib/python3/dist-packages/samba/join.py", line 528, in
DsAddEntry
> >>>    raise RuntimeError("DsAddEntry failed")
> >>>
> >>> 2. Attempt to upgrade the schema (although the join failed)
> >>>
> >>> root at hp-srv12:/etc# samba-tool domain schemaupgrade
--schema=2019
> >>> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could
not open
> >>> file /var/lib/samba/private/sam.ldb: No such file or directory
> >>> Unable to open tdb '/var/lib/samba/private/sam.ldb':
No such file or directory
> >>> Failed to connect to
'tdb:///var/lib/samba/private/sam.ldb' with
> >>> backend 'tdb': Unable to open tdb
'/var/lib/samba/private/sam.ldb': No
> >>> such file or directory
> >>> ERROR(ldb): uncaught exception - Unable to open tdb
> >>> '/var/lib/samba/private/sam.ldb': No such file or
directory
> >>>
> >>> So here we are. Some files is required to exist in order to
upgrade
> >>> the schema, but they does not - is that because the DC still
has not
> >>> joined the domain?
> >>>
> >>> /Anders
> >>>
> >>> On Thu, Nov 20, 2025 at 3:46?PM Rowland Penny via samba
> >>> <samba at lists.samba.org> wrote:
> >>>>
> >>>> On Thu, 20 Nov 2025 15:24:36 +0100
> >>>> Anders ?stling via samba <samba at lists.samba.org>
wrote:
> >>>>
> >>>>> HI Rowland
> >>>>>
> >>>>> I would love to keep the domain and just replace the
DC's. But, as I
> >>>>> have asked before, adding a Samba DC to the current
Windows (2019)
> >>>>> domain does not work for me since there are schema
upgrades required,
> >>>>> and I cant upgrade the schema since the Samba has not
joined the
> >>>>> domain yet. I think I referred to a chicken and egg
dilemma a week
> >>>>> ago. Can you comment on that; how I add a fresh Samba
ad-dc
> >>>>> installation to a domain that requires schema/function
level 2016?
> >>>>>
> >>>>
> >>>> When you first join a DC, it doesn't have a schema, so
there is nothing
> >>>> to upgrade, the schema is replicated in from the other DC
in the join.
> >>>>
> >>>> As Samba now has the code to work with 2019, a join with
the latest
> >>>> Samba may work.
> >>>> Have you tried cloning the DC with the FSMO roles,
sandboxing it and
> >>>> attempting a join ?
> >>>> If it works, it will be a lot less work ;-)
> >>>>
> >>>> Rowland
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and
read the
> >>>> instructions: 
https://lists.samba.org/mailman/options/samba
> >>>
> >>>
> >>>
> >>> --
> >>> ------ -------------------- 8 ------------------ ------
> >>> "A wise man once told me - Any idiot can do backups, but
it takes a
> >>> genius to successfully restore"
> >>>
> >>> Anders ?stling
> >>> +46 768 716 165 (Mobil)
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read
the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >>
> >> --
> >> ------ -------------------- 8 ------------------ ------
> >> "A wise man once told me - Any idiot can do backups, but it
takes a
> >> genius to successfully restore"
> >>
> >> Anders ?stling
> >> +46 768 716 165 (Mobil)
> >
> >
> >
> > --
> > ------ -------------------- 8 ------------------ ------
> > "A wise man once told me - Any idiot can do backups, but it takes
a
> > genius to successfully restore"
> >
> > Anders ?stling
> > +46 768 716 165 (Mobil)


-- 
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders ?stling
+46 768 716 165 (Mobil)

samba - Nov 2025 - Migration strategy

[Samba] Migration strategy

[Samba] Migration strategy