samba:upgrade-fl-2016

Upgrading Samba AD schema and functional level

This is the procedure to upgrade the Active Directory schema and functional level of a Samba AD domain. You will typically do this after upgrading Samba to a new major version that supports a higher functional level.

Backup your Samba AD domain first! Irreversible changes will be made to the domain — once the schema is upgraded, you cannot go back.

samba-tool domain backup online --targetdir=/backup/schema-upgrade --server=dc1 -U "MAD\Administrator"

Upgrade prerequisites

Upgrade Samba to at least 4.20.0 on all DCs. This is required, as older versions do not support `ad dc functional level = 2016` or schema 2019.

Install `patch` on the DC where you run `samba-tool domain schemaupgrade` (you only need it on that DC):

apt-get install patch

Set functional level parameter

Add this parameter to the `[global]` section of `/etc/samba/smb.conf` on every Samba AD DC:

ad dc functional level = 2016

This enables the internal logic in Samba to operate at functional level 2016, which allows the domain to use new features and improves compatibility with modern Windows clients.

Restart the Samba service on all DCs:

systemctl restart samba-ad-dc.service

Upgrade schema and functional level

Now run the following commands — these will upgrade the Active Directory schema and domain functional level.

The schema defines which objects and attributes exist in AD. Functional level controls which AD features are available.

samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016

Explanation:

`samba-tool domain schemaupgrade` upgrades the AD schema version (objects, attributes).
`samba-tool domain functionalprep` prepares the domain for the new functional level.
`samba-tool domain level raise` actually raises the domain and forest functional levels.

You can verify the current levels with:

samba-tool domain level show

Verify AD database consistency

After changing schema and functional level, it is good practice to check the AD database for errors:

samba-tool dbcheck --cross-ncs --fix --yes

You may have to run this command twice to fully fix any errors.

Typical errors you may see:

Orphaned attributes
Incorrect object references
Missing backlinks

Notes

Once the functional level is raised, older Windows clients or older Samba DCs that do not support this level may not work correctly.
Make sure all DCs are fully upgraded and healthy before raising levels.
Schema 2019 and functional level 2016 are fully compatible with Windows 10/11 clients and modern AD features.

Expected replication behaviour after schema upgrade

After raising the schema and functional level, you should expect to see a large number of changes to be propagated across your AD domain. This is normal, especially if you run `samba-tool visualize uptodateness` shortly after completing the upgrade.

Example output after schema upgrade:

samba-tool visualize uptodateness -rS --utf8

DOMAIN

                                    out-of-date-ness
                 ╭───────────────── CN=DC2+
                 │   ╭───────────── CN=DC3+
                 │   │   ╭───────── CN=DC4+
            DC   │   │   │   ╭───── CN=DC1+
     CN=DC2+     ·   3   0   0 
     CN=DC3+     0   ·   0   0 
     CN=DC4+     0   0   ·   0 
     CN=DC1+   432 432 432   ·

'+' stands for ',CN=Servers,CN=default,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es'

CONFIGURATION

                                    out-of-date-ness
                 ╭───────────────── CN=DC2+
                 │   ╭───────────── CN=DC3+
                 │   │   ╭───────── CN=DC4+
            DC   │   │   │   ╭───── CN=DC1+
     CN=DC2+     ·   3   0   0 
     CN=DC3+     0   ·   0   0 
     CN=DC4+     0   0   ·   0 
     CN=DC1+   432 432 432   ·

'+' stands for ',CN=Servers,CN=default,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es'

SCHEMA

                                    out-of-date-ness
                 ╭───────────────── CN=DC2+
                 │   ╭───────────── CN=DC3+
                 │   │   ╭───────── CN=DC4+
            DC   │   │   │   ╭───── CN=DC1+
     CN=DC2+     · 171   3   3 
     CN=DC3+     3   ·   3   3 
     CN=DC4+     3   3   ·   3 
     CN=DC1+   432 440 432   ·

'+' stands for ',CN=Servers,CN=default,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es'

DNSDOMAIN

                                    out-of-date-ness
                 ╭───────────────── CN=DC2+
                 │   ╭───────────── CN=DC3+
                 │   │   ╭───────── CN=DC4+
            DC   │   │   │   ╭───── CN=DC1+
     CN=DC2+     · 431 430 789 
     CN=DC3+   430   · 430 789 
     CN=DC4+   430 430   · 789 
     CN=DC1+   432 432 432   ·

'+' stands for ',CN=Servers,CN=default,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es'

DNSFOREST

                                    out-of-date-ness
                 ╭───────────────── CN=DC2+
                 │   ╭───────────── CN=DC3+
                 │   │   ╭───────── CN=DC4+
            DC   │   │   │   ╭───── CN=DC1+
     CN=DC2+   · 432 432 793 
     CN=DC3+   432   · 432 800 
     CN=DC4+   432 432   · 793 
     CN=DC1+   432 440 432   ·

'+' stands for ',CN=Servers,CN=default,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es' </code>

Notes

This level of out-of-date-ness is fully expected right after schema upgrade.
Allow replication to stabilize across your DCs — check again after 15-30 minutes.
These numbers show the number of pending changes queued for replication.
These values should gradually reduce to `0` (green) as replication completes.

Caponato's Samba notebook. Start here or return to Main menu.