Upgrading a Samba DC the right way
Whilst it is possible to upgrade Samba with the usual apt tools, the Samba Team recommends that a DC is first demoted, then upgraded to the desired version, and finally rejoined to the domain.
This is especially important when upgrading across a major version, for example from 4.18 to 4.19. Because the join re-creates most of the configuration, only the Samba databases and smb.conf need to be removed beforehand.
Once you are familiar with this procedure it takes only a short time and a few simple steps. Let us assume that we would like to upgrade DC2.
Demote DC2
See Demoting a DC. There is no need to review the DNS entries; they will be re-created with the same name when the DC rejoins.
Before demoting, make sure the DC about to be demoted does not own any FSMO roles (transfer them to another DC first). Follow the link on the demote page.
Make sure samba is stopped
systemctl stop samba-ad-dc.service
Remove all config files and databases
rm /run/samba/*.tdb \
   /run/samba/*.ldb \
   /var/lib/samba/*.tdb \
   /var/lib/samba/*.ldb \
   /var/cache/samba/*.tdb \
   /var/cache/samba/*.ldb \
   /var/lib/samba/private/*.tdb \
   /var/lib/samba/private/*.ldb
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
Note that this also removes idmap.ldb from /var/lib/samba/private; it is restored from another DC in the "Sync idmap.ldb" step below. If you want a fallback, copy /var/lib/samba and /etc/samba somewhere safe before running these commands.
Upgrade samba
This is also a good time to switch to other sources or repositories if you want to; see using debian backports or using Michael Tokarev's repo.
If you want to know what will be installed, run:
apt-get update && apt-cache policy samba
and look at the "Candidate" line.
** Warning if upgrading to 4.20 **
Since 4.20, samba-ad-dc is a real package, split out from the other Samba binaries, that provides the DC functionality.
Before 4.20, a meta-package of the same name exists purely for compatibility. Install this meta-package samba-ad-dc before upgrading to 4.20, so that the upgrade has all the DC binaries in place and everything keeps working.
If your Samba version is so old that no samba-ad-dc meta-package exists, be aware that you will need to install the samba-ad-dc package right after the upgrade.
apt-get install samba-ad-dc
Remember to add '-t bookworm-backports' if using backports.
If you are using main Debian source, or Michael Tokarev's repo
A simple:
apt-get update && apt-get upgrade
will get the job done. Continue to Re-join the domain.
If you have changed from main Debian to backports
You need to force the use of backports (first time only):
apt-get update && apt-get install --no-install-recommends -t bookworm-backports samba
Continue to Re-join the domain.
Re-join the domain
samba-tool domain join mad.caponato.es DC -U"MAD\Administrator" --option="dns forwarder=1.1.1.1 8.8.8.8"
Replace mad.caponato.es and MAD with your realm and NetBIOS domain name. Check the old smb.conf.bak for any custom settings that the join does not re-create and carry them over to the new smb.conf.
Sync Sysvol
See this article to sync the Sysvol folders.
Sync idmap.ldb
See this article to sync idmap.ldb between DCs (and why this needs to be done on a regular basis).
That procedure also checks the Sysvol permissions and resets them if needed.
Reboot your server
reboot
Reset the Sysvol folder's file system access control lists (ACL) on the new DC
samba-tool ntacl sysvolreset
Consider re-assigning FSMO roles from another DC if needed
If this server owned any or all FSMO roles before the upgrade, you may want to transfer them back now (see the FSMO link on the demote page).
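The whole procedure above, as an added example script that is not part of the original article or of the Samba project. It wraps the checks a practitioner wants before pulling the trigger: a parser for "samba-tool fsmo show" output that refuses to demote while the DC still owns a role, a dry-run capable version of the rm/mv clean-up step, and the apt command for each package source covered above. The hostnames, the realm mad.caponato.es, the ROOT prefix and the sample FSMO output are assumptions or constructed data; the driver at the bottom only runs when RUN=1 is set, since every step is destructive.

```shell
#!/bin/bash
# Added example (not from the original article or the Samba project):
# helpers that automate the checks and the clean-up step of the procedure
# above, plus a driver that only runs when RUN=1 is set, since every step
# is destructive. Paths are the article's; ROOT (default empty) is a prefix
# so the functions can be tried against a scratch directory first.
set -u
ROOT="${ROOT:-}"

# Print the FSMO roles held by a DC, given "samba-tool fsmo show" output on
# stdin. Owner DNs look like
#   CN=NTDS Settings,CN=DC2,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# so the server name is matched (case-insensitively) before ",CN=Servers,".
fsmo_roles_held_by() {
    awk -v dc="$1" '
        tolower($0) ~ ("cn=" tolower(dc) ",cn=servers,") {
            sub(/ owner:.*/, "")
            print
        }'
}

# Refuse to continue while the DC still owns a role: returns 1 and lists
# the roles so they can be transferred to another DC first.
assert_no_fsmo_roles() {
    local dc="$1" held
    held=$(fsmo_roles_held_by "$dc")
    if [ -n "$held" ]; then
        printf 'refusing to demote %s, it still owns:\n%s\n' "$dc" "$held" >&2
        return 1
    fi
}

# Delete the Samba databases and back up smb.conf exactly as the article's
# rm/mv step does. DRY_RUN=1 only prints what would happen.
remove_samba_state() {
    local d
    for d in /run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would remove: %s\n' "$ROOT$d"/*.tdb "$ROOT$d"/*.ldb
        else
            rm -f "$ROOT$d"/*.tdb "$ROOT$d"/*.ldb
        fi
    done
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would move $ROOT/etc/samba/smb.conf to smb.conf.bak"
    elif [ -f "$ROOT/etc/samba/smb.conf" ]; then
        mv "$ROOT/etc/samba/smb.conf" "$ROOT/etc/samba/smb.conf.bak"
    fi
}

# The apt command line for each package source the article covers.
apt_upgrade_cmd() {
    case "$1" in
        main|tokarev) echo 'apt-get update && apt-get upgrade' ;;
        backports) echo 'apt-get update && apt-get install --no-install-recommends -t bookworm-backports samba' ;;
        *) echo "unknown source: $1" >&2; return 1 ;;
    esac
}

# Constructed "samba-tool fsmo show" output for a two-DC domain in which DC2
# still holds the PDC emulator role (illustrative data, not real output).
sample_fsmo_output() {
    local base='CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mad,DC=caponato,DC=es'
    cat <<EOF
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,$base
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,$base
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,$base
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,$base
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,$base
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,$base
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,$base
EOF
}

# Driver. Usage on the DC being upgraded, as root:
#   RUN=1 DC=DC2 REALM=mad.caponato.es WORKGROUP=MAD SOURCE=main ./upgrade-dc.sh
if [ "${RUN:-0}" = 1 ]; then
    samba-tool fsmo show | assert_no_fsmo_roles "$DC" || exit 1
    samba-tool domain demote -U"$WORKGROUP\\Administrator" || exit 1
    systemctl stop samba-ad-dc.service
    remove_samba_state
    if [ "${SOURCE:-main}" = backports ]; then
        apt-get install -t bookworm-backports samba-ad-dc   # meta-package, see the 4.20 warning
    else
        apt-get install samba-ad-dc
    fi
    sh -c "$(apt_upgrade_cmd "${SOURCE:-main}")" || exit 1
    samba-tool domain join "$REALM" DC -U"$WORKGROUP\\Administrator" \
        --option="dns forwarder=1.1.1.1 8.8.8.8" || exit 1
    # Remaining steps follow the article by hand: sync Sysvol and idmap.ldb
    # from another DC, reboot, run "samba-tool ntacl sysvolreset", and
    # transfer any FSMO roles back if this DC used to hold them.
fi
```

Try the clean-up step against a scratch tree first (ROOT=/tmp/scratch DRY_RUN=1) to see exactly which files would go; on a real DC the FSMO check is the one that saves you, because demoting a role owner leaves the domain without that role until it is seized elsewhere.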