upgrading DC 4.5.x to 4.7.x


upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
Hello,
I have a couple of Samba 4.5.10 AD DCs running that I've been planning to upgrade to 4.7.latest

I've done upgrades previously (from 4.3), so I know the procedure, but I've been checking on samba list regularly, and I see some people having issues after update, mainly with replication. So how safe is it now? Are there still known issues? Should I upgrade 4.5 -> 4.6 -> 4.7 or directly go to 4.7.latest?

Samba I'm running is compiled from source on CentOS 7.

Regards,
Kacper
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
Dear Kacper,

For us the upgrade is currently blocked by this bug:
https://bugzilla.samba.org/show_bug.cgi?id=13123
It blocks our automated deployment of Windows clients.

Best,
Tim


On 01.12.2017 13:46, k.wirski via samba wrote:
> Hello,
> I have a couple of Samba 4.5.10 AD DCs running that I've been planning to upgrade to 4.7.latest
>
> I've done upgrades previously (from 4.3), so I know the procedure, but I've been checking on samba list regularly, and I see some people having issues after update, mainly with replication. So how safe is it now? Are there still known issues? Should I upgrade 4.5 -> 4.6 -> 4.7 or directly go to 4.7.latest?
>
> Samba I'm running is compiled from source on CentOS 7.
>
> Regards,
> Kacper

Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
On 12/01/2017 01:46 PM, k.wirski via samba wrote:
> I've done upgrades previously (from 4.3), so I know the procedure, but I've been checking on samba list regularly, and I see some people having issues after update, mainly with replication. So how safe is it now? Are there still known issues? Should I upgrade 4.5 -> 4.6 -> 4.7 or directly go to 4.7.latest?

We upgraded straight from 4.5 to 4.7.2.

Since we had some corruption, we upgraded by:
- bringing the 4.5 DCs online in a separated environment
- adding a new temporary 4.7.2 DC
- make absolutely sure everything replicated successfully to that new DC
- power off the old DCs
- seize fsmo roles, cleanup the database, etc
- add new 4.7.2 DCs using their old names/ips
- remove the temporary DC

After this, we swapped the 4.5 production DCs for the new 4.7.2 DCs in
the production network, and nobody noticed the change. Except for one or
two users and computers that had changed their passwords during the
above procedure.

The above procedure took some testing and multiple tries, but now, on
4.7.3, everything is running absolutely beautifully. We are especially
happy with the new auth audit logging.

MJ


Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
02.12.2017 2:16, mj via samba wrote:

> - power off the old DCs
> - seize fsmo roles, cleanup the database, etc

Why not transfer roles while the old DCs are online?

> - add new 4.7.2 DCs using their old names/ips
> - remove the temporary DC

why not simply add new DCs to current production domain?

I'm thinking about way to upgrade too, but using "separated environment"
and restore current production servers from backups seems too
complicated for me.
I don't know what changes were made in the production domain while doing
the procedure above, if it will take a day or two (and it will be lost)

> The above procedure took some testing and multiple tries,

hmm :)

_
Mike


Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
Hi,

On 12/02/2017 03:49 PM, Mike Lykov via samba wrote:
> 02.12.2017 2:16, mj via samba wrote:
>
>> - power off the old DCs
>> - seize fsmo roles, cleanup the database, etc
>
> Why not transfer roles while the old DCs are online?
See your question two

>
>> - add new 4.7.2 DCs using their old names/ips
>> - remove the temporary DC
>
> why not simply add new DCs to current production domain?

Because we were facing corruption issues on the 4.5 DCs, upgrading those
to 4.7 didn't work out. We tried, but faced replication issues, and
commands like samba-tool drs showrepl no longer showed any output, or
python errors and timeouts. Also fsmo transfer failed with timeout issues.

Therefore we decided to start as 'fresh as possible', with only data
that 4.7 replicated from our 4.5 DCs.

Note: I am not advising the OP to follow this procedure, I'm just saying
that now that we've finally landed on 4.7, we were very happy with it.
(that's what he was asking about)

And it did not take a day or two, but just a few hours. As our DCs are
all virtual, backing-up and restoring in an isolated environment was
almost instant.

>
> I'm thinking about way to upgrade too, but using "separated environment"
Just a different VLAN with only the DCs.

> and restore current production servers from backups seems too
> complicated for me.
> I don't know what changes were made in the production domain while doing
> the procedure above, if it will take a day or two (and it will be lost)
After some practising and taking notes, I could do it in just a few
hours for our three DCs. :-)

Anyway, he asked about experiences on 4.7, and those are positive. The
way it took to get there was a hassle, we can agree on that, but it
seemed to be the only way out of our 4.5 install. :-)

MJ


Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
Thanks for all the advice,

I have a question about:
"- add new 4.7.2 DCs using their old names/ips
- remove the temporary DC"

Do I understand correctly, You created new machine (or
removed/reinstalled samba completely), used IP/hostname of the previous
DC and just re-added as DC?

Also, did You have any issues after removing temporary DC? Some time ago
I had to remove one DC and I had some errors in --dbcheck --crossncs
later on?

I might consider trying upgrade in separated environment, since my DC's
are also VM's, so no problem for me to clone and separate them.

Some of You said about replication issues after straight upgrade. When
they occurred, i.e. was it obvious error after drs -showrepl command, or
something that "sneaked up" upon You later on?

Regards,
Kacper




Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
Hi,

On 12/02/2017 09:46 PM, Kacper Wirski via samba wrote:
> Do I understand correctly, You created new machine (or
> removed/reinstalled samba completely), used IP/hostname of the previous
> DC and just re-added as DC?
Yep, but some samba-tool database cleaning was required on the temp DC:
   samba-tool dbcheck --cross-ncs --fix
   samba-tool domain demote --remove-other-dead-server=dcX
   samba-tool domain tombstones expunge --tombstone-lifetime=1
and some more
   samba-tool dbcheck --cross-ncs --fix
until everything is healthy.

> Also, did You have any issues after removing temporary DC? Some time ago
> I had to remove one DC and I had some errors in --dbcheck --crossncs
> later on?
No, removing the DC went fine.

> I might consider trying upgrade in separated environment, since my DC's
> are also VM's, so no problem for me to clone and separate them.
Yep, just try it and let us know how it works out for you. I also liked
the idea to having new lean freshly installed stretch DCs, instead of
older upgraded wheezy installs. We also moved from internal dns to
BIND9_DLZ in the process, btw.

> Some of You said about replication issues after straight upgrade. When
> they occurred, i.e. was it obvious error after drs -showrepl command, or
> something that "sneaked up" upon You later on?
We experienced no 'hidden' replication issues, only the obvious ones
(showrepl) where some DCs would not replicate with others, because of a
variety of errors.

We also used samba-tool ldapcmp ldap://dcX ldap://dcX to make sure all
data was in fact in sync on various DCs.

And since you're also on VMs, just give it a try and see where it gets
you? Perhaps you can upgrade straight to 4.7, and you don't need the
route we took? Easy enough to try out.

We had some misbehaviours in our AD to start with, and therefore did all
the extra stuff. (with the temp DC etc)

MJ


Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list


On 12/02/2017 10:24 PM, mj via samba wrote:
> We experienced no 'hidden' replication issues, only the obvious ones
> (showrepl) where some DCs would not replicate with others, because of a
> variety of errors.

This one a lot: "WERR_DS_DRA_ACCESS_DENIED"
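
An added example (not code from any poster in this thread): a shell filter for the "obvious" showrepl failures described above, listing every replication neighbour whose failure counter is non-zero. The sample text, host names and domain are constructed, and the layout of `samba-tool drs showrepl` output is assumed to match it.

```shell
#!/bin/sh
# Constructed sample of `samba-tool drs showrepl` text (assumed layout).
sample_showrepl() {
    cat <<'EOF'
Default-First-Site-Name\DC1
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ Sat Dec  2 21:10:05 2017 CET failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Sat Dec  2 20:40:11 2017 CET

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ Sat Dec  2 21:10:06 2017 CET was successful
        0 consecutive failure(s).
        Last success @ Sat Dec  2 21:10:06 2017 CET
EOF
}

# Read showrepl text on stdin; print section|naming context|peer|failures|result
# for each failing neighbour. Exit status 1 if any neighbour is failing.
showrepl_failures() {
    awk '
        /^==== .* ====$/ { section = $0; gsub(/^==== | ====$/, "", section); next }
        /^(DC|CN)=/      { nc = $0; next }       # unindented naming-context line
        / via RPC$/      { peer = $1; result = "-"; next }
        /Last attempt @ .* failed, result / {
            result = $0; sub(/^.*failed, result /, "", result)
        }
        /consecutive failure\(s\)/ {
            if ($1 + 0 > 0) {
                printf "%s|%s|%s|%s|%s\n", section, nc, peer, $1, result
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed sample; on a DC: samba-tool drs showrepl | showrepl_failures
sample_showrepl | showrepl_failures || echo "replication failures found"
```

A clean showrepl does not prove the directory contents match, which is why the thread also compares DCs with samba-tool ldapcmp.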


Re: upgrading DC 4.5.x to 4.7.x

Samba - General mailing list
02.12.2017 22:13, mj via samba wrote:

>> why not simply add new DCs to current production domain?
> Because we were facing corruption issues on the 4.5 DCs, upgrading those
> to 4.7 didn't work out.

Corruption/replication issues on the 4.5 production servers, between the
4.5 DCs, before trying to upgrade?
I have old 4.1 DCs with "internal dns inconsistent" status now.

> We tried, but faced replication issues, and
> commands like samba-tool drs showrepl no longer showed any output, or
> python errors and timeouts. Also fsmo transfer failed with timeout issues.

Ok, I understand, thanks for the clarification.


>> I'm thinking about way to upgrade too, but using "separated environment"
> Just a different VLAN with only the DCs.

different VLAN, but with same addresses/network mask? without gateway
with main network, ok.

> After some practising and taking notes, I could do it in just a few
> hours for our three DCs. :-)

i.e. you can try freely in a different vlan for some time (restore, try,
delete and next attempt), and, when ready, start replacing with the new copy of
production domain? ok...

--
Mike
