Khaled Hussein's picture



I want to upgrade my domain controller from 16 to 17 to solve the Windows 11 AD join problem. Where can I find full documentation on how to upgrade it and migrate all data from my current server?



Alex's picture

The steps I used are:

  • I created a new machine DC2 that runs V17
  • I *joined* the existing domain using DC1 (running V16)
  • This replicated all data to V17
  • I then transferred all FSMO roles to the newly created DC2
  • I then demoted DC1
  • I deleted DC1 (I had to manually delete one leaf node)
  • This left me with only DC2 managing the domain

It's always best to back up before doing anything. I borked this process and luckily was able to restore my LXCs from the backup and try again. Still have the backups, but so far so good...

If you decide to try this, let me know whether it worked for you as well or not.
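
A check that fits between the FSMO transfer and the demotion in the steps above, as an added example that is not part of Alex's post: it reads the output of `samba-tool fsmo show` and lists any roles the old DC still owns. The output format shown in the comment, the sample data and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumes `samba-tool fsmo show` prints one line per role as
#   <RoleName> owner: CN=NTDS Settings,CN=<server>,CN=Servers,...

# Print the FSMO roles still owned by server $1 (fsmo show output on stdin).
roles_owned_by() {
    awk -v dc="$1" '
        BEGIN { dc = toupper(dc) }
        / owner: / {
            owner = toupper($0)
            sub(/^.* OWNER: /, "", owner)
            n = split(owner, rdn, ",")
            # rdn[2] is the server RDN; compare it whole so DC1 never matches DC10
            if (n >= 2 && rdn[2] == "CN=" dc) print $1
        }'
}

# Exit status 0 only when server $1 no longer owns any FSMO role.
safe_to_demote() {
    remaining=$(roles_owned_by "$1")
    if [ -n "$remaining" ]; then
        printf 'Roles still owned by %s:\n%s\n' "$1" "$remaining" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a transfer that stopped part-way (two roles left on DC1).
sample_fsmo_show() {
    cat <<'EOF'
SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=lan
EOF
}

# On a real DC:  samba-tool fsmo show | safe_to_demote DC1
sample_fsmo_show | roles_owned_by DC1
```
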


Alex's picture

When you try to delete the old DC1 (which should be a regular domain member rather than a domain controller after you demote it) you may get an error:

root ~# samba-tool computer delete DC1
ERROR(ldb): Failed to remove computer "DC1$" - subtree_delete: Unable to delete a non-leaf node (it has 1 children)!

This is because the entry has a sub-node in LDAP that is called "RID Set" (a set of RIDs is assigned to each domain controller and it does not get deleted when you demote the server).

I simply manually deleted that using Apache Directory Studio and then retried the command, which worked without issues.

Details are in this thread of the Samba mailing list:

