The steps I used are:

• I created a new machine DC2 that runs V17
• I *joined* the existing domain using DC1(running V16)
• This replicated all data to V17
• I then transferred all FSMO roles to the newly created DC2
• I then demoted DC1
• I deleted DC1 (I had to manually delete one leaf node)
• This left me with only DC2 managing the domain

It's always best to backup before doing anything. I borked this process and luckily was able to restore my LXCs from the backup and try again. Still have the backups, but so far so good...

If you decide to try this, let me know whether it worked for you as well or not.

When you try to delete the old DC1 (which should be a regular domain member rather than a domain controller after you demote it) you may get an error:

root ~# samba-tool computer delete DC1
ERROR(ldb): Failed to remove computer "DC1$" - subtree_delete: Unable to delete a non-leaf node (it has 1 children)!

This is because the entry has a sub-node in LDAP that is called "RID Set" (a set of RIDs is assigned to each domain controller and it does not get deleted when you demote the server).

I simply manually deleted that using Apache Directory studio and then retried the command which worked without issues.

Details are  in this thread of the samba mailing list: https://lists.samba.org/archive/samba/2023-May/245300.html

[update - I just updated the title as i realized it was a bit presumptuous of me to assume you're a man - perhaps you are, but I shouldn't assume]

Yep, the Domain Controller appliance is a very specific setup and the best way to do it is to add the new servers and demote the old. It is in theory possible to do a "Debian style" in place upgrade, but I think the way that you've documented is best practice and also much cleaner.

Thanks for posting your experience and the workaround to the bug you hit. FWIW we're currently working on v18.0 and hope to have some RCs out within the next week or so. The stable release will come ASAP after Debian do their first point release (v12.1 - the first point release almost always includes a ton of bug fixes). The Domain Controller itself shouldn't be too hard to update, so whilst it's unlikely it'll be in the first batch, it should probably be fairly early on in the release (it got held back last release for a range of reasons, but in part because I had some improvements to implement which took me some time - whilst juggling everything else).

Anyway, thanks again for posting.