Prof. Dr. Michael Schefczyk
2017-Jan-29 20:47 UTC
[Samba] Samba 4.5.2, 4.5.3, 4.5.4 as secondary DC to Windows 2008 R2
Dear All,

I am running a two location SOHO network with a Microsoft AD on a Windows 2008 R2 server. The only secondary DC is a Microsoft HyperV VM running on the same Windows machine. My aim is to become more independent from Microsoft products. Nevertheless, I need to upgrade my server to Windows 2016 sometime soon - which does not mean that the DC level needs to be upgraded to Server 2016 (known to be incompatible with Samba).

In parallel, I would like to move the active directory to two separate servers (= one per location) running debian jessie and Samba. Based on previous advice via this list, I did compile myself and I did try 4.5.2, 4.5.3 and 4.5.4. To gain confidence, I would like to run the Windows and Samba DC in parallel for some time (being aware that sysvol replication needs to be managed).

I found it quite doable to set up the Samba 4.5.X servers and let them join the Microsoft AD as DC. Running samba-tool drs showrepl on them indicates no relevant issues. Things do run very well for about a week, but then replication does fail from the perspective of the Microsoft AD. The error indicates that schemas do no longer match (original error message in German below).

So far, I did find no way to avoid this issue. If this stays, this setup is just not usable, unfortunately.

Can someone please point me to a direction other than giving this up (at least for the next few versions of Samba)?

Regards,

Michael

Protokollname: Directory Service
Quelle: Microsoft-Windows-ActiveDirectory_DomainService
Datum: 29.01.2017 20:55:42
Ereignis-ID: 1791
Aufgabenkategorie: Replikation
Ebene: Fehler
Schlüsselwörter: Klassisch
Benutzer: ANONYMOUS-ANMELDUNG
Computer: servercore.schefczyk.local
Beschreibung:
Die Replikation der Anwendungsverzeichnispartition DC=schefczyk,DC=local von Quelle 11d000d6-f318-44fa-9935-dfc82a28c282 (domainb72.schefczyk.local) wurde abgebrochen.
Für die Replikation ist ein konsistentes Schema erforderlich, aber beim letzten Versuch, das Schema zu synchronisieren, ist ein Fehler aufgetreten. Ein ordnungsgemäßes Funktionieren der Schemareplikation ist äußerst wichtig. Betrachten Sie die vorangegangenen Fehler zur weiteren Analyse. Wenden Sie sich an Microsoft Support Services, falls das Problem weiterhin besteht.
Fehler 8418: Der Replikationsvorgang ist fehlgeschlagen, da Schemas unter den beteiligten Servern nicht übereinstimmten..
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">1791</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-29T19:55:42.634417100Z" />
    <EventRecordID>35100</EventRecordID>
    <Correlation />
    <Execution ProcessID="816" ThreadID="1856" />
    <Channel>Directory Service</Channel>
    <Computer>servercore.schefczyk.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>DC=schefczyk,DC=local</Data>
    <Data>11d000d6-f318-44fa-9935-dfc82a28c282 (domainb72.schefczyk.local)</Data>
    <Data>8418</Data>
    <Data>Der Replikationsvorgang ist fehlgeschlagen, da Schemas unter den beteiligten Servern nicht übereinstimmten.</Data>
  </EventData>
</Event>
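One way to narrow down a "schemas do not match" (error 8418) condition like the one above, as an added example that is not part of this thread and not Samba project code: export the schema naming context from each DC to LDIF and diff the two dumps by lDAPDisplayName, OID (attributeID / governsID) and the objectVersion of the schema head. The ldbsearch options in the docstring are real; the two LDIF dumps embedded below are constructed, as are the OIDs under the 1.3.6.1.4.1.99999 arc and the example domain, so the script runs offline.

```python
"""Diff two AD schema NC dumps to localise a DRS schema mismatch.

Added example, not code from the Samba list thread. Assumes each DC's
schema was exported with something like (real ldbsearch options):

  ldbsearch -H ldap://<dc> -U administrator \
    -b CN=Schema,CN=Configuration,DC=example,DC=test \
    '(|(objectClass=attributeSchema)(objectClass=classSchema)(objectClass=dMD))' \
    lDAPDisplayName objectClass attributeID governsID objectVersion

The dumps below are constructed stand-ins for such exports.
"""
import base64
from typing import Dict, List, Tuple


def _logical_lines(text: str) -> List[str]:
    """Join LDIF folded lines (continuation lines start with a space)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: blank-line separated records, '#' comments
    skipped, '::' base64 values decoded, multi-valued attrs kept as lists."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _logical_lines(text):
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.lstrip()
        current.setdefault(key, []).append(value)
    if current:
        records.append(current)
    return records


SchemaEntry = Tuple[str, str]  # (kind, oid)


def schema_index(records: List[Dict[str, List[str]]]) -> Dict[str, SchemaEntry]:
    """Map lDAPDisplayName -> (attribute|class, OID) for schema objects."""
    index: Dict[str, SchemaEntry] = {}
    for rec in records:
        classes = {c.lower() for c in rec.get("objectClass", [])}
        names = rec.get("lDAPDisplayName")
        if not names:
            continue
        if "attributeschema" in classes:
            index[names[0]] = ("attribute", rec.get("attributeID", [""])[0])
        elif "classschema" in classes:
            index[names[0]] = ("class", rec.get("governsID", [""])[0])
    return index


def schema_version(records: List[Dict[str, List[str]]]) -> str:
    """objectVersion of the schema head (CN=Schema,...), '' if absent."""
    for rec in records:
        if rec.get("dn", [""])[0].lower().startswith("cn=schema,"):
            return rec.get("objectVersion", [""])[0]
    return ""


def compare_schemas(ldif_a: str, ldif_b: str) -> Dict[str, object]:
    """Report names present on only one side and names whose OID differs."""
    ra, rb = parse_ldif(ldif_a), parse_ldif(ldif_b)
    ia, ib = schema_index(ra), schema_index(rb)
    return {
        "version_a": schema_version(ra),
        "version_b": schema_version(rb),
        "only_in_a": sorted(set(ia) - set(ib)),
        "only_in_b": sorted(set(ib) - set(ia)),
        "oid_conflicts": sorted(n for n in set(ia) & set(ib) if ia[n] != ib[n]),
    }


# Constructed dumps (not captured from any DC); OIDs are placeholders.
SCHEMA_WINDOWS = """dn: CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: dMD
objectVersion: 47

dn: CN=Sample-Attr-One,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: sampleAttrOne
attributeID: 1.3.6.1.4.1.99999.1.1

dn: CN=Sample-Class,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: classSchema
lDAPDisplayName: sampleClass
governsID: 1.3.6.1.4.1.99999.2.1

dn: CN=Sample-Attr-Two,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: sampleAttrTwo
attributeID: 1.3.6.1.4.1.99999.1.2
"""

# Second side: sampleAttrTwo missing, sampleClass carries a different OID,
# and one value is folded across lines the way ldbsearch/ldif wraps them.
SCHEMA_SAMBA = """dn: CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: dMD
objectVersion: 47

dn: CN=Sample-Attr-One,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: sampleAttrOne
attributeID: 1.3.6.1.4.1.999
 99.1.1

dn: CN=Sample-Class,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: classSchema
lDAPDisplayName: sampleClass
governsID: 1.3.6.1.4.1.99999.2.9
"""

if __name__ == "__main__":
    for key, val in compare_schemas(SCHEMA_WINDOWS, SCHEMA_SAMBA).items():
        print(f"{key}: {val}")
```

Run it against real exports by reading the two LDIF files into the two string arguments; an empty "only_in_*" list with equal objectVersion values but a non-empty "oid_conflicts" list points at a conflicting definition rather than a missing object, which is the more useful thing to know before re-testing with a newer Samba release.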
Andrew Bartlett
2017-Feb-01 09:58 UTC
[Samba] Samba 4.5.2, 4.5.3, 4.5.4 as secondary DC to Windows 2008 R2
On Sun, 2017-01-29 at 20:47 +0000, Prof. Dr. Michael Schefczyk via samba wrote:
> Dear All,
>
> I am running a two location SOHO network with a Microsoft AD on a
> Windows 2008 R2 server. The only secondary DC is a Microsoft HyperV
> VM running on the same Windows machine. My aim is to become more
> independent from Microsoft products. Nevertheless, I need to upgrade
> my server to Windows 2016 sometime soon - which does not mean that
> the DC level needs to be upgraded to Server 2016 (known to
> incompatible with Samba).

The major issue at this point relates to the schema. Your domain functional level is a different thing to your server functional level, so you can keep the domain functional level at 2008R2, which is what Samba has reasonable support for.

> In parallel, I would like to move the active directory to two
> separate servers (= one per location) running debian jessie and
> Samba. Based on previous advice via this list, I did compile myself
> and I did try 4.5.2, 4.5.3 and 4.5.4. To gain confidence, I would
> like to run the Windows and Samba DC in parallel for some time (being
> aware that sysvol replication needs to be managed).
>
> I found it quite doable to setup the Samba 4.5.X severs and let them
> join the Microsoft AD as DC. Running samba-tool drs showrepl on them,
> indicates no relevant issues. Things do run very well for about a
> week, but then replication does fail from the perspective of the
> Microsoft AD. The error indicates that schemas to no longer match
> (original error message in German below).
>
> So far, I did find no way to avoid this issue. If this stays, this
> setup is just not usable, unfortunately.
>
> Can someone please point me to a direction other than giving this up
> (at least for the next few versions of Samba)?

At this point what it needs is for a developer to spend some time digging into the issue.

From your end, it is always worth re-testing with new versions (4.6 release candidates for example), and if you are at a larger organisation (because that is where being Windows-free can really save!), perhaps ask a commercial support vendor to push Samba over the line in this area.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
mj
2017-Feb-01 10:12 UTC
[Samba] Samba 4.5.2, 4.5.3, 4.5.4 as secondary DC to Windows 2008 R2
On 02/01/2017 10:58 AM, Andrew Bartlett via samba wrote:
> The major issue at this point relates to the schema. Your domain
> functional level is a different thing to your server functional level,
> so you can keep the domain functional level at 2008R2, which is what
> Samba has reasonable support for.

As this week I also looked into the functional levels that samba supports, I must say that this wiki page:

https://wiki.samba.org/index.php/Raising_the_Functional_Levels

looks as if samba 4.4 and later support 2012_R2. I understand that this is not the case, but I feel that the info on the wiki is (at least) confusing. (or even plain wrong)

MJ