Hi,
This morning, I simply tried adding the 2008R2 DC again, and the DC was
added successfully. Domain logons work, etc. Not sure why it didn't work
yesterday. I also transferred fsmo roles to the 2008R2 DC.
Next step was trying to add a win2012R2 DC following:
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
but it fails with:
The attempt to join this computer to the "samba.company.com" domain
failed. "This operation is only allowed for the Primary Domain
Controller of the domain."
I did not know that there are primary (and thus also secondary?) DCs in AD.
Thing is: I would prefer not to include a (EOLed) win2008R2 DC in our
samba domain.
Hence the question: Is it possible at all to add a current (not EOL-ed)
version of windows as a DC in a samba AD on level 2008_R2?
Also asking because of the warning on the samba wiki.
> ("Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the
> AD replication! Do not use this documentation until the problem is fixed!
> For more details, see Bug #13618 and Bug #13619.")
What is the situation regarding this?
Best,
MJ
On 10/05/2021 19:16, mj via samba wrote:
> Hi,
>
> My goal is to add a native windows DC to my otherwise samba-only AD.
>
> I started by raising the domain functional level from 2003 to 2008R2,
> while on samba 4.13.7, by doing just:
>
>> samba-tool domain level raise --domain-level=2008_R2
>> samba-tool domain level raise --forest-level=2008_R2
>
> I cloned my 3 production DC VMs to an isolated network, and confirmed
> that they were happy there. (replicating, etc)
>
> Then I tried adding a windows x64 2008R2 DC following the instructions
> from:
>
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
>
>
> The result is: 90-95% CPU usage for rpc(0) process on the 4.13.7 samba
> DC during initial replication, and the replication takes eternally
> (hanging on CN=Configuration for 90 minutes, with no visible progress)
>
> I'll leave it for the night, perhaps it just takes *very* long.
>
> (the status is: Replicating data CN=Configuration,DC=samba... Received
> 1625 out of approx 1625 objects, and 18 out of approx 18 DN values)
>
> The new windows DC shows up in samba-tool drs showrepl as
> "WERR_FILE_NOT_FOUND"
>
> Not sure about adding win2012 (or win2012R2) because of the warning
> listed here:
>
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>
> ("Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the
> AD replication! Do not use this documentation until the problem is fixed!
> For more details, see Bug #13618 and Bug #13619.")
>
> Besides (I tried it anyway...) and it showed that adding a win2012 DC
> directly does not work, because of the incompatible (WMI) protocol used.
> I read it has to be done 'through' a win2008 DC anyway.
>
> My goal is to test the azure cloud provisioning agent, and connect it to
> this new dedicated windows DC. For the rest I'd like my network to
> remain samba.
>
> I will try adding the 2008R2 DC again tomorrow with a higher samba log
> level, because at the moment it is unclear why CPU usage is high, and
> what it is hanging on.
>
> If anyone has insights to share, they would be welcomed and appreciated.
> :-)
>
> Thanks,
> MJ
>