thr3ads.net - samba - [Samba] doc suggestion / question on adding native win 2012R2 DC [May 2021]

If this information is useful, please help other people find it:
Share via:

2021-May-17 12:14 UTC

[Samba] doc suggestion / question on adding native win 2012R2 DC

Hi,

I am studying the wiki and trying and testing, in order to better 
understand the situation on adding native windows DCs to an otherwise 
samba managed AD domain.

On the wiki page
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
is warned "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD 
breaks the AD replication.", with two bug reports linked.

Is that not supposed to say: "Joining a Windows Server 2012 or 2012 R2 
DC to a Samba AD WITH FUNCTIONAL LEVEL 2012R2 breaks the AD replication"?

I have just tested this with a samba (4.13.7) AD with functional level 
2008_R2 and adding a native windows 2012R2 DC (through a windows 2008R2 
DC) seems to have worked out. Our domain functional level is still 
2008R2, and the samba AD schema is at version 56, and it seems they are 
all replicating to each other.

In the aforementioned bug report 
(https://bugzilla.samba.org/show_bug.cgi?id=13619) Andrew Bartlett says: 
"Thankfully Windows 2012 can join a down-level domain, just not at FL 
2012, provided the schema is updated, which we can do."

I followed https://wiki.samba.org/index.php/AD_Schema_Version_Support to 
upgrade the schema, but it seems to have failed:
> root at dc2:~# samba-tool domain schemaupgrade
> Temporarily overriding 'dsdb:schema update allowed' setting
> ERROR: Failed to upgrade schema. Check if 'patch' is installed.
Plus samba-tool dbcheck now throws some errors that are probably related 
to the failed schemaupgrade:
> root at dc3:~# samba-tool dbcheck --cross-ncs
> Checking 5813 objects
> ERROR: wrong instanceType 5 on
CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
> Not changing instanceType from 5 to 13 on
CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
> ERROR: wrong instanceType 5 on CN=Configuration,DC=samba,DC=company,DC=com,
should be 13
> Not changing instanceType from 5 to 13 on
CN=Configuration,DC=samba,DC=company,DC=com
> ERROR: incorrect DN string component for serverReference in object
CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com
-
<GUID=b6218cf7-3404-4fdc-982f-d58755ce9fea>;<RMD_ADDTIME=132657230530000000>;<RMD_CHANGETIME=132657230530000000>;<RMD_FLAGS=0>;<RMD_INVOCID=30a5c9e9-8a98-4d98-89df-076dc3bd6775>;<RMD_LOCAL_USN=6914362>;<RMD_ORIGINATING_USN=57446>;<RMD_VERSION=1>;<SID=S-1-5-21-90839350-988488634-868425949-135701>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
> Not fixing string component mismatch
> Please use --fix to fix these errors
> Checked 5813 objects (3 errors)
> root at dc3:~# 
Feedback on the above dbcheck errors? Just fix them, or do they indicate 
something bigger..?

Also: samba-tool ldapcmp works between the native samba DCs, but reports 
errors when comparing between samba <-> windows DCs. Perhaps that is 
expected?

So, all in all what I tried seems to have worked out fairly well. It 
just feels a bit eerie, because of the warnings and specifics on the way.

MJ

Rowland penny

2021-May-17 12:58 UTC

head link

[Samba] doc suggestion / question on adding native win 2012R2 DC

On 17/05/2021 13:14, mj via samba wrote:> Hi,
>
> I am studying the wiki and trying and testing, in order to better 
> understand the situation on adding native windows DCs to an otherwise 
> samba managed AD domain.
>
> On the wiki page
>
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>
> is warned "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD 
> breaks the AD replication.", with two bug reports linked.
>
> Is that not supposed to say: "Joining a Windows Server 2012 or 2012 R2
> DC to a Samba AD WITH FUNCTIONAL LEVEL 2012R2 breaks the AD
replication"?

Probably now, but not when the note was originally added to the wiki page.
>
> I have just tested this with a samba (4.13.7) AD with functional level 
> 2008_R2 and adding a native windows 2012R2 DC (through a windows 
> 2008R2 DC) seems to have worked out. Our domain functional level is 
> still 2008R2, and the samba AD schema is at version 56, and it seems 
> they are all replicating to each other.

Good to know.
>
> In the aforementioned bug report 
> (https://bugzilla.samba.org/show_bug.cgi?id=13619) Andrew Bartlett 
> says: "Thankfully Windows 2012 can join a down-level domain, just not 
> at FL 2012, provided the schema is updated, which we can do."

that was something that he was seemingly keeping to himself.
>
> I followed https://wiki.samba.org/index.php/AD_Schema_Version_Support 
> to upgrade the schema, but it seems to have failed:
>
>> root at dc2:~# samba-tool domain schemaupgrade
>> Temporarily overriding 'dsdb:schema update allowed' setting
>> ERROR: Failed to upgrade schema. Check if 'patch' is installed.

That could be because the default schema is now 2012R2
>
> Plus samba-tool dbcheck now throws some errors that are probably 
> related to the failed schemaupgrade:
>
>> root at dc3:~# samba-tool dbcheck --cross-ncs
>> Checking 5813 objects
>> ERROR: wrong instanceType 5 on 
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on 
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: wrong instanceType 5 on 
>> CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on 
>> CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: incorrect DN string component for serverReference in object 
>>
CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com
>> - 
>>
<GUID=b6218cf7-3404-4fdc-982f-d58755ce9fea>;<RMD_ADDTIME=132657230530000000>;<RMD_CHANGETIME=132657230530000000>;<RMD_FLAGS=0>;<RMD_INVOCID=30a5c9e9-8a98-4d98-89df-076dc3bd6775>;<RMD_LOCAL_USN=6914362>;<RMD_ORIGINATING_USN=57446>;<RMD_VERSION=1>;<SID=S-1-5-21-90839350-988488634-868425949-135701>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
>> Not fixing string component mismatch
>> Please use --fix to fix these errors
>> Checked 5813 objects (3 errors)
>> root at dc3:~# 
>
> Feedback on the above dbcheck errors? Just fix them, or do they 
> indicate something bigger..?

I would fix them. Then check again.
>
> Also: samba-tool ldapcmp works between the native samba DCs, but 
> reports errors when comparing between samba <-> windows DCs. Perhaps 
> that is expected?

I do not know, never tried it, but I think it should work, what are the 
errors you get ?

>
> So, all in all what I tried seems to have worked out fairly well. It 
> just feels a bit eerie, because of the warnings and specifics on the way.

Did you make any notes ? If so, can I have a (sanitised) copy of them, 
then I can update the wiki page ?

Rowland

samba - May 2021 - doc suggestion / question on adding native win 2012R2 DC

[Samba] doc suggestion / question on adding native win 2012R2 DC

[Samba] doc suggestion / question on adding native win 2012R2 DC