Rowland penny
2021-May-17 14:25 UTC
[Samba] doc suggestion / question on adding native win 2012R2 DC
On 17/05/2021 14:42, mj via samba wrote:
> Hi Rowland, list,
>
> So, I did that. And now the dbcheck errors are gone, but now also:
> 5835 objects on samba_DC2 vs 5836 objects on samba_DC3. :-|
>
> While ldapcmp reports NO differences between the two samba DCs.
>
> That is interesting? I am used to seeing the same number of objects on
> my DCs.

I have seen different number of objects after a join, it usually clears up.

>> I do not know, never tried it, but I think it should work, what are
>> the errors you get ?
> See here: https://pad.ceph.com/p/ldapcmp

Hmm, interesting:

You appear to have different 'userParameters', but if you look closely, they are the same (hint, remove all the '\x00').

The 'instanceType' attributes can be different, see here:

https://docs.microsoft.com/en-us/windows/win32/adschema/a-instancetype

They probably will come into line.

Rowland

Hi Rowland, list,

On 17/05/2021 16:25, Rowland penny via samba wrote:
>> That is interesting? I am used to seeing the same number of objects on
>> my DCs.
>
> I have seen different number of objects after a join, it usually clears up.

Yes, it all cleared up, as you predicted.

>>> I do not know, never tried it, but I think it should work, what are
>>> the errors you get ?
>> See here: https://pad.ceph.com/p/ldapcmp
>
> Hmm, interesting:
>
> You appear to have different 'userParameters', but if you look closely,
> they are the same (hint, remove all the '\x00').
>
> The 'instanceType' attributes can be different, see here:
>
> https://docs.microsoft.com/en-us/windows/win32/adschema/a-instancetype
>
> They probably will come into line.

They don't. (or not yet...)

I now have in my test AD: samba_dc2, samba_dc3, windc_2008r2 and windc_2012r2, so I can compare a bit.

* ldapcmp between the samba's is perfect.
* ldapcmp between win2008 and win2012 is pretty good, sanitised output:

> root at dc2:~# SAMDOM-tool ldapcmp ldap://win2008r2 ldap://win2012r2
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 2004
>
> Comparing:
> 'CN=WIN2012R2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=COMPANY,DC=COM' [ldap://win2008r2]
> 'CN=WIN2012R2,OU=DOMAIN CONTROLLERS,DC=SAMDOM,DC=COMPANY,DC=COM' [ldap://win2012r2]
> Attributes found only in ldap://win2012r2: MSDS-GENERATIONID
>
> FAILED
>
> * Result for [DOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes found only in ldap://win2012r2:
>
> MSDS-GENERATIONID
>
> * Comparing [CONFIGURATION] context...
>
> * Objects to be compared: 1763
>
> * Result for [CONFIGURATION]: SUCCESS
>
> * Comparing [SCHEMA] context...
>
> * Objects to be compared: 1739
>
> * Result for [SCHEMA]: SUCCESS
>
> * Comparing [DNSDOMAIN] context...
>
> * Objects to be compared: 298
>
> Comparing:
> 'DC=@,DC=SAMDOM.COMPANY.COM,CN=MICROSOFTDNS,DC=DOMAINDNSZONES,DC=SAMDOM,DC=COMPANY,DC=COM' [ldap://win2008r2]
> 'DC=@,DC=SAMDOM.COMPANY.COM,CN=MICROSOFTDNS,DC=DOMAINDNSZONES,DC=SAMDOM,DC=COMPANY,DC=COM' [ldap://win2012r2]
> Difference in attribute values:
> dnsRecord =>
>
> FAILED
>
> * Result for [DNSDOMAIN]: FAILURE
>
> SUMMARY
> ---------
>
> Attributes with different values:
>
> dnsRecord
>
> * Comparing [DNSFOREST] context...
>
> * Objects to be compared: 22
>
> * Result for [DNSFOREST]: SUCCESS
> ERROR: Compare failed: -1
> root at dc2:~#

But ldapcmp output between samba <-> windows (2008r2 or 2012r2) is basically the same mess as posted yesterday.

Is someone else running windows DCs alongside samba..? Anyone care to try ldapcmp samba <-> windows in their setup..?

And a suggestion for the wiki page on this subject (https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD)

It says: "Samba supports Active Directory (AD) schema version 56 and 67". I could not find anything about version 67. I think it should be 69. That bit was misleading to me, initially.

I also assume that after the 2012R2 was successfully joined, the 2008R2 can be removed again. It would be helpful to make this clearer in the introduction. (as 2008R2 is EOL-ed it would be good to emphasize that it is only used as a catalyst for joining 2012r2)

MJ