On Mon, 2024-03-25 at 11:56 +0100, Pisch Tamás via samba wrote:
> Hi,
>
> I would like to connect our AD to the Azure AD. As I see, it needs 2012_R2
> functional level. I don't have any Windows AD DC. Is it safe to raise the
> functional level to 2012_R2 in production environment? I read that 4.19 has
> initial support for 2019 schema, and for the 2016 functional level, but the
> 2012 support is still not complete.

Others have integrated Azure AD with Samba without the FL increase, and
the key step would be the adprep work, but regardless the main risk
with using the FL 2012 or FL2016 'early' in Samba 4.19 or 4.20 is that
we don't have any further protection against 'mixed domains' if you use
the silos, claims or authentication policy features. So if you have some
DCs on 4.19 and some on a later version with the full support, e.g. 4.21,
or partial support (4.20), then you will have inconsistent behaviour
between your DCs.

So as long as you upgrade your DCs in lock-step or don't use any of
those features, you should be fine.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions