Bogdan Rudas
2016-Oct-27 12:59 UTC
[Samba] Integrating remote Samba DC in existing 2012R2 AD
Hello all!

We have Windows-based AD with 2012R2 level. I would like to provide authentication and GPO in our new remote branch office. Basically, there are two ways:
1. Samba-only domain + trust relationship main AD.
2. Remote Samba DC as members of existing AD maintaining same set of users.

FAQ says that 'trust' is useless due to group membership restrictions. But what about second option, does it make sense to use Samba as remote DC? What restrictions will be applied in this case?

Thank you!

--
Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas
Marc Muehlfeld
2016-Oct-27 15:20 UTC
[Samba] Integrating remote Samba DC in existing 2012R2 AD
Hi Bogdan,

On 27.10.2016 at 14:59, Bogdan Rudas via samba wrote:
> We have Windows-based AD with 2012R2 level. I would like to provide
> authentication and GPO in our new remote branch office. Basically, there
> are two ways:
> 1. Samba-only domain + trust relationship main AD.
> 2. Remote Samba DC as members of existing AD maintaining same set of users.
>
> FAQ says that 'trust' is useless due to group membership restrictions. But
> what about second option, does it make sense to use Samba as remote DC?
> What restrictions will be applied in this case?

Joining a Windows 2012R2 DC to a Samba-based AD currently fails:
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

But I recently successfully joined a Samba 4.5.0rc DC to a Windows-based AD, when I rewrote:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

However, this was a test environment - but everything looked successful.

As mentioned in
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Preconditions
you require Samba >=4.5, because this version is the first that brings AD schema 69 support. Additionally, you have to downgrade the forest functional level to 2008_R2.

However, test the procedure before doing this in a production environment. :-)

Please let me know about success/failure or problems with the docs.

Regards,
Marc