samba - Dec 2016 - Samba 2.4.2 as secondary DC to Windows 2008 R2

Dear All,

I am running a two location SOHO network with a Microsoft AD on a Windows 2008
R2 server. The only secondary DC is a Microsoft HyperV VM running on the same
Windows machine. My aim is to become more independent from Microsoft products.
Nevertheless, I need to upgrade my server to Windows 2016 sometime soon.

In parallel, I would like to move the active directory to two separate servers
(= one per location) running debian jessie and Samba 4.2.10 (current debian
package 2:4.2.10+dfsg-0+deb8u3). To gain confidence, I would like to run the
Windows and Samba DC in parallel for some time (being aware that sysvol
replication needs to be managed).

I found it quite doable to setup the Samba 4.2.10 severs and let them join the
Microsoft AD as DC. Running samba-tool drs showrepl on them, indicates no issues
(except "Warning: No NC replicated for Connection!" Under KCC
Connection Objects). However, the Winders 2008 R2 server throws "AD
Replication error 8418" The replication operation failed because of a
schema mismatch between the servers involved when replicating from Windows
Server 2008 R2 to Samba.

I use Microsoft Exchange 2010 (to be replaced as well). My smb.conf has
dsdb:schema update allowed = true in the [global] section. All the manual
replications from Windows to Samba (listed at
https://wiki.samba.org/index.php/Samba-tool_drs_replicate) do work including
CN=Schema,CN=Configuration when initiated on the Samba DC. Nevertheless,
automatic replication by the Windows (FSMO) DC keeps failing as described above.

Quite likely, it is similar to this issue:
https://lists.samba.org/archive/samba/2013-January/170906.html The author of
that thread confirmed that he did not get this resolved.

Is there any pragmatic way to copy the AD schema from the Microsoft AD to a
Samba 4.2.10 DC to run them in parallel for a while before turning off the
Microsoft AD altogether?

Regards,

Michael

Hello Michael,
> Nevertheless, I need to upgrade my server to Windows 2016 sometime
> soon.
If you plan to use Windows Server 2016 as a DC together with Samba DCs:
This is currently not supported. See:
https://wiki.samba.org/index.php/FAQ#I_Am_Running_Samba_as_an_AD_DC._Which_Windows_Server_Version_Can_I_Join_as_an_DC_to_the_Forrest.3F



Am 04.12.2016 um 11:05 schrieb Prof. Dr. Michael Schefczyk via
samba:
> In parallel, I would like to move the active directory to two separate
> servers (= one per location) running debian jessie and Samba 4.2.10
> (current debian package 2:4.2.10+dfsg-0+deb8u3). To gain confidence,
> I would like to run the Windows and Samba DC in parallel for some
> time (being aware that sysvol replication needs to be managed).
You should really use a recent version of Samba. 4.2 is not longer
maintained. See
https://wiki.samba.org/index.php/Samba_Release_Planning#General_information

Additionally, there were a lot of improvements around compatibility and
others in newer version. Especially if you already encountered problems,
it makes a lot of sense to try the latest version (4.5.2 is currently
scheduled for next Wednesday).


> I found it quite doable to setup the Samba 4.2.10 severs and let
> them join the Microsoft AD as DC. Running samba-tool drs
> showrepl on them, indicates no issues
> (except "Warning: No NC replicated for Connection!"
> Under KCC Connection Objects).
https://wiki.samba.org/index.php/FAQ#What_does_Warning:_No_NC_replicated_for_Connection.21_Mean.3F


> However, the Winders 2008 R2 server throws
> "AD Replication error 8418" The replication operation
> failed because of a schema mismatch between the servers
> involved when replicating from Windows Server 2008 R2 to Samba.
>
> I use Microsoft Exchange 2010 (to be replaced as well).
>
> My smb.conf has dsdb:schema update allowed = true in the
> [global] section. All the manual replications from Windows
> to Samba (listed at
https://wiki.samba.org/index.php/Samba-tool_drs_replicate)
> do work including CN=Schema,CN=Configuration when initiated on
> the Samba DC. Nevertheless, automatic replication by the Windows
> (FSMO) DC keeps failing as described above.
I don't know what the latest status of Exchange schema support is in
Samba. There were some threads in the past that not all (or none?) of
the Exchange versions are currently working. However, please try the
latest Samba version. A lot of things got improved since 4.2.


> Is there any pragmatic way to copy the AD schema from the
> Microsoft AD to a Samba 4.2.10 DC to run them in parallel
> for a while before turning off the Microsoft AD altogether?
Not if the Exchange schema is not fully supported.


Regards,
Marc