Prof. Dr. Michael Schefczyk
2017-Jan-29  20:47 UTC
[Samba] Samba 4.5.2, 4.5.3, 4.5.4 as secondary DC to Windows 2008 R2
Dear All,
I am running a two location SOHO network with a Microsoft AD on a Windows 2008
R2 server. The only secondary DC is a Microsoft HyperV VM running on the same
Windows machine. My aim is to become more independent from Microsoft products.
Nevertheless, I need to upgrade my server to Windows 2016 sometime soon - which
does not mean that the DC level needs to be upgraded to Server 2016 (known to be
incompatible with Samba).
In parallel, I would like to move the active directory to two separate servers
(= one per location) running debian jessie and Samba. Based on previous advice
via this list, I did compile myself and I did try 4.5.2, 4.5.3 and 4.5.4. To
gain confidence, I would like to run the Windows and Samba DC in parallel for
some time (being aware that sysvol replication needs to be managed).
I found it quite doable to set up the Samba 4.5.X servers and let them join the
Microsoft AD as DC. Running samba-tool drs showrepl on them indicates no
relevant issues. Things do run very well for about a week, but then replication
does fail from the perspective of the Microsoft AD. The error indicates that the
schemas no longer match (original error message in German below).
So far, I did find no way to avoid this issue. If this stays, this setup is just
not usable, unfortunately.
Can someone please point me to a direction other than giving this up (at least
for the next few versions of Samba)?
Regards,
Michael
Protokollname: Directory Service
Quelle:        Microsoft-Windows-ActiveDirectory_DomainService
Datum:         29.01.2017 20:55:42
Ereignis-ID:   1791
Aufgabenkategorie:Replikation
Ebene:         Fehler
Schlüsselwörter:Klassisch
Benutzer:      ANONYMOUS-ANMELDUNG
Computer:      servercore.schefczyk.local
Beschreibung:
Die Replikation der Anwendungsverzeichnispartition DC=schefczyk,DC=local von
Quelle 11d000d6-f318-44fa-9935-dfc82a28c282 (domainb72.schefczyk.local) wurde
abgebrochen. Für die Replikation ist ein konsistentes Schema erforderlich, aber
beim letzten Versuch, das Schema zu synchronisieren, ist ein Fehler aufgetreten.
Ein ordnungsgemäßes Funktionieren der Schemareplikation ist äußerst wichtig.
Betrachten Sie die vorangegangenen Fehler zur weiteren Analyse. Wenden Sie sich
an Microsoft Support Services, falls das Problem weiterhin besteht. Fehler 8418:
Der Replikationsvorgang ist fehlgeschlagen, da Schemas unter den beteiligten
Servern nicht übereinstimmten..
Ereignis-XML:
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider
Name="Microsoft-Windows-ActiveDirectory_DomainService"
Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}"
EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">1791</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>5</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2017-01-29T19:55:42.634417100Z" />
    <EventRecordID>35100</EventRecordID>
    <Correlation />
    <Execution ProcessID="816" ThreadID="1856" />
    <Channel>Directory Service</Channel>
    <Computer>servercore.schefczyk.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>DC=schefczyk,DC=local</Data>
    <Data>11d000d6-f318-44fa-9935-dfc82a28c282
(domainb72.schefczyk.local)</Data>
    <Data>8418</Data>
    <Data>Der Replikationsvorgang ist fehlgeschlagen, da Schemas unter den
beteiligten Servern nicht übereinstimmten.</Data>
  </EventData>
</Event>
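The Directory Service event quoted above (ID 1791, DRS error 8418) is the kind of record a replication monitor on the Windows side should alert on. The following is an added example, not code from the post or from Samba: it parses that Event XML shape, pulls out the naming context, source DSA and error code, and maps 8418 to its meaning. The sample record is constructed from the fields quoted in the post.

```python
import xml.etree.ElementTree as ET

# Windows event schema namespace, as in the quoted record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# DRS error codes worth alerting on; 8418 is the one the post quotes.
DRS_ERRORS = {
    8418: "ERROR_DS_DRA_SCHEMA_MISMATCH: schemas differ between the DCs",
}

# Constructed sample record, modelled on the event quoted in the post.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" />
    <EventID Qualifiers="49152">1791</EventID>
    <Computer>servercore.schefczyk.local</Computer>
  </System>
  <EventData>
    <Data>DC=schefczyk,DC=local</Data>
    <Data>11d000d6-f318-44fa-9935-dfc82a28c282 (domainb72.schefczyk.local)</Data>
    <Data>8418</Data>
    <Data>Der Replikationsvorgang ist fehlgeschlagen ...</Data>
  </EventData>
</Event>"""

def parse_event(xml_text):
    """Return the fields a replication monitor needs from one event record."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    rec = {
        "event_id": int(sysnode.findtext("e:EventID", namespaces=NS)),
        "computer": sysnode.findtext("e:Computer", namespaces=NS),
    }
    # Event 1791 carries: naming context, source DSA, error code, message.
    if rec["event_id"] == 1791 and len(data) >= 3:
        rec["naming_context"] = data[0]
        rec["source_dsa"] = data[1]
        rec["error_code"] = int(data[2])
    return rec

def replication_alert(rec):
    """Return an alert string for replication-failure events, else None."""
    if rec.get("event_id") != 1791:
        return None
    code = rec.get("error_code")
    reason = DRS_ERRORS.get(code, "DRS error %s" % code)
    return "%s: inbound replication of %s from %s aborted (%s)" % (
        rec["computer"], rec["naming_context"], rec["source_dsa"], reason)
```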
Andrew Bartlett
2017-Feb-01  09:58 UTC
[Samba] Samba 4.5.2, 4.5.3, 4.5.4 as secondary DC to Windows 2008 R2
On Sun, 2017-01-29 at 20:47 +0000, Prof. Dr. Michael Schefczyk via samba wrote:
> Dear All,
>
> I am running a two location SOHO network with a Microsoft AD on a
> Windows 2008 R2 server. The only secondary DC is a Microsoft HyperV
> VM running on the same Windows machine. My aim is to become more
> independent from Microsoft products. Nevertheless, I need to upgrade
> my server to Windows 2016 sometime soon - which does not mean that
> the DC level needs to be upgraded to Server 2016 (known to be
> incompatible with Samba).

The major issue at this point relates to the schema. Your domain functional
level is a different thing to your server functional level, so you can keep
the domain functional level at 2008R2, which is what Samba has reasonable
support for.

> In parallel, I would like to move the active directory to two
> separate servers (= one per location) running debian jessie and
> Samba. Based on previous advice via this list, I did compile myself
> and I did try 4.5.2, 4.5.3 and 4.5.4. To gain confidence, I would
> like to run the Windows and Samba DC in parallel for some time (being
> aware that sysvol replication needs to be managed).
>
> I found it quite doable to set up the Samba 4.5.X servers and let them
> join the Microsoft AD as DC. Running samba-tool drs showrepl on them
> indicates no relevant issues. Things do run very well for about a
> week, but then replication does fail from the perspective of the
> Microsoft AD. The error indicates that the schemas no longer match
> (original error message in German below).
>
> So far, I did find no way to avoid this issue. If this stays, this
> setup is just not usable, unfortunately.
>
> Can someone please point me to a direction other than giving this up
> (at least for the next few versions of Samba)?

At this point what it needs is for a developer to spend some time digging
into the issue.

From your end, it is always worth re-testing with new versions (4.6 release
candidates for example), and if you are at a larger organisation (because
that is where being windows-free can really save!), perhaps ask a commercial
support vendor to push Samba over the line in this area.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
mj
2017-Feb-01  10:12 UTC
[Samba] Samba 4.5.2, 4.5.3, 4.5.4 as secondary DC to Windows 2008 R2
On 02/01/2017 10:58 AM, Andrew Bartlett via samba wrote:
> The major issue at this point relates to the schema. Your domain
> functional level is a different thing to your server functional level,
> so you can keep the domain functional level at 2008R2, which is what
> Samba has reasonable support for.

As this week I also looked into the functional levels that samba supports,
I must say that this wiki page:

https://wiki.samba.org/index.php/Raising_the_Functional_Levels

looks as if samba 4.4 and later support 2012_R2. I understand that this is
not the case, but I feel that the info on the wiki is (at least) confusing.
(or even plain wrong)

MJ