samba - Feb 2018 - Is it possible to lower the domain and forest functional level

Hi Denis,

We are using the latest version of sharepoint.
samba-tool domain level show :
Domain and forest function level for domain 'DC=removed,DC=com'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

I did not have to change the revision attributes by hand.

I think the MSAD2K3 was an upgrade from MSAD2K.

We did not do anything with partition. So everything has been setup by default.

I'm going to try to join another samba 4.7.5 DC and switch all the fsmo
roles.

If needed, I'll need assistance to "recreate a Samba 4.7 domain with
same SID by piping in all the objects".

Thanks for your inputs, lets see how it goes with another samba 4.7 dc.

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Denis Cardon" <dcardon at tranquil.it>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Mercredi 14 Février 2018 12:52:04
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

Hi Christophe,
> I don't know exactly, but there were problems with indexes ( as the
user said ).
since you have issues with your domain, perhaps fixing you domain would 
fix the sharepoint compatibility. What version of sharepoint are you 
trying to integrate?
> We did not try with the current release and our manager wants to go back to
Microsoft :-(
> Our samba version is 4.7.5.
What do you get when you try a "samba-tool domain level show"? Did you
had to change the revision attribute by hand because it was not changed 
during "samba-tool domain level raise"?

Your MSAD2k3, was it and upgrade from a MSAD2k? The forest DNS zone was 
in its own partition or not before the switch to Samba-AD? [1]
> I've been able to go one step further. We first were not able to join a
Windows 2008 R2 as a domain controller because it was asking for adprep.
> I found the missing datas in the ldap and added them. But know dcpromo
fails replicating the configuration partition.
> The most relevant error I can find in the dcpromo.log is :
Joining a win2k8r2 to a samba 4.7 should go without any issue. You have 
some corrupted entries somewhere (which may actually have been copied 
over from your MSAD2k3).

Have you tried to join a secondary DC, and demote the original one? DC 
replication does not sync all the DIT tree, and if your corrupted stuff 
is not to be sync'ed, then it may help. Be sure to switch all the FSMO 
role in between.

And if the issue is not yet resolved, then the last resort thing is to 
recreate a Samba 4.7 domain with same SID by piping in all the objects.

Cheers,

Denis

[1] 
https://support.microsoft.com/en-us/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

>
> Valeur de l’erreur principale :
> 8451 L’opération de réplication a rencontré une erreur dans la base de
données.
>
> Valeur de l’erreur secondaire :
> -1507 JET_errColumnNotFound, No such column
>
> 02/13/2018 18:27:35 [INFO] EVENTLOG (Warning): NTDS General / Traitement
interne : 1173
> Internal event: Active Directory Domain Services has encountered the
following exception and associated parameters.
>
>
>
> Exception:
> e0010002
>
> Parameter:
> 0
>
>
>
> Additional Data
>
> Error value:
> 8451
>
> Internal ID:
> 106027e
>
> 02/13/2018 18:27:35 [INFO] Error - Les services de domaine Active Directory
n’ont pas pu répliquer la partition d’annuaire
CN=Configuration,DC=removed,DC=com du contrôleur de domaine Active Directory
distant frtlse-srv018.removed.com. (8451)
> 02/13/2018 18:27:35 [INFO] EVENTLOG (Error): NTDS General / Traitement
interne : 1168
> Internal error: An Active Directory Domain Services error has occurred.
>
>
>
> Additional Data
>
> Error value (decimal):
> -1073741823
>
> Error value (hex):
> c0000001
>
> Internal ID:
> 300162a
>
> 02/13/2018 18:27:36 [INFO] EVENTLOG (Informational): NTDS General /
Contrôle du service : 1004
> Les services de domaine Active Directory ont été arrêtés correctement.
>
> 02/13/2018 18:27:37 [INFO] NtdsInstall for removed.com returned 8451
> 02/13/2018 18:27:37 [INFO] DsRolepInstallDs returned 8451
> 02/13/2018 18:27:37 [ERROR] Failed to install to Directory Service (8451)
> 02/13/2018 18:27:43 [INFO] Démarrage du service NETLOGON
> 02/13/2018 18:27:43 [INFO] Configuring service NETLOGON to 2 returned 0
> 02/13/2018 18:27:43 [INFO] La tentative de promotion du contrôleur de
domaine est terminée
> 02/13/2018 18:27:43 [INFO] DsRolepSetOperationDone returned 0
>
>
> ---------------------------------------------
> Christophe Borivant
> Responsable d'exploitation informatique
> +33 5 62 20 71 71 (Poste 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Mail original -----
> De: "Andrew Bartlett" <abartlet at samba.org>
> À: "Christophe BORIVANT" <cborivant at devinlec.com>,
"samba" <samba at lists.samba.org>
> Envoyé: Mardi 13 Février 2018 23:20:15
> Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level
>
> On Tue, 2018-02-13 at 10:38 +0100, Christophe Borivant via samba wrote:
>> Hello all,
>>
>> We have a samba 4 domain controller.
>> The domain controller was at first a secondary domain controller.
>> We joined it to a domain were the first controller was a windows 2003
server.
>> Then we have transfer the fsmo roles to the linux controller and demote
the 2003 server.
>> I then ran all the ldf files from the 2008 R2 dcpromo and raised the
functional levels.
>> Now we need to go back to windows domain controller because we need to
use sharepoint.
>
> Out of curiosity, what breaks with sharepoint?  Have you tried with the
> current release?
>
> Thanks,
>
> Andrew Bartlett
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

Ok I did the test of joining a new samba 4.7.5 as a domain controller.
Unfortunatly we have the exact same error using dcpromo !
So now I need help to "recreate a Samba 4.7 domain with same SID by piping
in all the objects".

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "samba" <samba at lists.samba.org>
À: "Denis Cardon" <dcardon at tranquil.it>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Mercredi 14 Février 2018 14:11:53
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

Hi Denis,

We are using the latest version of sharepoint.
samba-tool domain level show :
Domain and forest function level for domain 'DC=removed,DC=com'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

I did not have to change the revision attributes by hand.

I think the MSAD2K3 was an upgrade from MSAD2K.

We did not do anything with partition. So everything has been setup by default.

I'm going to try to join another samba 4.7.5 DC and switch all the fsmo
roles.

If needed, I'll need assistance to "recreate a Samba 4.7 domain with
same SID by piping in all the objects".

Thanks for your inputs, lets see how it goes with another samba 4.7 dc.

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Denis Cardon" <dcardon at tranquil.it>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Mercredi 14 Février 2018 12:52:04
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

Hi Christophe,
> I don't know exactly, but there were problems with indexes ( as the
user said ).
since you have issues with your domain, perhaps fixing you domain would 
fix the sharepoint compatibility. What version of sharepoint are you 
trying to integrate?
> We did not try with the current release and our manager wants to go back to
Microsoft :-(
> Our samba version is 4.7.5.
What do you get when you try a "samba-tool domain level show"? Did you
had to change the revision attribute by hand because it was not changed 
during "samba-tool domain level raise"?

Your MSAD2k3, was it and upgrade from a MSAD2k? The forest DNS zone was 
in its own partition or not before the switch to Samba-AD? [1]
> I've been able to go one step further. We first were not able to join a
Windows 2008 R2 as a domain controller because it was asking for adprep.
> I found the missing datas in the ldap and added them. But know dcpromo
fails replicating the configuration partition.
> The most relevant error I can find in the dcpromo.log is :
Joining a win2k8r2 to a samba 4.7 should go without any issue. You have 
some corrupted entries somewhere (which may actually have been copied 
over from your MSAD2k3).

Have you tried to join a secondary DC, and demote the original one? DC 
replication does not sync all the DIT tree, and if your corrupted stuff 
is not to be sync'ed, then it may help. Be sure to switch all the FSMO 
role in between.

And if the issue is not yet resolved, then the last resort thing is to 
recreate a Samba 4.7 domain with same SID by piping in all the objects.

Cheers,

Denis

[1] 
https://support.microsoft.com/en-us/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

>
> Valeur de l’erreur principale :
> 8451 L’opération de réplication a rencontré une erreur dans la base de
données.
>
> Valeur de l’erreur secondaire :
> -1507 JET_errColumnNotFound, No such column
>
> 02/13/2018 18:27:35 [INFO] EVENTLOG (Warning): NTDS General / Traitement
interne : 1173
> Internal event: Active Directory Domain Services has encountered the
following exception and associated parameters.
>
>
>
> Exception:
> e0010002
>
> Parameter:
> 0
>
>
>
> Additional Data
>
> Error value:
> 8451
>
> Internal ID:
> 106027e
>
> 02/13/2018 18:27:35 [INFO] Error - Les services de domaine Active Directory
n’ont pas pu répliquer la partition d’annuaire
CN=Configuration,DC=removed,DC=com du contrôleur de domaine Active Directory
distant frtlse-srv018.removed.com. (8451)
> 02/13/2018 18:27:35 [INFO] EVENTLOG (Error): NTDS General / Traitement
interne : 1168
> Internal error: An Active Directory Domain Services error has occurred.
>
>
>
> Additional Data
>
> Error value (decimal):
> -1073741823
>
> Error value (hex):
> c0000001
>
> Internal ID:
> 300162a
>
> 02/13/2018 18:27:36 [INFO] EVENTLOG (Informational): NTDS General /
Contrôle du service : 1004
> Les services de domaine Active Directory ont été arrêtés correctement.
>
> 02/13/2018 18:27:37 [INFO] NtdsInstall for removed.com returned 8451
> 02/13/2018 18:27:37 [INFO] DsRolepInstallDs returned 8451
> 02/13/2018 18:27:37 [ERROR] Failed to install to Directory Service (8451)
> 02/13/2018 18:27:43 [INFO] Démarrage du service NETLOGON
> 02/13/2018 18:27:43 [INFO] Configuring service NETLOGON to 2 returned 0
> 02/13/2018 18:27:43 [INFO] La tentative de promotion du contrôleur de
domaine est terminée
> 02/13/2018 18:27:43 [INFO] DsRolepSetOperationDone returned 0
>
>
> ---------------------------------------------
> Christophe Borivant
> Responsable d'exploitation informatique
> +33 5 62 20 71 71 (Poste 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Mail original -----
> De: "Andrew Bartlett" <abartlet at samba.org>
> À: "Christophe BORIVANT" <cborivant at devinlec.com>,
"samba" <samba at lists.samba.org>
> Envoyé: Mardi 13 Février 2018 23:20:15
> Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level
>
> On Tue, 2018-02-13 at 10:38 +0100, Christophe Borivant via samba wrote:
>> Hello all,
>>
>> We have a samba 4 domain controller.
>> The domain controller was at first a secondary domain controller.
>> We joined it to a domain were the first controller was a windows 2003
server.
>> Then we have transfer the fsmo roles to the linux controller and demote
the 2003 server.
>> I then ran all the ldf files from the 2008 R2 dcpromo and raised the
functional levels.
>> Now we need to go back to windows domain controller because we need to
use sharepoint.
>
> Out of curiosity, what breaks with sharepoint?  Have you tried with the
> current release?
>
> Thanks,
>
> Andrew Bartlett
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Hello Denis,

I checked all the attributes and objectclass defined in
/usr/share/samba/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
and /usr/share/samba/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt
exists in my samba 4 ldap.
Nothing is missing.
Can you give me some inputs to "recreate a Samba 4.7 domain with same SID
by piping in all the objects" ?

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "samba" <samba at lists.samba.org>
Cc: "samba" <samba at lists.samba.org>, "Denis Cardon"
<dcardon at tranquil.it>
Envoyé: Mercredi 14 Février 2018 17:11:02
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

Ok I did the test of joining a new samba 4.7.5 as a domain controller.
Unfortunatly we have the exact same error using dcpromo !
So now I need help to "recreate a Samba 4.7 domain with same SID by piping
in all the objects".

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "samba" <samba at lists.samba.org>
À: "Denis Cardon" <dcardon at tranquil.it>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Mercredi 14 Février 2018 14:11:53
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

Hi Denis,

We are using the latest version of sharepoint.
samba-tool domain level show :
Domain and forest function level for domain 'DC=removed,DC=com'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

I did not have to change the revision attributes by hand.

I think the MSAD2K3 was an upgrade from MSAD2K.

We did not do anything with partition. So everything has been setup by default.

I'm going to try to join another samba 4.7.5 DC and switch all the fsmo
roles.

If needed, I'll need assistance to "recreate a Samba 4.7 domain with
same SID by piping in all the objects".

Thanks for your inputs, lets see how it goes with another samba 4.7 dc.

---------------------------------------------
Christophe Borivant
Responsable d'exploitation informatique
+33 5 62 20 71 71 (Poste 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Mail original -----
De: "Denis Cardon" <dcardon at tranquil.it>
À: "Christophe BORIVANT" <cborivant at devinlec.com>
Cc: "samba" <samba at lists.samba.org>
Envoyé: Mercredi 14 Février 2018 12:52:04
Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level

Hi Christophe,
> I don't know exactly, but there were problems with indexes ( as the
user said ).
since you have issues with your domain, perhaps fixing you domain would 
fix the sharepoint compatibility. What version of sharepoint are you 
trying to integrate?
> We did not try with the current release and our manager wants to go back to
Microsoft :-(
> Our samba version is 4.7.5.
What do you get when you try a "samba-tool domain level show"? Did you
had to change the revision attribute by hand because it was not changed 
during "samba-tool domain level raise"?

Your MSAD2k3, was it and upgrade from a MSAD2k? The forest DNS zone was 
in its own partition or not before the switch to Samba-AD? [1]
> I've been able to go one step further. We first were not able to join a
Windows 2008 R2 as a domain controller because it was asking for adprep.
> I found the missing datas in the ldap and added them. But know dcpromo
fails replicating the configuration partition.
> The most relevant error I can find in the dcpromo.log is :
Joining a win2k8r2 to a samba 4.7 should go without any issue. You have 
some corrupted entries somewhere (which may actually have been copied 
over from your MSAD2k3).

Have you tried to join a secondary DC, and demote the original one? DC 
replication does not sync all the DIT tree, and if your corrupted stuff 
is not to be sync'ed, then it may help. Be sure to switch all the FSMO 
role in between.

And if the issue is not yet resolved, then the last resort thing is to 
recreate a Samba 4.7 domain with same SID by piping in all the objects.

Cheers,

Denis

[1] 
https://support.microsoft.com/en-us/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application

>
> Valeur de l’erreur principale :
> 8451 L’opération de réplication a rencontré une erreur dans la base de
données.
>
> Valeur de l’erreur secondaire :
> -1507 JET_errColumnNotFound, No such column
>
> 02/13/2018 18:27:35 [INFO] EVENTLOG (Warning): NTDS General / Traitement
interne : 1173
> Internal event: Active Directory Domain Services has encountered the
following exception and associated parameters.
>
>
>
> Exception:
> e0010002
>
> Parameter:
> 0
>
>
>
> Additional Data
>
> Error value:
> 8451
>
> Internal ID:
> 106027e
>
> 02/13/2018 18:27:35 [INFO] Error - Les services de domaine Active Directory
n’ont pas pu répliquer la partition d’annuaire
CN=Configuration,DC=removed,DC=com du contrôleur de domaine Active Directory
distant frtlse-srv018.removed.com. (8451)
> 02/13/2018 18:27:35 [INFO] EVENTLOG (Error): NTDS General / Traitement
interne : 1168
> Internal error: An Active Directory Domain Services error has occurred.
>
>
>
> Additional Data
>
> Error value (decimal):
> -1073741823
>
> Error value (hex):
> c0000001
>
> Internal ID:
> 300162a
>
> 02/13/2018 18:27:36 [INFO] EVENTLOG (Informational): NTDS General /
Contrôle du service : 1004
> Les services de domaine Active Directory ont été arrêtés correctement.
>
> 02/13/2018 18:27:37 [INFO] NtdsInstall for removed.com returned 8451
> 02/13/2018 18:27:37 [INFO] DsRolepInstallDs returned 8451
> 02/13/2018 18:27:37 [ERROR] Failed to install to Directory Service (8451)
> 02/13/2018 18:27:43 [INFO] Démarrage du service NETLOGON
> 02/13/2018 18:27:43 [INFO] Configuring service NETLOGON to 2 returned 0
> 02/13/2018 18:27:43 [INFO] La tentative de promotion du contrôleur de
domaine est terminée
> 02/13/2018 18:27:43 [INFO] DsRolepSetOperationDone returned 0
>
>
> ---------------------------------------------
> Christophe Borivant
> Responsable d'exploitation informatique
> +33 5 62 20 71 71 (Poste 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Mail original -----
> De: "Andrew Bartlett" <abartlet at samba.org>
> À: "Christophe BORIVANT" <cborivant at devinlec.com>,
"samba" <samba at lists.samba.org>
> Envoyé: Mardi 13 Février 2018 23:20:15
> Objet: Re: [Samba] Is it possible to lower the domain and forest functional
level
>
> On Tue, 2018-02-13 at 10:38 +0100, Christophe Borivant via samba wrote:
>> Hello all,
>>
>> We have a samba 4 domain controller.
>> The domain controller was at first a secondary domain controller.
>> We joined it to a domain were the first controller was a windows 2003
server.
>> Then we have transfer the fsmo roles to the linux controller and demote
the 2003 server.
>> I then ran all the ldf files from the 2008 R2 dcpromo and raised the
functional levels.
>> Now we need to go back to windows domain controller because we need to
use sharepoint.
>
> Out of curiosity, what breaks with sharepoint?  Have you tried with the
> current release?
>
> Thanks,
>
> Andrew Bartlett
>
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba