On 12.02.2019 11:16, Rowland Penny via samba wrote:
> On Tue, 12 Feb 2019 14:28:44 +0500
> Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:
>
>> I joined the Windows 2019 domain, where among the controllers there
>> is a Samba DC version 4.8.5, and after that the replica stopped
>> working Windows servers <--> Samba DC. Upgrading to version 4.9.4 did
>> not help
>>
>> Errors:
>>
>> ```
>> Feb 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872,  0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
>> Feb 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load: didn't manage to convert any objects: all 1 remaining of 133 objects failed to convert
>> Feb 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036,  0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
>> Feb 12 14:15:28 srv-dc01 samba[24637]:   ../source4/dsdb/repl/replicated_objects.c:361: dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERROR
>> Feb 12 14:15:28 srv-dc01 samba[24637]:   Failed to create working schema: WERR_INTERNAL_ERROR
>> ```
>>
> Samba hasn't got to Windows 2016 yet, never mind 2019. You may be able
> to fix your domain by demoting the Windows 2019 DC. If this doesn't
> work, stop the Windows 2019 DC and forcibly remove it from the domain
> with 'samba-tool domain demote
> --remove-other-dead-server=<THE_2019_DC_SHORTHOSTNAME>'
>
> I fear that you may have terminally mangled your AD.
>
I never had to deal with this but the topic is of interest to me.
According to the Samba Wiki (see 1), Samba supports a domain functional
level of up to 2012_R2 with restrictions, and 2008_R2 without
restrictions. According to Microsoft (see 2), both Win16 and Win19
require a minimum domain functional level of 2008_R2. So why is it not
possible to join a Win19 DC to a Samba domain, or the other way round,
without negatively affecting the AD?
If I read on in the Wiki (see 3), it seems that the only version that
will work without breaking something is Win Server 2008. One big issue
seems to be that newer Win Servers expect WMI to work in order to join a
domain, something that Samba doesn't support so having a running 2008 DC
is a requirement in order to join Win2012. But the bigger issue seems to
be that versions 2012+ will break replication in any case. Is that all
still accurate?
By the way, the main reason this topic interests me is because more and
more businesses I work with are using or plan to introduce MS Office
365. When talking about a very small user base (<10) it's fine to manage
O365 separately from the AD but with bigger ones there clearly are
benefits of syncing on-premise AD with Azure/O365. Currently, this only
seems possible from Win DCs (please do correct me if this information is
not accurate) which is why it may become necessary to install one.
However, with version 2008 approaching EOL, this may become a critical
issue.
(1) https://wiki.samba.org/index.php/Raising_the_Functional_Levels
(2) https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
(3) https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
Viktor
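The schema-load failure quoted at the top of this thread is the kind of error a DC should never be allowed to log unnoticed: a DC that cannot build a working schema stops replicating and silently diverges from the rest of the domain. The following is an added example, not code from the thread or from the Samba project, showing detection logic that groups Samba's multi-line log records (header line `[timestamp, level] file:line(function)` followed by indented message lines, as in the quoted output) and flags level-0 records from the DRS replication code or carrying a WERR_ code. The sample journal text is constructed for the example (the quoted messages with the month name in English plus two unrelated noise lines); the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the journal lines quoted in the thread
# (same messages, Russian month abbreviation replaced by "Feb", plus two
# unrelated level-3 lines as noise). Not a real capture.
SAMPLE_JOURNAL = """\
Feb 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872,  0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
Feb 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load: didn't manage to convert any objects: all 1 remaining of 133 objects failed to convert
Feb 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036,  0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
Feb 12 14:15:28 srv-dc01 samba[24637]:   ../source4/dsdb/repl/replicated_objects.c:361: dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERROR
Feb 12 14:15:28 srv-dc01 samba[24637]:   Failed to create working schema: WERR_INTERNAL_ERROR
Feb 12 14:15:29 srv-dc01 samba[24637]: [2019/02/12 14:15:29.000001,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
Feb 12 14:15:29 srv-dc01 samba[24637]:   Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
"""

# journald prefix ("Feb 12 ... samba[24637]: ") is optional: log.samba has none.
JOURNAL_PREFIX_RE = re.compile(r"^.*?\bsamba\[\d+\]:\s?")
# Samba record header: "[YYYY/MM/DD hh:mm:ss.usec, level] file:line(function)"
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
WERR_RE = re.compile(r"\b(WERR_[A-Z_]+)\b")
CONVERT_RE = re.compile(r"all (\d+) remaining of (\d+) objects failed to convert")


@dataclass
class Record:
    timestamp: str
    level: int
    source_file: str
    function: str
    message: str = ""


@dataclass
class Finding:
    timestamp: str
    function: str
    werr: Optional[str]       # WERR_* code in the message, if any
    remaining: Optional[int]  # schema objects still unconverted, if reported
    total: Optional[int]      # schema objects in the working set, if reported


def parse_samba_log(text: str) -> List[Record]:
    """Group raw lines (journald or log.samba) into Samba log records."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = JOURNAL_PREFIX_RE.sub("", raw, count=1)
        m = HEADER_RE.search(line)
        if m:
            records.append(Record(m["ts"], int(m["level"]), m["file"], m["func"]))
        elif records and line.strip():
            # continuation line: belongs to the most recent header
            rec = records[-1]
            rec.message = (rec.message + " " + line.strip()).strip()
    return records


def find_replication_failures(records: List[Record]) -> List[Finding]:
    """Level-0 records from the DRS replication code, or carrying a WERR_ code."""
    findings: List[Finding] = []
    for r in records:
        if r.level != 0:
            continue
        werr = WERR_RE.search(r.message)
        if "/dsdb/repl/" not in r.source_file and not werr:
            continue
        counts = CONVERT_RE.search(r.message)
        findings.append(Finding(
            timestamp=r.timestamp,
            function=r.function,
            werr=werr.group(1) if werr else None,
            remaining=int(counts.group(1)) if counts else None,
            total=int(counts.group(2)) if counts else None,
        ))
    return findings


def schema_replication_broken(text: str) -> bool:
    """True when the log shows the working schema could not be built."""
    return any(
        f.werr or f.remaining
        for f in find_replication_failures(parse_samba_log(text))
    )


if __name__ == "__main__":
    for f in find_replication_failures(parse_samba_log(SAMPLE_JOURNAL)):
        print(f)
    print("schema replication broken:", schema_replication_broken(SAMPLE_JOURNAL))
```

Feed it `journalctl -u samba-ad-dc` output (or `log.samba`) from a cron job or a log shipper and alert on `schema_replication_broken()`; the `Finding` records keep the function name and the "N remaining of M" counts so the alert says which stage of the schema load failed. It complements, rather than replaces, checking replication state by hand with `samba-tool drs showrepl`.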