On 12.02.2019 11:16, Rowland Penny via samba wrote:
> On Tue, 12 Feb 2019 14:28:44 +0500
> Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:
>
>> I joined the windows 2019 domain, where among the controllers there is a Samba DC version 4.8.5, and after that replication stopped working between the windows servers <--> samba DC. Upgrading to version 4.9.4 did not help.
>>
>> Errors:
>>
>> ```
>> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872, 0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
>> фев 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load: didn't manage to convert any objects: all 1 remaining of 133 objects failed to convert
>> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036, 0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
>> фев 12 14:15:28 srv-dc01 samba[24637]:   ../source4/dsdb/repl/replicated_objects.c:361: dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERROR
>> Failed to create working schema: WERR_INTERNAL_ERROR
>> ```
>
> Samba hasn't got to Windows 2016 yet, never mind 2019. You may be able to fix your domain by demoting the Windows 2019 DC. If this doesn't work, stop the Windows 2019 DC and forcibly remove it from the domain with 'samba-tool domain demote --remove-other-dead-server=<THE_2019_DC_SHORTHOSTNAME>'
>
> I fear that you may have terminally mangled your AD.

I never had to deal with this but the topic is of interest to me.

According to the Samba Wiki (see 1), Samba supports a domain functional level of up to 2012_R2 with restrictions, and 2008_R2 without restrictions. According to Microsoft (see 2), both Win16 and Win19 require a minimum domain functional level of 2008_R2. So why is it not possible to join a Win19 DC to a Samba domain, or the other way round, without negatively affecting the AD?

If I read on in the Wiki (see 3), it seems that the only version that will work without breaking something is Win Server 2008. One big issue seems to be that newer Win Servers expect WMI to work in order to join a domain, something that Samba doesn't support, so having a running 2008 DC is a requirement in order to join Win2012. But the bigger issue seems to be that versions 2012+ will break replication in any case. Is that all still accurate?

By the way, the main reason this topic interests me is because more and more businesses I work with are using or plan to introduce MS Office 365. When talking about a very small user base (<10) it's fine to manage O365 separately from the AD, but with bigger ones there clearly are benefits of syncing on-premise AD with Azure/O365. Currently, this only seems possible from Win DCs (please do correct me if this information is not accurate), which is why it may become necessary to install one. However, with version 2008 approaching EOL, this may become a critical issue.

(1) https://wiki.samba.org/index.php/Raising_the_Functional_Levels
(2) https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
(3) https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

Viktor
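The journal lines quoted at the top of this thread are the symptom an operator would want to catch early: once `dsdb_repl_resolve_working_schema` reports that it could not convert the remaining schema objects, inbound DRS replication on that Samba DC is broken until the schema problem is resolved. The following Python is an added example (not code from the thread, from Samba, or from any of the posters) that parses journald-style Samba log lines, reassembles Samba's two-part DEBUG records (the `[timestamp, level] file:line(function)` header followed by indented message text) and reports the schema-load failure with the object counts and WERR code it carries. The sample input is constructed from the lines quoted above plus one made-up noise record; the file name and function name in that noise record are inventions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the journal lines quoted in the thread, plus one
# unrelated record (file and function name made up for this example) to show
# that the filter only reports the schema-load records.
SAMPLE_LOG = """\
фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872,  0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
фев 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load: didn't manage to convert any objects: all 1 remaining of 133 objects failed to convert
фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036,  0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
фев 12 14:15:28 srv-dc01 samba[24637]:   ../source4/dsdb/repl/replicated_objects.c:361: dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERROR
фев 12 14:15:28 srv-dc01 samba[24637]: Failed to create working schema: WERR_INTERNAL_ERROR
фев 12 14:15:29 srv-dc01 samba[24637]: [2019/02/12 14:15:29.000100,  3] ../source4/constructed/example.c:1(constructed_noise)
фев 12 14:15:29 srv-dc01 samba[24637]:   unrelated debug text, constructed for this example
"""

# journald line: "<mon> <day> <hh:mm:ss> <host> samba[<pid>]: <text>"
JOURNAL_RE = re.compile(
    r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+samba\[(?P<pid>\d+)\]:\s?(?P<msg>.*)$"
)
# Samba DEBUG header: "[<timestamp>, <level>] <file>:<line>(<function>)"
HEADER_RE = re.compile(
    r"^\[(?P<when>[^,]+),\s*(?P<level>\d+)\]\s+(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
COUNT_RE = re.compile(r"all (?P<failed>\d+) remaining of (?P<total>\d+) objects failed to convert")
WERR_RE = re.compile(r"\b(WERR_[A-Z_]+)\b")

# The two functions in the quoted log that signal a failed working-schema build.
SCHEMA_FUNCS = {"dsdb_repl_resolve_working_schema", "dsdb_repl_make_working_schema"}


@dataclass
class Record:
    """One Samba DEBUG record: the header plus the message lines under it."""
    when: str
    level: int
    file: str
    line: int
    func: str
    messages: List[str] = field(default_factory=list)


@dataclass
class Finding:
    func: str
    failed: Optional[int]
    total: Optional[int]
    errors: List[str]


def parse_samba_journal(text: str) -> List[Record]:
    """Group journald lines into DEBUG records; lines without a header attach
    to the most recent record, which is how Samba's multi-line messages arrive."""
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in text.splitlines():
        m = JOURNAL_RE.match(raw)
        if not m:
            continue  # not a samba journal line
        msg = m.group("msg").strip()
        h = HEADER_RE.match(msg)
        if h:
            current = Record(h["when"], int(h["level"]), h["file"], int(h["line"]), h["func"])
            records.append(current)
        elif current is not None:
            current.messages.append(msg)
    return records


def find_schema_failures(records: List[Record]) -> List[Finding]:
    """Keep only records emitted by the working-schema functions and pull out
    the conversion counts and WERR codes from their message text."""
    findings: List[Finding] = []
    for r in records:
        if r.func not in SCHEMA_FUNCS:
            continue
        body = " ".join(r.messages)
        c = COUNT_RE.search(body)
        errors = sorted(set(WERR_RE.findall(body)))
        findings.append(Finding(
            r.func,
            int(c["failed"]) if c else None,
            int(c["total"]) if c else None,
            errors,
        ))
    return findings


def triage(text: str) -> Dict[str, object]:
    """Summarise a log excerpt: did the schema load fail, how many objects
    could not be converted, and which error codes were reported."""
    findings = find_schema_failures(parse_samba_journal(text))
    return {
        "schema_load_failed": bool(findings),
        "failed_objects": next((f.failed for f in findings if f.failed is not None), None),
        "total_objects": next((f.total for f in findings if f.total is not None), None),
        "error_codes": sorted({e for f in findings for e in f.errors}),
        "functions": [f.func for f in findings],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the output of `journalctl -u samba` (or whatever unit name your distribution uses) and alert on `schema_load_failed`; the `failed_objects`/`total_objects` pair is what a ticket should carry, since it tells the reader whether one stray schema object or the whole schema failed to convert.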
On Tue, 12 Feb 2019 12:21:29 +0100
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> On 12.02.2019 11:16, Rowland Penny via samba wrote:
> > On Tue, 12 Feb 2019 14:28:44 +0500
> > Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:
> >
> >> I joined the windows 2019 domain, where among the controllers there is a Samba DC version 4.8.5, and after that replication stopped working between the windows servers <--> samba DC. Upgrading to version 4.9.4 did not help.
> >>
> >> Errors:
> >>
> >> ```
> >> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872, 0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
> >> фев 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load: didn't manage to convert any objects: all 1 remaining of 133 objects failed to convert
> >> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036, 0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
> >> фев 12 14:15:28 srv-dc01 samba[24637]:   ../source4/dsdb/repl/replicated_objects.c:361: dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERROR
> >> Failed to create working schema: WERR_INTERNAL_ERROR
> >> ```
> >
> > Samba hasn't got to Windows 2016 yet, never mind 2019. You may be able to fix your domain by demoting the Windows 2019 DC. If this doesn't work, stop the Windows 2019 DC and forcibly remove it from the domain with 'samba-tool domain demote --remove-other-dead-server=<THE_2019_DC_SHORTHOSTNAME>'
> >
> > I fear that you may have terminally mangled your AD.
>
> I never had to deal with this but the topic is of interest to me.
>
> According to the Samba Wiki (see 1), Samba supports a domain functional level of up to 2012_R2 with restrictions, and 2008_R2 without restrictions. According to Microsoft (see 2), both Win16 and Win19 require a minimum domain functional level of 2008_R2. So why is it not possible to join a Win19 DC to a Samba domain, or the other way round, without negatively affecting the AD?
>
> If I read on in the Wiki (see 3), it seems that the only version that will work without breaking something is Win Server 2008. One big issue seems to be that newer Win Servers expect WMI to work in order to join a domain, something that Samba doesn't support, so having a running 2008 DC is a requirement in order to join Win2012. But the bigger issue seems to be that versions 2012+ will break replication in any case. Is that all still accurate?
>
> By the way, the main reason this topic interests me is because more and more businesses I work with are using or plan to introduce MS Office 365. When talking about a very small user base (<10) it's fine to manage O365 separately from the AD, but with bigger ones there clearly are benefits of syncing on-premise AD with Azure/O365. Currently, this only seems possible from Win DCs (please do correct me if this information is not accurate), which is why it may become necessary to install one. However, with version 2008 approaching EOL, this may become a critical issue.
>
> (1) https://wiki.samba.org/index.php/Raising_the_Functional_Levels
> (2) https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
> (3) https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>
> Viktor

It is all down to the schema version support. Samba supports version 47 and, experimentally, version 69; more info here:

https://wiki.samba.org/index.php/AD_Schema_Version_Support

Rowland
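Rowland's point is that the deciding number is the schema `objectVersion` of the domain, not the functional level Viktor was looking at. Reading that attribute from the local `sam.ldb` before any DC is added is cheap, and the Python below is an added example (not from the thread, from Samba, or from any of the posters) that parses the LDIF that `ldbsearch` prints for the Schema naming context and classifies the version against the two numbers Rowland gives (47 supported, 69 experimental). The sample LDIF is constructed, with the `dn` deliberately folded across two lines the way LDIF permits so that the parser has to unfold it; the `ldbsearch` invocation in the comment and the table mapping `objectVersion` numbers to Windows Server releases are my assumptions from general AD knowledge, not something the thread states.

```python
import base64
from typing import Dict, List, Optional

# Schema objectVersion values that Samba handles, as stated in the thread.
SUPPORTED_VERSIONS = {47}
EXPERIMENTAL_VERSIONS = {69}

# objectVersion -> Windows Server release that introduced it. Assumption from
# general AD knowledge for context only; the thread itself names just 47 and 69.
SCHEMA_RELEASES = {
    30: "Windows Server 2003",
    31: "Windows Server 2003 R2",
    44: "Windows Server 2008",
    47: "Windows Server 2008 R2",
    56: "Windows Server 2012",
    69: "Windows Server 2012 R2",
    87: "Windows Server 2016",
    88: "Windows Server 2019",
}

# Constructed sample: the shape of what
#   ldbsearch -H /var/lib/samba/private/sam.ldb -s base \
#       -b "CN=Schema,CN=Configuration,DC=example,DC=test" objectVersion
# prints (assumed invocation), with the dn folded over two lines.
SAMPLE_LDIF_2019 = """\
# record 1
dn: CN=Schema,CN=Configuration,DC=example,
 DC=test
objectVersion: 88

# returned 1 records
# 1 entries
# 0 referrals
"""

SAMPLE_LDIF_2008R2 = """\
dn: CN=Schema,CN=Configuration,DC=example,DC=test
objectVersion: 47
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into entries; each entry maps attribute name -> list of values.
    Handles '#' comments, blank-line entry separators and '::' base64 values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold_ldif(text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries


def schema_object_version(ldif_text: str) -> Optional[int]:
    """Return the objectVersion from the first entry that carries one."""
    for entry in parse_ldif_entries(ldif_text):
        if "objectVersion" in entry:
            return int(entry["objectVersion"][0])
    return None


def classify_schema_version(version: int) -> Dict[str, object]:
    """Rate a schema objectVersion against the support statement in the thread."""
    if version in SUPPORTED_VERSIONS:
        status = "supported"
    elif version in EXPERIMENTAL_VERSIONS:
        status = "experimental"
    elif version > max(EXPERIMENTAL_VERSIONS):
        status = "unsupported"  # newer than anything the thread says Samba can load
    else:
        status = "older"  # below 47; not covered by the thread
    return {"version": version, "release": SCHEMA_RELEASES.get(version, "unknown"), "status": status}


def check_schema(ldif_text: str) -> Dict[str, object]:
    version = schema_object_version(ldif_text)
    if version is None:
        return {"version": None, "release": "unknown", "status": "not-found"}
    return classify_schema_version(version)


if __name__ == "__main__":
    print(check_schema(SAMPLE_LDIF_2019))
    print(check_schema(SAMPLE_LDIF_2008R2))
```

Run the check against both the Samba DC and the Windows DC you intend to join (via `ldbsearch` on the Samba side, or any LDAP client against the Windows side): if the Windows side reports a schema version the Samba side cannot load, joining it will push that schema over DRS and produce exactly the `dsdb_repl_resolve_working_schema` failure quoted at the top of the thread.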
On Tue, 2019-02-12 at 11:48 +0000, Rowland Penny via samba wrote:
>
> It is all down to the schema version support. Samba supports version 47 and, experimentally, version 69; more info here:
>
> https://wiki.samba.org/index.php/AD_Schema_Version_Support
>
> Rowland

I would note there is some good news for Samba 4.11: we have in development (currently pending the addition of the required very thorough automated testing) patches to address this problem. It allows live schema updates over DRS even for complex schema changes that cause trouble for Samba at the moment.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba