Luc Lalonde
2019-Jul-30 14:33 UTC
[Samba] Samba 4.11.0RC1 replication with Windows2012R2 ?
Hello Tim,

Wow, great documentation! That really clears a lot of the terminology for me.

We have to remove our Win2008R2 Servers before Jan2020. Hopefully Samba 4.11.x will permit us to join a Win2012R2 Server at a 2008R2 functional level...

Your documentation gives steps on how to do this. But I need some clarifications...

Here's my understanding of the workflow:

1. Upgrade Samba DC's to version 4.11.x
2. Promote domain to schema 69
3. Transfer FSMO roles to Windows 2008R2 Server
4. Join Windows 2012R2 Server to domain
5. Delete Windows 2008R2 Server

When I join the Windows 2012R2 Server to the domain, how do I make sure that it doesn't try to upgrade the functional level to 2012R2?

Do you know if 2012R2 functional level is planned for Samba 4.12.x ?

Thank You!

On 2019-07-29 5:36 p.m., Tim Beale wrote:
>
> FYI, we've added a wiki page that explains this difference between
> functional level and schema level in a bit more detail.
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility
>
> I've got a patch to link to the wiki page from the WHATSNEW (currently
> pending review/delivery).
>
> The other thing to note is there's a bug joining Windows on 4.10 and
> 4.11rc1. The fix is pending delivery, so this should be fixed in a
> subsequent rc build.
> https://bugzilla.samba.org/show_bug.cgi?id=14046
>
> On 30/07/19 4:43 AM, Luc Lalonde via samba wrote:
>> Ahh ok, thanks for the clarification! I'll go to bed less ignorant
>> tonight ;-)
>>
>> On 2019-07-29 12:07 p.m., Rowland penny via samba wrote:
>>> On 29/07/2019 16:41, Luc Lalonde wrote:
>>>> The first sentence says that default schema has changed from 2008R2
>>>> (schema 47) to 2012R2 (schema 69).
>>>>
>>>> This does not mean that we're now at Windows 2012R2 functional level by
>>>> default? I must be missing something...
>>>>
>>> Schema version != function level ;-)
>>>
>>> For instance, Samba, as you say, uses schema 47 which could be
>>> function level 2008R2, but you can set it to be 2003 (not that you
>>> would want to)
>>>
>>> Rowland

--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
On 31/07/19 2:33 AM, Luc Lalonde wrote:
>
> Here's my understanding of the workflow:
>
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Promote domain to schema 69
> 3. Transfer FSMO roles to Windows 2008R2 Server
> 4. Join Windows 2012R2 Server to domain
> 5. Delete Windows 2008R2 Server
>

As you've already got a Windows 2008R2 DC in your network, when you join the 2012R2 DC it should automatically upgrade the schema. So this is probably the most reliable/easiest way for your setup:

1. Upgrade Samba DC's to version 4.11.x
2. Transfer FSMO roles to Windows 2008R2 Server
3. Join Windows 2012R2 Server to domain (this should automatically promote domain to schema 69).
4. Delete Windows 2008R2 Server

You could in theory use samba to upgrade the schema instead, which would avoid the need for the FSMO role transfers. However, given you've got 2 different Windows versions here, I think it's best here to let Windows sort out the interoperability. For reference, using Samba to do the schema upgrade would look like:

1. Upgrade Samba DC's to version 4.11.x
2. Promote domain to schema 69 (using samba-tool domain schemaupgrade)
3. Join Windows 2012R2 Server to domain.

However, this approach would be more useful for users that didn't already have a Windows 2008R2 DC in their network.

> When I join the Windows 2012R2 Server to the domain, how do I make
> sure that it doesn't try to upgrade the functional level to 2012R2?
>

You have to manually raise the functional level. This shouldn't accidentally happen.
https://support.microsoft.com/en-nz/help/322692/how-to-raise-active-directory-domain-and-forest-functional-levels

> Do you know if 2012R2 functional level is planned for Samba 4.12.x ?
>

Sadly, no. Unfortunately this is a significant undertaking (it requires a lot of Heimdal/FAST/Claims support work). Right now, we'd need some more funding to make this happen.
Fabio Fantoni
2019-Jul-31 09:25 UTC
[Samba] Samba 4.11.0RC1 replication with Windows2012R2 ?
On 31/07/2019 00:05, Tim Beale via samba wrote:
> On 31/07/19 2:33 AM, Luc Lalonde wrote:
>> Here's my understanding of the workflow:
>>
>> 1. Upgrade Samba DC's to version 4.11.x
>> 2. Promote domain to schema 69
>> 3. Transfer FSMO roles to Windows 2008R2 Server
>> 4. Join Windows 2012R2 Server to domain
>> 5. Delete Windows 2008R2 Server
>>
> As you've already got a Windows 2008R2 DC in your network, when you join
> the 2012R2 DC it should automatically upgrade the schema. So this is
> probably the most reliable/easiest way for your setup:
>
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Transfer FSMO roles to Windows 2008R2 Server
> 3. Join Windows 2012R2 Server to domain (this should automatically
>    promote domain to schema 69).
> 4. Delete Windows 2008R2 Server
>
> You could in theory use samba to upgrade the schema instead, which would
> avoid the need for the FSMO role transfers. However, given you've got 2
> different Windows versions here, I think it's best here to let Windows
> sort out the interoperability. For reference, using Samba to do the
> schema upgrade would look like:
>
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Promote domain to schema 69 (using samba-tool domain schemaupgrade)
> 3. Join Windows 2012R2 Server to domain.
>
> However, this approach would be more useful for users that didn't
> already have a Windows 2008R2 DC in their network.
>
>> When I join the Windows 2012R2 Server to the domain, how do I make
>> sure that it doesn't try to upgrade the functional level to 2012R2?
>>
> You have to manually raise the functional level. This shouldn't
> accidentally happen.
> https://support.microsoft.com/en-nz/help/322692/how-to-raise-active-directory-domain-and-forest-functional-levels
>
>> Do you know if 2012R2 functional level is planned for Samba 4.12.x ?
>>
> Sadly, no. Unfortunately this is a significant undertaking (it requires
> a lot of Heimdal/FAST/Claims support work). Right now, we'd need some
> more funding to make this happen.
>

Thanks for the useful information about different cases of samba upgrade for w2012r2.

About functional level to 2012R2 why doesn't the samba team make a specific crowdfunding?
Luc Lalonde
2019-Jul-31 18:07 UTC
[Samba] Samba 4.11.0RC1 replication with Windows2012R2 ?
Great! That sounds clear enough. I'll wait for 4.11.0 to come out and try that out.

Thanks for your help.

On 2019-07-30 6:05 p.m., Tim Beale wrote:
> On 31/07/19 2:33 AM, Luc Lalonde wrote:
>>
>> Here's my understanding of the workflow:
>>
>> 1. Upgrade Samba DC's to version 4.11.x
>> 2. Promote domain to schema 69
>> 3. Transfer FSMO roles to Windows 2008R2 Server
>> 4. Join Windows 2012R2 Server to domain
>> 5. Delete Windows 2008R2 Server
>>
> As you've already got a Windows 2008R2 DC in your network, when you
> join the 2012R2 DC it should automatically upgrade the schema. So this
> is probably the most reliable/easiest way for your setup:
>
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Transfer FSMO roles to Windows 2008R2 Server
> 3. Join Windows 2012R2 Server to domain (this should automatically
>    promote domain to schema 69).
> 4. Delete Windows 2008R2 Server
>
> You could in theory use samba to upgrade the schema instead, which
> would avoid the need for the FSMO role transfers. However, given
> you've got 2 different Windows versions here, I think it's best here
> to let Windows sort out the interoperability. For reference, using
> Samba to do the schema upgrade would look like:
>
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Promote domain to schema 69 (using samba-tool domain schemaupgrade)
> 3. Join Windows 2012R2 Server to domain.
>
> However, this approach would be more useful for users that didn't
> already have a Windows 2008R2 DC in their network.
>
>> When I join the Windows 2012R2 Server to the domain, how do I make
>> sure that it doesn't try to upgrade the functional level to 2012R2?
>>
> You have to manually raise the functional level. This shouldn't
> accidentally happen.
> https://support.microsoft.com/en-nz/help/322692/how-to-raise-active-directory-domain-and-forest-functional-levels
>
>> Do you know if 2012R2 functional level is planned for Samba 4.12.x ?
>>
> Sadly, no. Unfortunately this is a significant undertaking (it
> requires a lot of Heimdal/FAST/Claims support work). Right now, we'd
> need some more funding to make this happen.
>

--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
Luc Lalonde
2019-Sep-19 20:41 UTC
[Samba] SUCCESS: Samba 4.11.0RC4 replication with Windows2012R2 (schema 47 -> 69 upgrade)
Hello Tim,

I finally got around to testing your steps in a virtual environment. The schema upgrade was updated automatically as you predicted:

Here are the two existing DCs:

    DC1.foobar.org (Windows 2008R2)
    DC2.foobar.org (Samba 4.0.11.0RC4)

New DC to join FOOBAR.ORG domain:

    DC3.foobar.org (Windows 2012R2)

As you mentioned below, after having joined the schema upgrade should be automatically migrated to version 69. I did make sure that all the FSMO roles + Global Catalog were moved to the 2008R2 server (DC1) before proceeding.

On the Samba side (DC2), the schema is updated to 69:

    [root@roquefort ~]# /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=foobar,dc=org' -s base objectVersion
    # record 1
    dn: CN=Schema,CN=Configuration,DC=foobar,DC=org
    objectVersion: 69

    # returned 1 records
    # 1 entries
    # 0 referrals

And on the new Windows 2012R2 (DC3) and on the Windows 2008R2 (DC1), I am seeing schema 69:

    PS C:\Users\administrator> Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

    DistinguishedName : CN=Schema,CN=Configuration,DC=foobar,DC=org
    Name              : Schema
    ObjectClass       : dMD
    ObjectGUID        : 3fa3d94d-3654-4bce-8062-359e1de3df50
    objectVersion     : 69

I also checked replication status on the Windows and Linux sides. Everything seems to be running without errors.

So hooray! Once 4.11.1 comes out, I'll migrate my AD environment to get rid of 2008R2 servers and move them to 2012R2. My superstitious nature won't allow me to use *.*.0 releases in a production environment ;-)

Thanks again for the great work!

Best regards, Luc.

On 2019-07-30 6:05 p.m., Tim Beale wrote:
> On 31/07/19 2:33 AM, Luc Lalonde wrote:
>>
>> Here's my understanding of the workflow:
>>
>> 1. Upgrade Samba DC's to version 4.11.x
>> 2. Promote domain to schema 69
>> 3. Transfer FSMO roles to Windows 2008R2 Server
>> 4. Join Windows 2012R2 Server to domain
>> 5. Delete Windows 2008R2 Server
>>
> As you've already got a Windows 2008R2 DC in your network, when you
> join the 2012R2 DC it should automatically upgrade the schema. So this
> is probably the most reliable/easiest way for your setup:
>
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Transfer FSMO roles to Windows 2008R2 Server
> 3. Join Windows 2012R2 Server to domain (this should automatically
>    promote domain to schema 69).
> 4. Delete Windows 2008R2 Server
>
> You could in theory use samba to upgrade the schema instead, which
> would avoid the need for the FSMO role transfers. However, given
> you've got 2 different Windows versions here, I think it's best here
> to let Windows sort out the interoperability. For reference, using
> Samba to do the schema upgrade would look like:
>
> 1. Upgrade Samba DC's to version 4.11.x
> 2. Promote domain to schema 69 (using samba-tool domain schemaupgrade)
> 3. Join Windows 2012R2 Server to domain.
>
> However, this approach would be more useful for users that didn't
> already have a Windows 2008R2 DC in their network.
>
>> When I join the Windows 2012R2 Server to the domain, how do I make
>> sure that it doesn't try to upgrade the functional level to 2012R2?
>>
> You have to manually raise the functional level. This shouldn't
> accidentally happen.
> https://support.microsoft.com/en-nz/help/322692/how-to-raise-active-directory-domain-and-forest-functional-levels
>
>> Do you know if 2012R2 functional level is planned for Samba 4.12.x ?
>>
> Sadly, no. Unfortunately this is a significant undertaking (it
> requires a lot of Heimdal/FAST/Claims support work). Right now, we'd
> need some more funding to make this happen.
>

--
Luc Lalonde, analyste
-----------------------------
Département de génie informatique:
École polytechnique de MTL
(514) 340-4711 x5049
Luc.Lalonde at polymtl.ca
-----------------------------
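
The schema check in the message above can be scripted together with a functional-level check, since the thread's point is that the two move independently. This is an added example, not part of the original posts or of Samba: the function names are hypothetical, the domain LDIF is constructed sample data, and it assumes the domain functional level is read from the standard msDS-Behavior-Version attribute on the domain head.

```shell
#!/bin/sh
# Added example: feed it the LDIF printed by, for example:
#   ldbsearch -H /usr/local/samba/private/sam.ldb -s base \
#     -b 'cn=Schema,cn=Configuration,dc=foobar,dc=org' objectVersion
#   ldbsearch -H /usr/local/samba/private/sam.ldb -s base \
#     -b 'dc=foobar,dc=org' msDS-Behavior-Version

# Print the first value of attribute $1 found in the LDIF on stdin.
ldif_attr() {
    awk -v want="$1" 'BEGIN { want = tolower(want) ":" }
        tolower($1) == want { print $2; exit }'
}

# Schema objectVersion -> Windows release that ships it.
schema_name() {
    case "$1" in
        47) echo 2008R2 ;; 56) echo 2012 ;; 69) echo 2012R2 ;; *) echo unknown ;;
    esac
}

# msDS-Behavior-Version on the domain head -> domain functional level.
level_name() {
    case "$1" in
        2) echo 2003 ;; 3) echo 2008 ;; 4) echo 2008R2 ;;
        5) echo 2012 ;; 6) echo 2012R2 ;; *) echo unknown ;;
    esac
}

# check_upgrade SCHEMA_LDIF DOMAIN_LDIF WANT_SCHEMA WANT_LEVEL
# Returns 0 if both match, 1 on a mismatch, 2 if an attribute is missing.
check_upgrade() {
    schema=$(printf '%s\n' "$1" | ldif_attr objectVersion)
    level=$(printf '%s\n' "$2" | ldif_attr msDS-Behavior-Version)
    if [ -z "$schema" ] || [ -z "$level" ]; then
        echo "ERROR: objectVersion or msDS-Behavior-Version not in input"; return 2
    fi
    echo "schema $schema ($(schema_name "$schema")), level $level ($(level_name "$level"))"
    [ "$schema" = "$3" ] || { echo "FAIL: schema is not $3"; return 1; }
    [ "$level" = "$4" ] || { echo "FAIL: functional level is not $4"; return 1; }
    echo "OK"
}

# Schema LDIF as shown in the post; the domain LDIF is constructed sample data.
SCHEMA_LDIF='# record 1
dn: CN=Schema,CN=Configuration,DC=foobar,DC=org
objectVersion: 69'
DOMAIN_LDIF='dn: DC=foobar,DC=org
msDS-Behavior-Version: 4'
check_upgrade "$SCHEMA_LDIF" "$DOMAIN_LDIF" 69 4
```

Run it on each DC after the join: a schema of 69 with level 4 is the expected result of the workflow discussed here, while a level of 5 or 6 means someone raised the functional level by hand.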