Hi,
This morning, I simply tried adding the 2008R2 DC again, and the DC was 
added successfully. Domain logons work, etc. Not sure why it didn't work 
yesterday. I also transferred fsmo roles to the 2008R2 DC.
Next step was trying to add a win2012R2 DC following:
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
but it fails with:
The attempt to join this computer to the "samba.company.com" domain 
failed. "This operation is only allowed for the Primary Domain 
Controller of the domain."
I did not know that there are primary (and thus also secondary?) DCs in AD.
Thing is: I would prefer not to include a (EOLed) win2008R2 DC in our 
samba domain.
Hence the question: Is it possible at all to add a current (not EOL-ed) 
version of windows as a DC in a samba AD on level 2008_R2 ?
Also asking because of the warning on the samba wiki:
> ("Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the
> AD replication! Do not use this documentation until the problem is fixed!
> For more details, see Bug #13618 and Bug #13619.")
What is the situation regarding this?
Best,
MJ
On 10/05/2021 19:16, mj via samba wrote:
> Hi,
> 
> My goal is to add a native windows DC to my otherwise samba-only AD.
> 
> I started by raising the domain functional level from 2003 to 2008R2, 
> while on samba 4.13.7, by doing just:
> 
>> samba-tool domain level raise --domain-level=2008_R2
>> samba-tool domain level raise --forest-level=2008_R2
> 
> I cloned my 3 production DC VMs to an isolated network, and confirmed 
> that they were happy there. (replicating, etc)
> 
> Then I tried adding a windows x64 2008R2 DC following the instructions 
> from:
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
> 
> 
> The result is: 90-95% CPU usage for rpc(0) process on the 4.13.7 samba 
> DC during initial replication, and the replication takes eternally 
> (hanging on CN=Configuration for 90 minutes, with no visible progress)
> 
> I'll leave it for the night, perhaps it just takes *very* long.
> 
> (the status is: Replicating data CN=Configuration,DC=samba... Received 
> 1625 out of approx 1625 objects, and 18 out of approx 18 DN values)
> 
> The new windows DC shows up in samba-tool drs showrepl as 
> "WERR_FILE_NOT_FOUND"
> 
> Not sure about adding win2012 (or win2012R2) because of the warning 
> listed here:
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
> 
> ("Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the
> AD replication! Do not use this documentation until the problem is fixed!
> For more details, see Bug #13618 and Bug #13619.")
> 
> Besides (I tried it anyway...), it showed that adding a win2012 DC 
> directly does not work, because of the incompatible (WMI) protocol used.
> I read it has to be done 'through' a win2008 DC anyway.
> 
> My goal is to test the azure cloud provisioning agent, and connect it to 
> this new dedicated windows DC. For the rest I'd like my network to 
> remain samba.
> 
> I will try adding the 2008R2 DC again tomorrow with a higher samba log 
> level, because at the moment it is unclear why CPU usage is high, and 
> what it is hanging on.
> 
> If anyone has insights to share, they would be welcomed and appreciated. 
> :-)
> 
> Thanks,
> MJ
>
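An added example (not from this thread, nor Samba's own code): a small Python checker that parses `samba-tool drs showrepl` output and lists neighbours that, like the WERR_FILE_NOT_FOUND partner mentioned above, report a failed last attempt or a failure streak. The sample output embedded below is constructed, and the exact "failed, result N (WERR_...)" wording is an assumption about the tool's format.

```python
import re

# Constructed sample in the layout `samba-tool drs showrepl` typically prints
# (names and times made up; the "failed, result N (WERR_...)" wording is assumed).
SAMPLE = """\
==== INBOUND NEIGHBORS ====
DC=samba,DC=company,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast attempt @ Tue May 11 09:00:00 2021 CEST was successful
\t\t0 consecutive failure(s).

CN=Configuration,DC=samba,DC=company,DC=com
\tDefault-First-Site-Name\\WIN2008R2 via RPC
\t\tLast attempt @ Tue May 11 09:01:00 2021 CEST failed, result 2 (WERR_FILE_NOT_FOUND)
\t\t7 consecutive failure(s).
\t\tLast success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
"""

FAIL_RE = re.compile(r"failed, result \d+ \((\w+)\)")
STREAK_RE = re.compile(r"(\d+) consecutive failure\(s\)")

def parse_showrepl(text):
    """Split showrepl output into one dict per replication neighbour."""
    records, direction, partition, current = [], None, None, None
    for raw in text.splitlines():
        if raw.startswith("===="):              # section header
            direction, current = raw.strip("= ").split()[0], None
        elif direction not in ("INBOUND", "OUTBOUND") or not raw.strip():
            continue                            # skip KCC section and blank lines
        elif raw.startswith("\t\t"):            # detail line of the current neighbour
            current["details"].append(raw.strip())
        elif raw.startswith("\t"):              # neighbour line: "<site>\\<dc> via RPC"
            current = {"direction": direction, "partition": partition,
                       "partner": raw.strip().split(" via ")[0], "details": []}
            records.append(current)
        else:                                   # unindented line: partition DN
            partition = raw.strip()
    return records

def replication_failures(text):
    """Neighbours whose last attempt failed or that carry a failure streak."""
    out = []
    for rec in parse_showrepl(text):
        errors = [m.group(1) for m in map(FAIL_RE.search, rec["details"]) if m]
        streaks = [int(m.group(1)) for m in map(STREAK_RE.search, rec["details"]) if m]
        if errors or any(streaks):
            out.append((rec["direction"], rec["partition"], rec["partner"],
                        errors[0] if errors else None, max(streaks, default=0)))
    return out
```

On a live DC you would pass the captured output of `samba-tool drs showrepl` to `replication_failures` instead of `SAMPLE`.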