Hi,

This morning, I simply tried adding the 2008R2 DC again, and the DC was added successfully. Domain logons work, etc. Not sure why it didn't work yesterday. I also transferred fsmo roles to the 2008R2 DC.

Next step was trying to add a win2012R2 DC following
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
but it fails with:

The attempt to join this computer to the "samba.company.com" domain failed. "This operation is only allowed for the Primary Domain Controller of the domain."

I did not know that there are primary (and thus also secondary?) DCs in AD.

Thing is: I would prefer not to include a (EOLed) win2008R2 DC in our samba domain.

Hence the question: Is it possible at all to add a current (not EOL-ed) version of windows as a DC in a samba AD on level 2008_R2 ?

Also asking because of the warning on the samba wiki.

> ("Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the
> AD replication! Do not use this documentation until the problem is fixed!
> For more details, see Bug #13618 and Bug #13619.")

What is the situation regarding this?

Best,
MJ

On 10/05/2021 19:16, mj via samba wrote:
> Hi,
>
> My goal is to add a native windows DC to my otherwise samba-only AD.
>
> I started by raising the domain functional level from 2003 to 2008R2,
> while on samba 4.13.7, by doing just:
>
>>   samba-tool domain level raise --domain-level=2008_R2
>>   samba-tool domain level raise --forest-level=2008_R2
>
> I cloned my 3 production DC VMs to an isolated network, and confirmed
> that they were happy there. (replicating, etc)
>
> Then I tried adding a windows x64 2008R2 DC following the instructions
> from:
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD
>
> The result is: 90-95% CPU usage for rpc(0) process on the 4.13.7 samba
> DC during initial replication, and the replication takes eternally
> (hanging on CN=Configuration for 90 minutes, with no visible progress)
>
> I'll leave it for the night, perhaps it just takes *very* long.
>
> (the status is: Replicating data CN=Configuration,DC=samba... Received
> 1625 out of approx 1625 objects, and 18 out of approx 18 DN values)
>
> The new windows DC shows up in samba-tool drs showrepl as
> "WERR_FILE_NOT_FOUND"
>
> Not sure about adding win2012 (or win2012R2) because of the warning
> listed here:
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>
> ("Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks the
> AD replication! Do not use this documentation until the problem is fixed!
> For more details, see Bug #13618 and Bug #13619.")
>
> Besides (I tried it anyway...) and it showed that adding a win2012 DC
> directly does not work, because of the incompatible (WMI) protocol used.
> I read it has to be done 'through' a win2008 DC anyway.
>
> My goal is to test the azure cloud provisioning agent, and connect it to
> this new dedicated windows DC. For the rest I'd like my network to
> remain samba.
>
> I will try adding the 2008R2 DC again tomorrow with a higher samba log
> level, because at the moment it is unclear why CPU usage is high, and
> what it is hanging on.
>
> If anyone has insights to share, they would be welcomed and appreciated.
> :-)
>
> Thanks,
> MJ
On 11/05/2021 10:25, mj via samba wrote:
> Hi,
>
> This morning, I simply tried adding the 2008R2 DC again, and the DC
> was added successfully. Domain logons work, etc. Not sure why it
> didn't work yesterday. I also transferred fsmo roles to the 2008R2 DC.
>
> Next step was trying to add a win2012R2 DC following
>> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>
> but it fails with:
>
> The attempt to join this computer to the "samba.company.com" domain
> failed. "This operation is only allowed for the Primary Domain
> Controller of the domain."
>
> I did not know that there are primary (and thus also secondary?) DCs
> in AD.

There aren't, I think it is referring to the PDC_Emulator FSMO role, perhaps it is trying to join using the wrong DC ?

> Thing is: I would prefer not to include a (EOLed) win2008R2 DC in our
> samba domain.
>
> Hence the question: Is it possible at all to add a current (not
> EOL-ed) version of windows as a DC in a samba AD on level 2008_R2 ?
>
> Also asking because of the warning on the samba wiki.
>> ("Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD breaks
>> the AD replication! Do not use this documentation until the problem
>> is fixed!
>> For more details, see Bug #13618 and Bug #13619.")

Try reading this:

https://dev.tranquil.it/samba/en/samba_advanced_methods/samba_add_windows_active_directory.html

Perhaps it will help.

Rowland
On 5/11/21 11:25 AM, mj via samba wrote:
> Hence the question: Is it possible at all to add a current (not EOL-ed)
> version of windows as a DC in a samba AD on level 2008_R2 ?

Replying to my own question, with some anecdotal evidence.

For the record:

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

and with these commands run successfully:

samba-tool domain functionalprep --function-level=2012_R2

and

samba-tool domain schemaupgrade --schema=2012_R2

I cloned my production (pure samba 4.13.7) domain, then first I added a win2008R2 DC, and then a win2016 server as an additional *DC* to it.

After adding the win2016 DC, the functional level is still 2008R2, and:

Replication seems to work, as a quick test I added a user on the win2016 DC, and it showed up on the samba DC. Samba (drs showrepl) reports no replication errors.

samba-tool ldapcmp does not work between windows and samba DCs. I have asked here about it, and got no replies. So not sure if that is supposed to work or not. I would appreciate anyone with mixed windows/samba DCs to try and report their ldapcmp findings.

The only issue is that dbcheck reports 1432 of these errors:

> Not fixing nTSecurityDescriptor on CN=user0,OU=disabled,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=860c3173,CN=Operations,CN=DomainUpdates,CN=System,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=user1,CN=Users,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=user2,CN=Users,DC=samdom,DC=company,DC=com

--fix does not actually fix them, even when --fix is run multiple times, even though:

DSDB Change [Modify] at [Thu, 27 May 2021 21:35:05.832214 CEST] status [Success]

I'm pretty sure they started after adding the 2016 DC.

Not sure if these errors are serious..?

More logs if anyone is interested.

MJ
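As an added helper (not from the thread or from Samba itself), the POSIX shell functions below summarise the two outputs the thread leans on: they collapse a run of identical `samba-tool dbcheck` "Not fixing ..." lines into per-attribute, per-container counts, and flag any `samba-tool drs showrepl` line carrying a WERR_ status. The sample output embedded in the script is constructed in the shape quoted above, not captured from a real DC.

```shell
#!/bin/sh
# Added helper (not from the thread). Pipe real output into it on a DC:
#   samba-tool dbcheck 2>&1 | count_unfixed
#   samba-tool drs showrepl 2>&1 | showrepl_errors

# Group "Not fixing <attribute> on <DN>" lines by attribute and by the
# container the object lives in (the DN minus its leading RDN), most
# frequent first, so 1432 near-identical lines become a few summary rows.
count_unfixed() {
    sed -n 's/^Not fixing \([^ ]*\) on [^,]*,\(.*\)$/\1 \2/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Echo every showrepl line carrying a WERR_ status code; return 1 when
# at least one was seen, 0 when the replication status looks clean.
showrepl_errors() {
    found=0
    while IFS= read -r line; do
        case $line in
            *WERR_*) printf '%s\n' "$line"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample output in the shape quoted in the thread (not real logs).
SAMPLE_DBCHECK='Checking 5 objects
Not fixing nTSecurityDescriptor on CN=user0,OU=disabled,DC=samdom,DC=company,DC=com
Not fixing nTSecurityDescriptor on CN=860c3173,CN=Operations,CN=DomainUpdates,CN=System,DC=samdom,DC=company,DC=com
Not fixing nTSecurityDescriptor on CN=user1,CN=Users,DC=samdom,DC=company,DC=com
Not fixing nTSecurityDescriptor on CN=user2,CN=Users,DC=samdom,DC=company,DC=com
Checked 5 objects (4 errors)'

SAMPLE_SHOWREPL='==== INBOUND NEIGHBORS ====
DC=samdom,DC=company,DC=com
    Default-First-Site-Name\WIN2008R2 via RPC
        Last attempt @ Mon May 10 19:00:00 2021 CEST failed, result 2 (WERR_FILE_NOT_FOUND)'

# Run with "demo" as the first argument to see both summaries on the samples.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_DBCHECK" | count_unfixed
    printf '%s\n' "$SAMPLE_SHOWREPL" | showrepl_errors || echo "replication errors found"
fi
```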