samba - May 2021 - doc suggestion / question on adding native win 2012R2 DC

On 17/05/2021 13:14, mj via samba wrote:
> Hi,
>
> I am studying the wiki and trying and testing, in order to better 
> understand the situation on adding native windows DCs to an otherwise 
> samba managed AD domain.
>
> On the wiki page
>
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>
> is warned "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD 
> breaks the AD replication.", with two bug reports linked.
>
> Is that not supposed to say: "Joining a Windows Server 2012 or 2012 R2
> DC to a Samba AD WITH FUNCTIONAL LEVEL 2012R2 breaks the AD
replication"?

Probably now, but not when the note was originally added to the wiki page.
>
> I have just tested this with a samba (4.13.7) AD with functional level 
> 2008_R2 and adding a native windows 2012R2 DC (through a windows 
> 2008R2 DC) seems to have worked out. Our domain functional level is 
> still 2008R2, and the samba AD schema is at version 56, and it seems 
> they are all replicating to each other.

Good to know.
>
> In the aforementioned bug report 
> (https://bugzilla.samba.org/show_bug.cgi?id=13619) Andrew Bartlett 
> says: "Thankfully Windows 2012 can join a down-level domain, just not 
> at FL 2012, provided the schema is updated, which we can do."

that was something that he was seemingly keeping to himself.
>
> I followed https://wiki.samba.org/index.php/AD_Schema_Version_Support 
> to upgrade the schema, but it seems to have failed:
>
>> root at dc2:~# samba-tool domain schemaupgrade
>> Temporarily overriding 'dsdb:schema update allowed' setting
>> ERROR: Failed to upgrade schema. Check if 'patch' is installed.

That could be because the default schema is now 2012R2
>
> Plus samba-tool dbcheck now throws some errors that are probably 
> related to the failed schemaupgrade:
>
>> root at dc3:~# samba-tool dbcheck --cross-ncs
>> Checking 5813 objects
>> ERROR: wrong instanceType 5 on 
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on 
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: wrong instanceType 5 on 
>> CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on 
>> CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: incorrect DN string component for serverReference in object 
>>
CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com
>> - 
>>
<GUID=b6218cf7-3404-4fdc-982f-d58755ce9fea>;<RMD_ADDTIME=132657230530000000>;<RMD_CHANGETIME=132657230530000000>;<RMD_FLAGS=0>;<RMD_INVOCID=30a5c9e9-8a98-4d98-89df-076dc3bd6775>;<RMD_LOCAL_USN=6914362>;<RMD_ORIGINATING_USN=57446>;<RMD_VERSION=1>;<SID=S-1-5-21-90839350-988488634-868425949-135701>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
>> Not fixing string component mismatch
>> Please use --fix to fix these errors
>> Checked 5813 objects (3 errors)
>> root at dc3:~# 
>
> Feedback on the above dbcheck errors? Just fix them, or do they 
> indicate something bigger..?

I would fix them. Then check again.
>
> Also: samba-tool ldapcmp works between the native samba DCs, but 
> reports errors when comparing between samba <-> windows DCs. Perhaps 
> that is expected?

I do not know, never tried it, but I think it should work, what are the 
errors you get ?

>
> So, all in all what I tried seems to have worked out fairly well. It 
> just feels a bit eerie, because of the warnings and specifics on the way.

Did you make any notes ? If so, can I have a (sanitised) copy of them, 
then I can update the wiki page ?

Rowland

Hi Rowland, list,

On 17/05/2021 14:58, Rowland penny via samba wrote:
>>> root at dc2:~# samba-tool domain schemaupgrade
>>> Temporarily overriding 'dsdb:schema update allowed' setting
>>> ERROR: Failed to upgrade schema. Check if 'patch' is
installed.
> 
> 
> That could be because the default schema is now 2012R2
I suddenly realised that the error is quite litural: patch is not 
installed on the server! :-)

As the DCs are fully isolated now, I cannot easily install it. I will 
install patch on my production DCs, isolate them again, and rerun 
everything I have done so far.

I will try also to better keep and share the notes of everything done.
>> Feedback on the above dbcheck errors? Just fix them, or do they 
>> indicate something bigger..?
> 
> 
> I would fix them. Then check again.
So, I did that. And now the dbcheck errors are gone, but now also: 5835 
objects on samba_DC2 vs 5836 objects on samba_DC3. :-|

While ldapcmp reports NO differences between the two samba DCs.

That is interesting? I am used to seeing the same number of objects on 
my DCs.
> I do not know, never tried it, but I think it should work, what are the 
> errors you get ?
See here: https://pad.ceph.com/p/ldapcmp

There are around 33 users showing differences. (of the total of 600+)
> Did you make any notes ? If so, can I have a (sanitised) copy of them, 
> then I can update the wiki page ?
I intend to do everything over, hopefully follow a straighter path this 
time, document better, and then share with you.

MJ