Andrew Martin
2021-Jun-24 14:40 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hello,

I am interested in following the instructions here to test out Azure AD Connect with local Samba DCs:
https://wiki.samba.org/index.php/Azure_AD_Sync

Per the above instructions, it looks like the domain functional level needs to be raised to 2012_R2, but according to these pages, 2012_R2 is not supported yet on Samba DCs:
https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels
https://lists.samba.org/archive/samba/2019-June/223643.html

Is there an ETA for support for 2012_R2?

Or, does Azure AD Connect only require that the Schema Level and Preparation Level be raised to 2012_R2, but not the Functional Level? (The difference between these 3 features is defined in the link below.)
https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Overview

If so, what are the consequences of running the Schema Level and Preparation Level at different values from the Functional Level (leaving the latter at 2008_R2)? It seems like running these at different values wouldn't be a recommended configuration.

Moreover, what is the safe and correct way to raise any of these levels? According to the following page, using samba-tool is not safe or recommended for raising the Functional Level:
https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level

Yet it appears the Windows RSAT tool is also not supported:
https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Using_the_Windows_Active_Directory_Domains_and_Trusts_Utility

Thanks for the help on all of these questions!

Andrew
mj
2021-Jun-25 10:05 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi Andrew,

We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it worked, but with one exception: the password hashes never synced to Azure, plus Samba showed continuous high CPU usage.

So what I ended up doing: I added a native Windows DC specifically for Azure AD Connect cloud sync. During cloud sync install, you can point it to that dedicated Windows DC. I set up firewalling, so that this Windows DC is only used for that, and regular clients cannot connect to it. (It also does not have a synced sysvol.)

This has been working quite nicely for a couple of weeks now.

One thing to keep in mind also is that the Azure AD Connect cloud sync also syncs your on-prem UPN to Azure. But you probably want your Azure UPN to match the email address. To do that, you need to edit (in Azure admin) the mapping for UserPrincipalName to:

> IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@", [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))

We've just completed this all and everything is now working nicely; it's just a pity we had to add a Windows DC to make it all work.

Ask if you have more questions.

MJ
mj
2021-Jun-25 10:12 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi Andrew,

We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it worked, but with one exception: the password hashes never synced to Azure, plus Samba showed continuous high CPU usage.

So what I ended up doing: I added a native Windows DC to our AD specifically for Azure AD Connect cloud sync. During cloud sync install, you can point it to that dedicated Windows DC. I set up firewalling, so that this Windows DC can only be used for that, and regular clients cannot connect to it. (As it also does not have a synced sysvol.)

This has been working quite nicely for a couple of weeks now.

One thing to keep in mind also is that the Azure AD Connect cloud sync also syncs your on-prem UPN to Azure. But you probably want your Azure UPN to match the email address. To do that, you need to edit (in Azure admin) the mapping for UserPrincipalName to:

> IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@", [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))

We've just completed this all and everything is now working nicely; it's just a pity we had to add a Windows DC to make it all work.

And on the functional level: our Samba AD is:

> root@samdc2:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2

but we have completed the steps in the linked doc (func prep / schemaupgrade).

Two interesting reads on the subject:
https://blog.astashin.com/blog/Bring-em-all-in-p3/
and https://evotec.xyz/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure/

Ask if you have more questions.

MJ
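The UserPrincipalName mapping MJ quotes, applied as a pre-flight check on the on-prem side (an added example, not code from this thread or from Azure AD Connect): it evaluates the IIF expression for constructed user records and flags what an admin would want to catch before syncing: users without mail falling back to sAMAccountName@%DomainFQDN%, a suffix that may not be a verified domain in the tenant, duplicate UPNs, and the Error() branch. The domain FQDN, the verified-domain set and the sample users are assumptions.

```python
# Added example: replay the cloud-sync UPN mapping from the thread over
# constructed on-prem user records and report problems before a real sync.

DOMAIN_FQDN = "samba.company.com"    # assumed; stands in for %DomainFQDN%
VERIFIED_DOMAINS = {"company.com"}   # assumed set of domains verified in the tenant


def is_present(value):
    """Mirror of IsPresent(): attribute exists and is non-empty."""
    return value is not None and value != ""


def map_upn(user, domain_fqdn=DOMAIN_FQDN):
    """IIF(IsPresent([mail]), [mail],
          IIF(IsPresent([sAMAccountName]),
              Join("@", [sAMAccountName], %DomainFQDN%),
              Error("AccountName is not present")))"""
    if is_present(user.get("mail")):
        return user["mail"]
    if is_present(user.get("sAMAccountName")):
        return "@".join([user["sAMAccountName"], domain_fqdn])
    raise ValueError("AccountName is not present")  # the Error() branch


def audit(users, verified=VERIFIED_DOMAINS, domain_fqdn=DOMAIN_FQDN):
    """Return (sAMAccountName, upn, issue) per user; issue is None when clean."""
    seen = {}      # lower-cased UPN -> first account that produced it
    report = []
    for u in users:
        name = u.get("sAMAccountName")
        try:
            upn = map_upn(u, domain_fqdn)
        except ValueError as e:
            report.append((name, None, str(e)))   # this object would fail to sync
            continue
        issue = None
        suffix = upn.rsplit("@", 1)[-1].lower()
        if suffix not in verified:
            # Azure replaces an unverified UPN suffix with the tenant's default
            # onmicrosoft.com domain, so sign-in names silently change.
            issue = "unverified UPN suffix %s" % suffix
        elif upn.lower() in seen:
            issue = "duplicate UPN, collides with %s" % seen[upn.lower()]
        seen.setdefault(upn.lower(), name)
        report.append((name, upn, issue))
    return report


SAMPLE_USERS = [  # constructed test data
    {"sAMAccountName": "alice", "mail": "alice@company.com"},
    {"sAMAccountName": "bob", "mail": ""},                      # no mail: fallback
    {"sAMAccountName": "carol", "mail": "alice@company.com"},   # same mail as alice
    {"sAMAccountName": "", "mail": None},                       # Error() case
]

if __name__ == "__main__":
    for row in audit(SAMPLE_USERS):
        print(row)
```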