mj
2021-Jun-25 10:05 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi Andrew,

We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it worked, but with one exception: the password hashes never synced to Azure, plus Samba showed continuous high CPU usage.

So what I ended up doing: I added a native Windows DC specifically for Azure AD Connect cloud sync. During cloud sync install, you can point it to that dedicated Windows DC. I set up firewalling so that this Windows DC is only used for that, and regular clients cannot connect to it. (It also does not have a synced sysvol.) This has been working quite nicely for a couple of weeks now.

One thing to keep in mind also is that the Azure AD Connect cloud sync also syncs your on-prem UPN to Azure. But you probably want your Azure UPN to match the email address. To do that, you need to edit (in Azure admin) the mapping for UserPrincipalName to:

    IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@", [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))

We've just completed this all and everything is now working nicely, it's just a pity we had to add a Windows DC to make it all work.

Ask if you have more questions.

MJ

On 6/24/21 4:40 PM, Andrew Martin via samba wrote:
> Hello,
>
> I am interested in following the instructions here to test out Azure AD Connect
> with local Samba DCs:
> https://wiki.samba.org/index.php/Azure_AD_Sync
>
> Per the above instructions, it looks like the domain functional level needs to
> be raised to 2012_R2, but according to these pages, 2012_R2 is not supported yet
> on Samba DCs:
> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels
> https://lists.samba.org/archive/samba/2019-June/223643.html
>
> Is there an ETA for support for 2012_R2?
>
> Or, does Azure AD Connect only require that the Schema Level and Preparation
> Level be raised to 2012_R2, but not the Functional Level? (The difference
> between these 3 features is defined in the link below.)
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Overview
>
> If so, what are the consequences of running the Schema Level and Preparation
> Level at different values from the Functional Level (leaving the latter at
> 2008_R2)? It seems like running these at different values wouldn't be a
> recommended configuration.
>
> Moreover, what is the safe and correct way to raise any of these levels?
> According to the following page, using samba-tool is not safe or recommended for
> raising the Functional Level:
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level
>
> Yet it appears the Windows RSAT tool is also not supported:
> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Using_the_Windows_Active_Directory_Domains_and_Trusts_Utility
>
> Thanks for the help on all of these questions!
>
> Andrew
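The UserPrincipalName mapping MJ quotes above, modelled in Python as an added example (not code from the Samba wiki, from MJ's setup, or from Azure AD Connect itself): it evaluates the IIF/IsPresent/Join fallback chain over constructed user records and reports, before the mapping is enabled, which accounts would end up with a UPN different from their on-prem one and which would hit the Error() branch. DOMAIN_FQDN, the dict attribute names and the sample records are assumptions.

```python
"""Model of the Azure AD Connect cloud sync UPN mapping discussed above.

Added example; not the Samba project's, MJ's, or Microsoft's code. Directory
records are plain dicts keyed by the AD attribute names the mapping uses.
"""

DOMAIN_FQDN = "corp.example.com"  # constructed stand-in for %DomainFQDN%


class MappingError(ValueError):
    """Raised where the mapping expression would evaluate Error(...)."""


def azure_upn(user: dict, domain_fqdn: str = DOMAIN_FQDN) -> str:
    """Evaluate:
    IIF(IsPresent([mail]), [mail],
        IIF(IsPresent([sAMAccountName]),
            Join("@", [sAMAccountName], %DomainFQDN%),
            Error("AccountName is not present")))
    IsPresent is modelled as 'attribute set and non-empty'."""
    mail = user.get("mail")
    if mail:
        return mail
    sam = user.get("sAMAccountName")
    if sam:
        return f"{sam}@{domain_fqdn}"
    raise MappingError("AccountName is not present")


def presync_report(users: list) -> dict:
    """Pre-flight check: which accounts would get a new UPN in Azure compared
    with their on-prem userPrincipalName, and which would fail the mapping."""
    changed, errors = [], []
    for u in users:
        try:
            new_upn = azure_upn(u)
        except MappingError:
            errors.append(u.get("distinguishedName", "<no DN>"))
            continue
        if new_upn.lower() != (u.get("userPrincipalName") or "").lower():
            changed.append((u.get("userPrincipalName"), new_upn))
    return {"changed": changed, "errors": errors}


# Constructed sample records: one with mail, one without, one service
# account with neither mail nor sAMAccountName.
SAMPLE_USERS = [
    {"distinguishedName": "CN=alice,OU=Users,DC=corp,DC=example,DC=com",
     "sAMAccountName": "alice", "userPrincipalName": "alice@corp.example.com",
     "mail": "alice.smith@example.com"},
    {"distinguishedName": "CN=bob,OU=Users,DC=corp,DC=example,DC=com",
     "sAMAccountName": "bob", "userPrincipalName": "bob@corp.example.com"},
    {"distinguishedName": "CN=svc,OU=Service,DC=corp,DC=example,DC=com",
     "userPrincipalName": "svc@corp.example.com"},
]

if __name__ == "__main__":
    print(presync_report(SAMPLE_USERS))
```

Running the report against an export of real accounts before switching the mapping shows which users will sign in to Azure under a different name than before, and which would be skipped with "AccountName is not present".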
Andrew Bartlett
2021-Jun-25 10:19 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
On Fri, 2021-06-25 at 12:05 +0200, mj via samba wrote:
> Hi Andrew,
>
> We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it
> worked, but with one exception: the password hashes never synced to
> Azure, plus Samba showed continuous high CPU usage.

BTW, just a reminder that I would love to see this fixed, but it needs some user or a group of users to step forward to a Samba commercial support provider to get this dug into and fixed.

Likewise, if anybody does really have the passwords being synced, please pin down exactly what the specific tweaks needed are.

Per my SambaXP talk, at least for Catalyst we already have any 'spare' or 'upstream undirected development' time we have swamped by a currently overwhelming security maintenance task. Funding for that is also really welcome.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba