mj
2021-Jun-25 10:12 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi Andrew,

We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it worked, but with one exception: the password hashes never synced to Azure, plus Samba showed continuous high CPU usage.

So what I ended up doing: I added a native Windows DC to our AD specifically for Azure AD Connect cloud sync. During cloud sync install, you can point it to that dedicated Windows DC.

I set up firewalling, so that this Windows DC can only be used for that, and regular clients cannot connect to it (as it also does not have a synced SYSVOL).

This has been working quite nicely for a couple of weeks now.

One thing to keep in mind also is that the Azure AD Connect cloud sync also syncs your on-prem UPN to Azure. But you probably want your Azure UPN to match the email address.

To do that, you need to edit (in Azure admin) the mapping for UserPrincipalName to:

> IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@", [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))

We've just completed this all and everything is now working nicely; it's just a pity we had to add a Windows DC to make it all work.

And on the functional level: our Samba AD is:

> root@samdc2:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2

but we have completed the steps in the linked doc (func prep / schemaupgrade).

Two interesting reads on the subject:
https://blog.astashin.com/blog/Bring-em-all-in-p3/
and
https://evotec.xyz/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure/

Ask if you have more questions.

MJ

On 6/24/21 4:40 PM, Andrew Martin via samba wrote:
> Hello,
>
> I am interested in following the instructions here to test out Azure AD Connect
> with local Samba DCs:
> https://wiki.samba.org/index.php/Azure_AD_Sync
>
> Per the above instructions, it looks like the domain functional level needs to
> be raised to 2012_R2, but according to these pages, 2012_R2 is not supported yet
> on Samba DCs:
> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels
> https://lists.samba.org/archive/samba/2019-June/223643.html
>
> Is there an ETA for support for 2012_R2?
>
> Or, does Azure AD Connect only require that the Schema Level and Preparation
> Level be raised to 2012_R2, but not the Functional Level? (the difference
> between these 3 features is defined in the link below)
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Overview
>
> If so, what are the consequences of running the Schema Level and Preparation
> Level at different values from the Functional Level (leaving the latter at
> 2008_R2)? It seems like running these at different values wouldn't be a
> recommended configuration.
>
> Moreover, what is the safe and correct way to raise any of these levels?
> According to the following page, using samba-tool is not safe or recommended for
> raising the Functional Level:
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level
>
> Yet it appears the Windows RSAT tool is also not supported:
> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Using_the_Windows_Active_Directory_Domains_and_Trusts_Utility
>
> Thanks for the help on all of these questions!
>
> Andrew
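The lockdown MJ describes (a Windows DC that only the cloud sync agent and the other DCs may talk to) is, in practice, a Windows Defender Firewall policy on that DC. The following PowerShell is an added example of what such a policy looks like; it is not MJ's actual rule set and nothing here comes from the original thread. The IP addresses, the admin workstation and the English display-group names are assumptions. Two caveats a practitioner should keep in mind: Windows Firewall gives Block rules precedence over Allow rules, so the predefined "from any address" DC rules have to be disabled rather than overridden by a broader Block; and this does nothing to stop the DC from registering its own SRV records, so clients that locate it through DC discovery are simply refused at the firewall rather than kept from finding it.

```powershell
# Added example (not MJ's configuration): restrict a dedicated Windows DC so that
# only the Azure AD Connect cloud sync host and the DCs it replicates with can reach
# its directory services. All addresses below are assumed placeholders.

$SyncHost   = '10.0.0.50'                  # host running the cloud sync agent (assumed)
$PeerDcs    = @('10.0.0.10', '10.0.0.11')  # Samba DCs this DC replicates with (assumed)
$AdminHosts = @('10.0.0.100')              # workstation allowed to RDP in (assumed)
$AdPeers    = @($SyncHost) + $PeerDcs

# Ports a DC exposes to sync agents and replication partners: DNS, Kerberos and
# kpasswd, RPC endpoint mapper plus the dynamic RPC range used by DRS replication,
# LDAP/LDAPS, SMB (SYSVOL/NETLOGON), global catalog, NTP.
$Allow = @(
    @{ Protocol = 'TCP'; LocalPort = '53','88','135','389','445','464','636','3268','3269','49152-65535' },
    @{ Protocol = 'UDP'; LocalPort = '53','88','123','389','464' }
)

# 1. Scoped Allow rules first, so nothing is cut off while the rest is applied.
foreach ($rule in $Allow) {
    New-NetFirewallRule -DisplayName "AD services from sync host and peer DCs ($($rule.Protocol))" `
        -Direction Inbound -Action Allow -Profile Any `
        -Protocol $rule.Protocol -LocalPort $rule.LocalPort -RemoteAddress $AdPeers | Out-Null
}
New-NetFirewallRule -DisplayName 'RDP from admin hosts' -Direction Inbound -Action Allow `
    -Profile Any -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminHosts | Out-Null

# 2. Disable the predefined rule groups that allow the same services from any address.
#    Display-group names are those of an English Windows Server (assumed); verify with
#    Get-NetFirewallRule | Select-Object -ExpandProperty DisplayGroup -Unique
foreach ($group in 'Active Directory Domain Services', 'DNS Service',
                   'Kerberos Key Distribution Center', 'File and Printer Sharing', 'Remote Desktop') {
    Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

# 3. Default-deny inbound on every profile, so regular clients are refused even if
#    they pick this DC up through its SRV records.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 4. Verification: show every remaining inbound Allow rule with its port and source scope.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    $port = ($_ | Get-NetFirewallPortFilter)
    [pscustomobject]@{
        Rule  = $_.DisplayName
        Proto = $port.Protocol
        Port  = ($port.LocalPort -join ',')
        From  = ($addr -join ',')
    }
} | Format-Table -AutoSize
```

Run it on the dedicated DC from a session opened from one of the `$AdminHosts`, and check the verification table for any Allow rule whose `From` column still reads `Any` before trusting the result. Outbound stays at its default (Allow) so the DC can still initiate replication and DNS updates towards the Samba DCs.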
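MJ's UserPrincipalName mapping rewrites the cloud UPN of every synced user at once, so it is worth previewing what it will produce before saving it in the portal. The block below is an added example, not code from the thread or from Microsoft: it re-implements the `IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@", ...), Error(...)))` logic in PowerShell and runs it over a constructed set of users, flagging accounts whose UPN changes, accounts that would hit the `Error()` branch, and two accounts that would collapse onto the same cloud UPN. The sample records and the domain name `samba.company.com` are hypothetical; the `Get-ADUser` call shown in the comment is how real data would be fed in.

```powershell
# Added example (not from the original post): preview the cloud sync UPN mapping
#   IIF(IsPresent([mail]), [mail],
#       IIF(IsPresent([sAMAccountName]), Join("@", [sAMAccountName], %DomainFQDN%),
#           Error("AccountName is not present")))
# for a set of on-prem users before changing it in the Azure admin portal.

function Get-CloudUpn {
    param(
        [Parameter(Mandatory)] $User,                 # object with mail, sAMAccountName, userPrincipalName
        [Parameter(Mandatory)] [string] $DomainFqdn   # stands in for %DomainFQDN%
    )
    # IsPresent() is true when the attribute has a non-empty value.
    if (-not [string]::IsNullOrEmpty($User.mail))           { return $User.mail }
    if (-not [string]::IsNullOrEmpty($User.sAMAccountName)) { return "$($User.sAMAccountName)@$DomainFqdn" }
    throw 'AccountName is not present'                       # the Error() branch
}

function Test-CloudUpnMapping {
    param([object[]] $Users, [string] $DomainFqdn)
    $results = foreach ($u in $Users) {
        try   { $upn = Get-CloudUpn -User $u -DomainFqdn $DomainFqdn; $err = $null }
        catch { $upn = $null; $err = $_.Exception.Message }
        [pscustomobject]@{
            sAMAccountName = $u.sAMAccountName
            OnPremUpn      = $u.userPrincipalName
            CloudUpn       = $upn
            Changes        = ($upn -ne $u.userPrincipalName)
            Error          = $err
        }
    }
    # Two accounts mapping to the same cloud UPN (case-insensitively) would collide in Azure AD.
    $dupes = $results | Where-Object CloudUpn |
        Group-Object { $_.CloudUpn.ToLowerInvariant() } | Where-Object Count -gt 1
    foreach ($d in $dupes) {
        foreach ($r in $d.Group) { $r.Error = "duplicate cloud UPN: $($d.Name)" }
    }
    return $results
}

# Constructed sample records (hypothetical). In production feed the output of:
#   Get-ADUser -Filter * -Properties mail, sAMAccountName, userPrincipalName
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; mail = 'alice@company.com'; userPrincipalName = 'alice@samba.company.com' },
    [pscustomobject]@{ sAMAccountName = 'bob';   mail = $null;               userPrincipalName = 'bob@samba.company.com' },
    [pscustomobject]@{ sAMAccountName = 'carol'; mail = 'Alice@company.com'; userPrincipalName = 'carol@samba.company.com' },
    [pscustomobject]@{ sAMAccountName = $null;   mail = $null;               userPrincipalName = $null }
)

Test-CloudUpnMapping -Users $sample -DomainFqdn 'samba.company.com' | Format-Table -AutoSize
```

In the sample, alice's UPN changes to her mail address, bob keeps his on-prem UPN because he has no mail attribute, carol collides with alice, and the last record hits the `Error()` branch. One further check the script cannot do offline: every UPN suffix the mapping produces (here `company.com`) must be a verified domain in the Azure AD tenant, otherwise Azure AD substitutes the tenant's `onmicrosoft.com` suffix for those users.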
Andrew Martin
2021-Jun-28 17:40 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, June 25, 2021 5:12:51 AM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
>
> [...]

Hi MJ,

Thanks for the information on how you successfully set up Azure AD sync. I have a couple of questions:

* how exactly did you set up firewall rules to block other clients? Did this cause issues, e.g. with DNS records in AD?
* when joining the Windows DC to the domain, did you need to do anything to tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was at 2008_R2 since that's the Functional Level still, so how did you replicate the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?
* any other issues you ran into with turning your pure Samba AD into a hybrid?

Asking the list more generally (but also you too if you know), is the combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for the Functional Level really safe?

Moreover, it seems that only 2003 is required for Azure AD Connect?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

Despite the warning below, is it safe to run "samba-tool domain level raise" if you have already made sure that the Schema Level and Functional Prep have been updated?
https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level

Thanks,

Andrew