Andrew Martin
2021-Jun-28 17:40 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, June 25, 2021 5:12:51 AM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
>
> Hi Andrew,
>
> We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it
> worked, but with one exception: the password hashes never synced to
> Azure, plus Samba showed continuous high CPU usage.
>
> So what I ended up doing: I added a native Windows DC to our AD
> specifically for Azure AD Connect cloud sync. During cloud sync install,
> you can point it to that dedicated Windows DC.
>
> I set up firewalling so that this Windows DC can only be used for that,
> and regular clients cannot connect to it (as it also does not have a
> synced sysvol).
>
> This has been working quite nicely for a couple of weeks now.
>
> One thing to keep in mind also is that the Azure AD Connect cloud sync
> also syncs your on-prem UPN to Azure. But you probably want your Azure
> UPN to match the email address.
>
> To do that, you need to edit (in the Azure admin portal) the mapping for
> UserPrincipalName to:
>
>> IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@",
>> [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))
>
> We've just completed this all and everything is now working nicely; it's
> just a pity we had to add a Windows DC to make it all work.
>
> And on the functional level, our Samba AD is:
>
>> root at samdc2:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>>
>> Forest function level: (Windows) 2008 R2
>> Domain function level: (Windows) 2008 R2
>> Lowest function level of a DC: (Windows) 2008 R2
>
> but we have completed the steps in the linked doc (func prep /
> schemaupgrade).
>
> Two interesting reads on the subject:
> https://blog.astashin.com/blog/Bring-em-all-in-p3/
> and
> https://evotec.xyz/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure/
>
> Ask if you have more questions.
>
> MJ
>
>
> On 6/24/21 4:40 PM, Andrew Martin via samba wrote:
>> Hello,
>>
>> I am interested in following the instructions here to test out Azure AD Connect
>> with local Samba DCs:
>> https://wiki.samba.org/index.php/Azure_AD_Sync
>>
>> Per the above instructions, it looks like the domain functional level needs to
>> be raised to 2012_R2, but according to these pages, 2012_R2 is not supported yet
>> on Samba DCs:
>> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels
>> https://lists.samba.org/archive/samba/2019-June/223643.html
>>
>> Is there an ETA for support for 2012_R2?
>>
>> Or, does Azure AD Connect only require that the Schema Level and Preparation
>> Level be raised to 2012_R2, but not the Functional Level? (The difference
>> between these three features is defined in the link below.)
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Overview
>>
>> If so, what are the consequences of running the Schema Level and Preparation
>> Level at different values from the Functional Level (leaving the latter at
>> 2008_R2)? It seems like running these at different values wouldn't be a
>> recommended configuration.
>>
>> Moreover, what is the safe and correct way to raise any of these levels?
>> According to the following page, using samba-tool is not safe or recommended for
>> raising the Functional Level:
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level
>>
>> Yet it appears the Windows RSAT tool is also not supported:
>> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Using_the_Windows_Active_Directory_Domains_and_Trusts_Utility
>>
>> Thanks for the help on all of these questions!
>>
>> Andrew
>>

Hi MJ,

Thanks for the information on how you successfully set up Azure AD sync. I have a couple of questions:

* How exactly did you set up firewall rules to block other clients? Did this cause issues, e.g. with DNS records in AD?
* When joining the Windows DC to the domain, did you need to do anything to tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was at 2008_R2 since that's the Functional Level still, so how did you replicate the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?
* Any other issues you ran into with turning your pure Samba AD into a hybrid?

Asking the list more generally (but also you too if you know), is the combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for the Functional Level really safe? Moreover, it seems that only 2003 is required for Azure AD Connect?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

Despite the warning below, is it safe to run "samba-tool domain level raise" if you have already made sure that the Schema Level and Functional Prep have been updated?
https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level

Thanks,

Andrew
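The UserPrincipalName mapping MJ quotes above decides which cloud identity every on-prem account ends up with, so it is worth dry-running it against an export of your users before the first sync. The following is an added example written for this thread, not code from the posts or from Samba or Microsoft: it re-implements the IIF/IsPresent/Join/Error semantics of that sync-rule expression in Python and, on top of the bare mapping, flags two things the expression itself cannot (a UPN suffix that is not a verified domain in the tenant, and two accounts that would collide on the same UPN). The user records, the domain FQDN and the list of verified domains are constructed sample data; the `preview` and `map_upn` names are this example's own.

```python
"""Dry-run of the Azure AD Connect UserPrincipalName mapping expression:

    IIF(IsPresent([mail]), [mail],
        IIF(IsPresent([sAMAccountName]),
            Join("@", [sAMAccountName], %DomainFQDN%),
            Error("AccountName is not present")))

Added example for this thread (not code from the posts or from Samba/Microsoft).
All sample data below is constructed.
"""


class MappingError(Exception):
    """Mirrors the Error(...) function in the sync-rule expression."""


def is_present(value) -> bool:
    # IsPresent() is true for a non-null, non-empty attribute.
    # Assumption: a whitespace-only string is treated as absent as well.
    return value is not None and str(value).strip() != ""


def map_upn(user: dict, domain_fqdn: str) -> str:
    """Apply the quoted expression to one user record (a dict of AD attributes)."""
    mail = user.get("mail")
    sam = user.get("sAMAccountName")
    if is_present(mail):
        return mail
    if is_present(sam):
        return "@".join([sam, domain_fqdn])      # Join("@", [sAMAccountName], %DomainFQDN%)
    raise MappingError("AccountName is not present")


def preview(users, domain_fqdn, verified_domains):
    """Run the mapping over all users without touching Azure.

    Returns a dict with:
      upns:     {distinguishedName: resulting UPN}
      errors:   {distinguishedName: message} where the rule would raise Error()
      warnings: findings that the rule itself does not catch
    """
    upns, errors, warnings = {}, {}, []
    seen = {}                                   # lower-cased UPN -> first DN using it
    verified = {d.lower() for d in verified_domains}
    for user in users:
        dn = user["distinguishedName"]
        try:
            upn = map_upn(user, domain_fqdn)
        except MappingError as exc:
            errors[dn] = str(exc)
            continue
        upns[dn] = upn
        # Azure AD only accepts UPN suffixes that are verified in the tenant.
        suffix = upn.rsplit("@", 1)[-1].lower()
        if suffix not in verified:
            warnings.append(f"{dn}: UPN suffix '{suffix}' is not a verified Azure AD domain")
        # Two accounts mapping to the same UPN would not both sync cleanly.
        key = upn.lower()
        if key in seen:
            warnings.append(f"{dn}: UPN '{upn}' collides with {seen[key]}")
        else:
            seen[key] = dn
    return {"upns": upns, "errors": errors, "warnings": warnings}


# Constructed sample data; the FQDN follows the DC=samba,DC=company,DC=com naming in the thread.
SAMPLE_DOMAIN_FQDN = "samba.company.com"
SAMPLE_VERIFIED_DOMAINS = ["company.com"]
SAMPLE_USERS = [
    {"distinguishedName": "CN=alice,CN=Users,DC=samba,DC=company,DC=com",
     "sAMAccountName": "alice", "mail": "alice@company.com"},
    # No mailbox: falls through to sAMAccountName@DomainFQDN, an unverified suffix.
    {"distinguishedName": "CN=bob,CN=Users,DC=samba,DC=company,DC=com",
     "sAMAccountName": "bob", "mail": ""},
    # mail differs from alice's only by case: collides on the same UPN.
    {"distinguishedName": "CN=alice2,CN=Users,DC=samba,DC=company,DC=com",
     "sAMAccountName": "alice2", "mail": "Alice@Company.com"},
    # Neither attribute present: the expression raises Error().
    {"distinguishedName": "CN=orphan,CN=Users,DC=samba,DC=company,DC=com",
     "mail": None},
]


if __name__ == "__main__":
    result = preview(SAMPLE_USERS, SAMPLE_DOMAIN_FQDN, SAMPLE_VERIFIED_DOMAINS)
    for dn, upn in result["upns"].items():
        print(f"OK     {dn} -> {upn}")
    for dn, msg in result["errors"].items():
        print(f"ERROR  {dn}: {msg}")
    for line in result["warnings"]:
        print(f"WARN   {line}")
```

Feeding it a real export (for example the output of `samba-tool user list` combined with an `ldbsearch` for mail and sAMAccountName) is left to the reader; the point is that every account that would hit `Error(...)`, land on an unverified suffix, or collide with another account is visible before the cloud sync is enabled rather than as a sync failure afterwards.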
mj
2021-Jun-29 09:27 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi Andrew,

On 6/28/21 7:40 PM, Andrew Martin wrote:
> * how exactly did you setup firewall rules to block other clients? Did this
> cause issues, e.g. with DNS records in AD?

So far so good: no issues. I put the WINDC on a separate subnet to be able to firewall it. I also did some local firewalling on the WINDC. I DENY rather than DROP, to avoid having to wait for timeouts.

Not a Windows guru, but perhaps you could also use the concept of "sites" to separate the WINDC from your local LAN DCs. Perhaps you could test that, and let us know.

> * when joining the Windows DC to the domain, did you need to do anything to
> tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was
> at 2008_R2 since that's the Functional Level still, so how did you replicate
> the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?

No, all we did was:

    samba-tool domain functionalprep --function-level=2012_R2
    samba-tool domain schemaupgrade

This keeps the functional level at 2008_R2. Then we were able to add a WIN2008R2 DC to the AD domain.

> * any other issues you ran into with turning your pure Samba AD into a hybrid?

Yes, one. We tried to add a more recent (2012R2) Windows DC as well. Never tried 2016 because of the warning on the Samba wiki. Adding a 2012R2 DC caused problems which I was unable to resolve, namely: the number of objects reported by samba-tool dbcheck kept increasing every few minutes. So after a week of just letting it run/replicate with no client traffic, our total objects had almost doubled. I wrote about that on the list, but no solution.

After shutting down the 2012R2 DC, the number of objects stopped increasing. So I decided to continue to use the WIN2008_R2 DC for the time being. Perhaps in the future I will work on this again. I know we should not run a WIN2008 DC. (The strict firewalling is also because of that.)

> Asking the list more generally (but also you too if you know), is the
> combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for
> the Functional Level really safe? Moreover, it seems that only 2003 is required

It seems to work here for a couple of weeks now.

> Despite the warning below, is it safe to run "samba-tool domain level raise" if
> you have already made sure that the Schema Level and Functional Prep have been
> updated?

Would love an answer on that too.

Generally it would be nice to see more dialogue on those kinds of subjects, like: mixing Windows/Samba DCs, functional levels, interacting with Azure/O365, etc.

MJ
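MJ noticed the runaway replication only because the object count from `samba-tool dbcheck` kept climbing; that is the kind of drift worth watching automatically whenever a Windows DC is joined to a Samba domain. Below is an added example (not code from the posts or from Samba) that parses the count out of dbcheck output and raises an alert when it grows beyond a threshold over a sliding window of runs. It assumes dbcheck finishes with a summary line of the form `Checked N objects (M errors)`; if your Samba version prints something different, adjust `SUMMARY_RE`. The `parse_object_count`, `should_alert` and `watch` names are this example's own, and the sample output is constructed.

```python
"""Watch samba-tool dbcheck object counts for the kind of unexplained growth
described in the thread. Added example, not code from the posts or from Samba.

Assumption: dbcheck ends with a line like "Checked 3498 objects (0 errors)".
"""
import re
import subprocess
import time
from collections import deque

SUMMARY_RE = re.compile(r"Checked (\d+) objects \((\d+) errors\)")


def parse_object_count(output: str):
    """Return (objects, errors) from the last summary line, or None if absent."""
    last = None
    for match in SUMMARY_RE.finditer(output):
        last = match
    if last is None:
        return None
    return int(last.group(1)), int(last.group(2))


def growth_ratio(history) -> float:
    """Newest count divided by oldest count in the window (1.0 if flat or unknown)."""
    if len(history) < 2 or history[0] == 0:
        return 1.0
    return history[-1] / history[0]


def should_alert(history, max_ratio: float = 1.05) -> bool:
    """True when the object count grew by more than max_ratio across the window.

    A domain with no client traffic should stay flat between runs; a count that
    nearly doubles in a week, as MJ described, trips this within a few runs.
    """
    return growth_ratio(history) > max_ratio


def run_dbcheck() -> str:
    """Run the real tool. Must be executed on a Samba DC with the right privileges."""
    proc = subprocess.run(["samba-tool", "dbcheck"], capture_output=True, text=True)
    return proc.stdout


def watch(interval_s: int = 600, window: int = 12, runner=run_dbcheck):
    """Poll dbcheck every interval_s seconds and print an alert on sustained growth."""
    history = deque(maxlen=window)
    while True:
        parsed = parse_object_count(runner())
        if parsed is not None:
            objects, errors = parsed
            history.append(objects)
            if should_alert(list(history)):
                print(f"ALERT: object count went {history[0]} -> {history[-1]} "
                      f"over the last {len(history)} runs ({errors} dbcheck errors)")
        time.sleep(interval_s)


# Constructed sample output, in the assumed summary-line format.
CONSTRUCTED_OUTPUT = "Checking 3498 objects\nChecked 3498 objects (0 errors)\n"


if __name__ == "__main__":
    print(parse_object_count(CONSTRUCTED_OUTPUT))   # parses the constructed sample
    # On a DC: watch() polls the real tool until interrupted.
```

Run `watch()` from a cron-less loop or a systemd service on one DC; because dbcheck itself can take minutes on a large directory, keep the interval well above its runtime, and compare the alert timeline with when a new DC was joined so the cause is obvious rather than inferred a week later.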