mj
2021-Jun-29 09:27 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi Andrew, On 6/28/21 7:40 PM, Andrew Martin wrote:> * how exactly did you setup firewall rules to block other clients? Did this > cause issues, e.g. with DNS records in AD?So far so good: no issues. I put the WINDC on a seperate subnet to be able to firewall it. I also did some local firewalling on the WINDC. I DENY rather than DROP, to avoid having to wait for timeouts. Not a windows guru, but perhaps you could also use the concept of "sites" to seperate the WINDC from your local LAN DCs. Perhaps you could test that, and let us know.> * when joining the Windows DC to the domain, did you need to do anything to > tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was > at 2008_R2 since that's the Functional Level still, so how did you replicate > the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?No, all we did was: samba-tool domain functionalprep --function-level=2012_R2 samba-tool domain schemaupgrade This keeps the functional level at 2008_R2. Then we were able to add a WIN2008R2 DC to the AD domain.> * any other issues you ran into with turning your pure Samba AD into a hybrid?Yes, one. We tried to add a more recent (2012R2) windows DC as well. Never tried 2016 because of warning on the samba wiki. Adding a 2012R2 DC caused problems which I was unable to resolve, namely: The number of objects reported by samba-tool dbcheck kept increasing every few minutes. So after a week of just letting it run/replicate with no client traffic, our total objects had almost doubled. I wrote about that on the list, but no solution. After shutting down the 2012R2 DC, the number of objects stopped increasing. So I decided to continue to use the WIN2008_R2 DC for the time being. Perhaps in the future I will work on this again. I know we should not run a WIN2008 DC. (the strict firewalling is also because of that)> Asking the list more generally (but also you too if you know), is the > combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for > the Functional Level really safe? Moreover, it seems that only 2003 is requiredIt seems to work here for a couple of weeks now.> Despite the warning below, is it safe to run "samba-tool domain level raise" if > you have already made sure that the Schema Level and Functional Prep have been > updated?Would love an answer on that too. Generally it would be nice to see more dialogue on those kinds of subjects, like: mixing windows/samba DCs, functional levels, interacting with azure/O365, etc. MJ
Andrew Martin
2021-Jun-29 15:20 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
----- Original Message -----> From: "mj" <lists at merit.unu.edu> > To: "Andrew Martin" <amartin at xes-inc.com> > Cc: "samba" <samba at lists.samba.org> > Sent: Tuesday, June 29, 2021 4:27:12 AM > Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?> Hi Andrew, > > On 6/28/21 7:40 PM, Andrew Martin wrote: >> * how exactly did you setup firewall rules to block other clients? Did this >> cause issues, e.g. with DNS records in AD? > > So far so good: no issues. I put the WINDC on a seperate subnet to be > able to firewall it. I also did some local firewalling on the WINDC. I > DENY rather than DROP, to avoid having to wait for timeouts. > > Not a windows guru, but perhaps you could also use the concept of > "sites" to seperate the WINDC from your local LAN DCs. Perhaps you could > test that, and let us know. > >> * when joining the Windows DC to the domain, did you need to do anything to >> tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was >> at 2008_R2 since that's the Functional Level still, so how did you replicate >> the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)? > > No, all we did was: > samba-tool domain functionalprep --function-level=2012_R2 > samba-tool domain schemaupgrade > This keeps the functional level at 2008_R2. > > Then we were able to add a WIN2008R2 DC to the AD domain. > >> * any other issues you ran into with turning your pure Samba AD into a hybrid? > > Yes, one. We tried to add a more recent (2012R2) windows DC as well. > Never tried 2016 because of warning on the samba wiki. Adding a 2012R2 > DC caused problems which I was unable to resolve, namely: > The number of objects reported by samba-tool dbcheck kept increasing > every few minutes. So after a week of just letting it run/replicate with > no client traffic, our total objects had almost doubled. I wrote about > that on the list, but no solution. > > After shutting down the 2012R2 DC, the number of objects stopped > increasing. So I decided to continue to use the WIN2008_R2 DC for the > time being. Perhaps in the future I will work on this again. I know we > should not run a WIN2008 DC. (the strict firewalling is also because of > that) > >> Asking the list more generally (but also you too if you know), is the >> combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for >> the Functional Level really safe? Moreover, it seems that only 2003 is required > > It seems to work here for a couple of weeks now. > >> Despite the warning below, is it safe to run "samba-tool domain level raise" if >> you have already made sure that the Schema Level and Functional Prep have been >> updated? > > Would love an answer on that too. > > Generally it would be nice to see more dialogue on those kinds of > subjects, like: mixing windows/samba DCs, functional levels, interacting > with azure/O365, etc. > > MJHi MJ and Ralph, Thanks for the additional information! I went back and read this thread and this bug report: https://www.spinics.net/lists/samba/msg166681.html https://bugzilla.samba.org/show_bug.cgi?id=10635 Is the following correct that there are two different working methods for syncing from Samba to Azure AD with these tradeoffs? * Azure AD Connect Cloud Sync can be used for syncing password hashes and is simpler to setup and doesn't rely on your local DCs being online * Azure AD Connect (old tool) can be used but only in pass-through mode until the above bug is fixed (password hash mode is not reliably working, except maybe with a brand new domain). Moreover, it is a more complex setup and requires a local SQL server, agents running to handle the authentication, etc Does Azure AD Connect Cloud Sync require that it be run on a Windows DC in the domain? MJ, your experience in this thread seems to indicate that it does, but the Samba wiki page seems to say that only a Windows Server 2016 domain member is needed? https://wiki.samba.org/index.php/Azure_AD_Sync Are there any other major pros and cons between the above two methods? Thanks, Andrew