Dr. Hansjörg Maurer
2021-Jul-08 10:45 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Hi

On 29.06.21 at 19:14, ralph strebbing via samba wrote:
>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>> Member also or does it require running on a DC too (or only if you want to do
>> two-way password sync)?
> I did have the new tool working, but couldn't get password-hash syncs
> to work or rather update after the initial sync. And this was
> following the Samba wiki without deviation.

I can confirm that a password changed on the samba-ad was synched to azure (azure logs below).

We created the wiki page you mention and we retested it right now again.

"DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
"2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
"2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"

The Azure AD Connect Cloud Sync runs on a member server (no DC).

We did a

samba-tool domain functionalprep --function-level=2012_R2

and the user who performs the sync is a member of the Enterprise Admins group.

If a password is changed in azure, the sync back does not work and the passwords differ.

If you change it again in samba-ad, it is synched again to azure.

Best Regards

Hansjörg

>
>> Did you set up the "old" tool on 3 different Domain Members as the docs
>> recommend for redundancy? If so, was the setup process easier on the subsequent
>> two ( all of the settings had already been configured on the first instance)?
> I did not, I'm just running this on one Windows Server 2019 VM in our cluster.
>
> Regards,
> Ralph
>

--
Dr. Hansjörg Maurer
itsystems Deutschland AG
Erzgießereistr. 22
80335 München
Tel: +49-89-52 04 68-41
Fax: +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web: http://www.itsd.de
Amtsgericht München HRB 132146
USt-IdNr. DE 812991301
Steuer-Nr. 143/100/81575
Aufsichtsratsvorsitzender: Stefan Adam
Vorstand: Dr. Michael Krocka
Dr. Hansjörg Maurer
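A defender-side check for the sync health discussed in this message, as an added example that is not part of the original post and not Samba's or Microsoft's tooling: it parses an export in the provisioning-log CSV layout quoted above, separates AD2AADProvisioning from AD2AADPasswordHash events by the prefix of the JobId column, and reports provisioned users whose last successful password-hash sync is missing or older than a chosen window, together with any failed password-hash events. The sample rows, the tenant and job IDs, the user names, the error code and the reference time are all constructed placeholders.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the Azure AD provisioning log
# CSV quoted in the thread. Every ID, name and error code below is a
# placeholder, not a value from any real tenant.
SAMPLE_CSV = (
    '"DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)",'
    '"ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName",'
    '"InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason",'
    '"StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction",'
    '"SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName",'
    '"SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId",'
    '"TargetIdentityName","TargetIdentityType"\n'
    # user-a: provisioning and password-hash sync both succeeded recently
    '"2021-07-08T10:21:47Z","TENANT-PLACEHOLDER","AD2AADProvisioning.TENANT.JOB-1",'
    '"cycle-1","change-1","Update","234","sp-1","example.lan","",'
    '"Azure AD Provisioning Service","system","success","","","","","",'
    '"src-1","Active Directory","tgt-1","Azure Active Directory",'
    '"user-a","","user","aad-a","Alice Example","User"\n'
    '"2021-07-08T10:20:27Z","TENANT-PLACEHOLDER","AD2AADPasswordHash.TENANT.JOB-1",'
    '"cycle-2","change-2","Update","359","sp-1","example.lan","",'
    '"Azure AD Provisioning Service","system","success","","","","","",'
    '"src-2","Active Directory","tgt-2","Azure Active Directory",'
    '"user-a","","user","aad-a","Alice Example","User"\n'
    # user-b: provisioned, but the only password-hash event failed a week ago
    '"2021-07-01T08:00:00Z","TENANT-PLACEHOLDER","AD2AADProvisioning.TENANT.JOB-1",'
    '"cycle-3","change-3","Update","200","sp-1","example.lan","",'
    '"Azure AD Provisioning Service","system","success","","","","","",'
    '"src-1","Active Directory","tgt-1","Azure Active Directory",'
    '"user-b","","user","aad-b","Bob Example","User"\n'
    '"2021-07-01T08:01:00Z","TENANT-PLACEHOLDER","AD2AADPasswordHash.TENANT.JOB-1",'
    '"cycle-4","change-4","Update","410","sp-1","example.lan","",'
    '"Azure AD Provisioning Service","system","failure","ERR-PLACEHOLDER",'
    '"placeholder reason","","","",'
    '"src-2","Active Directory","tgt-2","Azure Active Directory",'
    '"user-b","","user","aad-b","Bob Example","User"\n'
)


def parse_log(text):
    """Parse the CSV export. Each row gets a parsed UTC timestamp and the
    job type, which is the prefix of JobId (e.g. AD2AADPasswordHash)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_time"] = datetime.strptime(
            row["DateTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        row["_job_type"] = row["JobId"].split(".", 1)[0]
        rows.append(row)
    return rows


def latest_success(rows, job_type):
    """Map TargetIdentityName -> time of the newest successful event of job_type."""
    latest = {}
    for r in rows:
        if r["_job_type"] != job_type or r["StatusInfoStatus"] != "success":
            continue
        name = r["TargetIdentityName"]
        if name not in latest or r["_time"] > latest[name]:
            latest[name] = r["_time"]
    return latest


def password_hash_sync_report(text, now, max_age):
    """Return (stale, failures): provisioned users whose last successful
    AD2AADPasswordHash event is missing or older than max_age, and every
    failed password-hash event as (time, user, error code)."""
    rows = parse_log(text)
    provisioned = latest_success(rows, "AD2AADProvisioning")
    hashed = latest_success(rows, "AD2AADPasswordHash")
    stale = sorted(
        name for name in provisioned
        if name not in hashed or now - hashed[name] > max_age
    )
    failures = [
        (r["_time"].isoformat(), r["TargetIdentityName"], r["StatusInfoErrorCode"])
        for r in rows
        if r["_job_type"] == "AD2AADPasswordHash" and r["StatusInfoStatus"] != "success"
    ]
    return stale, failures


def run_sample():
    """Run the report over the constructed sample with an assumed reference time."""
    now = datetime(2021, 7, 9, tzinfo=timezone.utc)  # constructed, not the real clock
    return password_hash_sync_report(SAMPLE_CSV, now, timedelta(days=1))


if __name__ == "__main__":
    stale, failures = run_sample()
    print("users without a recent successful password-hash sync:", stale)
    for when, who, code in failures:
        print(f"failed password-hash event at {when} for {who}: {code}")
```

Splitting the JobId prefix is what lets the check tell a plain attribute update apart from a password-hash update for the same user; a user who only ever shows AD2AADProvisioning successes has not had a hash synced at all, which is the case the thread's "passwords differ" observation would surface.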
Andrew Martin
2021-Jul-12 18:06 UTC
[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Thursday, July 8, 2021 5:45:19 AM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

> Hi
>
> On 29.06.21 at 19:14, ralph strebbing via samba wrote:
>>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>>> Member also or does it require running on a DC too (or only if you want to do
>>> two-way password sync)?
>> I did have the new tool working, but couldn't get password-hash syncs
>> to work or rather update after the initial sync. And this was
>> following the Samba wiki without deviation.
> I can confirm that a password changed on the samba-ad was synched to
> azure (azure logs below)
>
> We created the wiki page you mention and we retested it right now again.
>
> "DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
> "2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
> "2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
>
> The Azure AD Connect Cloud Sync runs on a member server (no DC)
> We did a
>
> samba-tool domain functionalprep --function-level=2012_R2
>
> and the user who performs the sync is a member of the Enterprise Admins group
>
> If a password is changed in azure, the sync back does not work and the
> passwords differ.
>
> If you change it again in samba-ad, it is synched again to azure
>
> Best Regards
>
> Hansjörg
>

Hi Hansjörg,

Great, thank you for the clarification. I hope to test this out on a domain member server soon as well; I'll reach back out to the list if I run into problems with the sync.

Andrew