Andrew Bartlett
2022-Mar-22 08:32 UTC
[Samba] can windows server 2012 R2 join samba ad directly
I would need to see the logs on the Samba side. Do other changes replicate?

It may just be normal replication issues, check DNS in particular.

Andrew Bartlett

On Tue, 2022-03-22 at 16:25 +0800, Adam Xu via samba wrote:
> Hi Andrew,
>
> I have joined my windows AD to samba AD successfully. But
> when I change one user's password in windows AD, the password was not
> synced to other samba AD DCs.
>
> Is this a compatibility issue?
>
> On 2022/3/19 12:57, Andrew Bartlett via samba wrote:
> > On Sat, 2022-03-19 at 09:24 +0800, Adam Xu via samba wrote:
> > > Hi samba list,
> > >
> > > according to samba wiki,
> > > https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
> > >
> > > Windows server 2012 R2 can't join to samba AD directly. I need to join a
> > > windows server 2018 R2 to samba AD first and then join windows server
> > > 2012 R2 to samba AD.
> > >
> > > but I searched for a document.
> > > https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_add_windows_active_directory.html
> > >
> > > In that document, we can join windows server 2012 R2 to samba directly.
> > >
> > > Which document is more reliable? My samba version is 4.15.6.
> > Why not try it?
> >
> > If it works, update the wiki.
> >
> > It's the weekend, so this is just from memory, but while we did a pile
> > of work on our 'adprep' reimplementation (using the public script files
> > MS published, thanks MS!), to allow this, and before that recommended
> > going via a MS server to run their adprep, Microsoft fixed some bugs we
> > alerted them to.
> >
> > That I understand now allows a join directly.
> >
> > Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT   https://catalyst.net.nz/services/samba

In windows DC, when I ran "repadmin /showrepl", no error occurred.

Some possibly related samba DC errors:

[2022/03/20 11:25:13.940775,  0] ../../source4/dsdb/repl/replicated_objects.c:735(dsdb_replicated_objects_convert)
  dsdb_replicated_objects_convert: Ignoring object outside partition f846aa31-2ee0-4596-8ee2-44be210bfacd DC=ForestDnsZones,DC=ntbaobei,DC=com: WERR_DS_ADD_REPLICA_INHIBITED
[2022/03/20 11:25:13.941671,  0] ../../source4/dsdb/repl/replicated_objects.c:735(dsdb_replicated_objects_convert)
  dsdb_replicated_objects_convert: Ignoring object outside partition 53c67ead-f463-4fe0-b1f0-54259edd1598 DC=DomainDnsZones,DC=ntbaobei,DC=com: WERR_DS_ADD_REPLICA_INHIBITED

On 2022/3/22 16:32, Andrew Bartlett via samba wrote:
> I would need to see the logs on the Samba side. Do other changes
> replicate?
>
> It may just be normal replication issues, check DNS in particular.
>
> Andrew Bartlett
>
> On Tue, 2022-03-22 at 16:25 +0800, Adam Xu via samba wrote:
>> Hi Andrew,
>>
>> I have joined my windows AD to samba AD successfully. But
>> when I change one user's password in windows AD, the password was not
>> synced to other samba AD DCs.
>>
>> Is this a compatibility issue?
>>
>> On 2022/3/19 12:57, Andrew Bartlett via samba wrote:
>>> On Sat, 2022-03-19 at 09:24 +0800, Adam Xu via samba wrote:
>>>> Hi samba list,
>>>>
>>>> according to samba wiki,
>>>> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>>>>
>>>> Windows server 2012 R2 can't join to samba AD directly. I need to join a
>>>> windows server 2018 R2 to samba AD first and then join windows server
>>>> 2012 R2 to samba AD.
>>>>
>>>> but I searched for a document.
>>>> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_add_windows_active_directory.html
>>>>
>>>> In that document, we can join windows server 2012 R2 to samba directly.
>>>>
>>>> Which document is more reliable? My samba version is 4.15.6.
>>> Why not try it?
>>>
>>> If it works, update the wiki.
>>>
>>> It's the weekend, so this is just from memory, but while we did a pile
>>> of work on our 'adprep' reimplementation (using the public script files
>>> MS published, thanks MS!), to allow this, and before that recommended
>>> going via a MS server to run their adprep, Microsoft fixed some bugs we
>>> alerted them to.
>>>
>>> That I understand now allows a join directly.
>>>
>>> Andrew Bartlett
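
The Samba-side log entries quoted in the last message, parsed and grouped by partition, as an added example that is not part of the original thread or of Samba's own code. It assumes the two-line log layout shown in that message (bracketed header, then indented text); the function names are hypothetical.

```python
import re
from collections import Counter

# Log excerpt copied from the message above (header line + indented message line).
SAMPLE_LOG = """\
[2022/03/20 11:25:13.940775,  0] ../../source4/dsdb/repl/replicated_objects.c:735(dsdb_replicated_objects_convert)
  dsdb_replicated_objects_convert: Ignoring object outside partition f846aa31-2ee0-4596-8ee2-44be210bfacd DC=ForestDnsZones,DC=ntbaobei,DC=com: WERR_DS_ADD_REPLICA_INHIBITED
[2022/03/20 11:25:13.941671,  0] ../../source4/dsdb/repl/replicated_objects.c:735(dsdb_replicated_objects_convert)
  dsdb_replicated_objects_convert: Ignoring object outside partition 53c67ead-f463-4fe0-b1f0-54259edd1598 DC=DomainDnsZones,DC=ntbaobei,DC=com: WERR_DS_ADD_REPLICA_INHIBITED
"""

# Assumption: headers look like "[timestamp, level] file:line(function)" as in the excerpt.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
SKIPPED = re.compile(
    r"Ignoring object outside partition (?P<guid>[0-9a-f-]{36}) "
    r"(?P<dn>.+): (?P<werr>WERR_\w+)\s*$"
)

def parse_entries(text):
    """Attach each indented message line to the header line that precedes it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "msg": ""}
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def skipped_objects(entries):
    """Return (timestamp, guid, dn, werr) for each object the replication code ignored."""
    rows = []
    for e in entries:
        m = SKIPPED.search(e["msg"])
        if m and e["func"] == "dsdb_replicated_objects_convert":
            rows.append((e["ts"], m["guid"], m["dn"], m["werr"]))
    return rows

def by_partition(rows):
    """Count ignored objects per DN so the affected naming contexts stand out."""
    return Counter(dn for _, _, dn, _ in rows)

if __name__ == "__main__":
    for dn, n in by_partition(skipped_objects(parse_entries(SAMPLE_LOG))).items():
        print(f"{n:4d}  {dn}")
```

On the excerpt, both entries fall under the ForestDnsZones and DomainDnsZones DNs, which are the DNS application partitions.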