Re: [Samba] Samba 4.5.2, 4.5.3, 4.5.4 as secondary DC to Windows 2008 R2

On Sun, 2017-01-29 at 20:47 +0000, Prof. Dr. Michael Schefczyk via
samba wrote:
> Dear All,
> I am running a two location SOHO network with a Microsoft AD on a
> Windows 2008 R2 server. The only secondary DC is a Microsoft HyperV
> VM running on the same Windows machine. My aim is to become more
> independent from Microsoft products. Nevertheless, I need to upgrade
> my server to Windows 2016 sometime soon - which does not mean that
> the DC level needs to be upgraded to Server 2016 (known to be
> incompatible with Samba).

The major issue at this point relates to the schema.  Your domain
functional level is a different thing to your server functional level,
so you can keep the domain functional level at 2008R2, which is what
Samba has reasonable support for. 

> In parallel, I would like to move the active directory to two
> separate servers (= one per location) running Debian jessie and
> Samba. Based on previous advice via this list, I did compile myself
> and I did try 4.5.2, 4.5.3 and 4.5.4. To gain confidence, I would
> like to run the Windows and Samba DC in parallel for some time (being
> aware that sysvol replication needs to be managed).
> I found it quite doable to set up the Samba 4.5.X servers and let them
> join the Microsoft AD as DC. Running samba-tool drs showrepl on them,
> indicates no relevant issues. Things do run very well for about a
> week, but then replication does fail from the perspective of the
> Microsoft AD. The error indicates that schemas do no longer match
> (original error message in German below).
> So far, I did find no way to avoid this issue. If this stays, this
> setup is just not usable, unfortunately.
> Can someone please point me to a direction other than giving this up
> (at least for the next few versions of Samba)?

At this point what it needs is for a developer to spend some time
digging into the issue.  From your end, it is always worth re-testing
with new versions (4.6 release candidates for example), and if you are
at a larger organisation (because that is where being Windows-free can
really save!), perhaps ask a commercial support vendor to push Samba
over the line in this area.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

