Re: [Samba] Windows 2019 DC and samba dc

On 12.02.2019 11:16, Rowland Penny via samba wrote:
On Tue, 12 Feb 2019 14:28:44 +0500
Шигапов Денис Вильданович via samba <samba@xxxxxxxxxxxxxxx> wrote:

I joined the Windows 2019 domain, where among the controllers there
is a Samba DC, version 4.8.5, and after that replication stopped
working between the Windows servers <--> Samba DC. Upgrading to version 4.9.4 did
not help.



фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872,  0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
фев 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load: didn't manage to convert any objects: all 1 remaining of 133 objects failed to convert
фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036,  0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
фев 12 14:15:28 srv-dc01 samba[24637]:   dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERRORFailed to create working schema: WERR_INTERNAL_ERROR


Samba hasn't got to Windows 2016 yet, never mind 2019. You may be able
to fix your domain by demoting the Windows 2019 DC. If this doesn't
work, stop the Windows 2019 DC and forcibly remove it from the domain
with 'samba-tool domain demote

I fear that you may have terminally mangled your AD.

I never had to deal with this but the topic is of interest to me. According to the Samba Wiki (see 1), Samba supports a domain functional level of up to 2012_R2 with restrictions, and 2008_R2 without restrictions. According to Microsoft (see 2), both Win16 and Win19 require a minimum domain functional level of 2008_R2. So why is it not possible to join a Win19 DC to a Samba domain, or the other way round, without negatively affecting the AD?

If I read on in the Wiki (see 3), it seems that the only version that will work without breaking something is Win Server 2008. One big issue seems to be that newer Win Servers expect WMI to work in order to join a domain, something that Samba doesn't support, so having a running 2008 DC is a requirement in order to join Win2012. But the bigger issue seems to be that versions 2012+ will break replication in any case. Is that all still accurate?

By the way, the main reason this topic interests me is that more and more businesses I work with are using or plan to introduce MS Office 365. When talking about a very small user base (<10) it's fine to manage O365 separately from the AD, but with bigger ones there are clearly benefits to syncing the on-premises AD with Azure/O365. Currently, this only seems possible from Win DCs (please do correct me if this information is not accurate), which is why it may become necessary to install one. However, with version 2008 approaching EOL, this may become a critical issue.

(1) https://wiki.samba.org/index.php/Raising_the_Functional_Levels
(2) https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
(3) https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
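The failure quoted at the top of this thread only surfaced because someone looked at the journal by hand. As an added example (not code from the thread or from the Samba project), the script below parses Samba DC log lines in the journald-prefixed form shown above, reassembles each "[timestamp, level] file:line(function)" header with the indented message lines that follow it, and flags level-0 entries that mention a schema load, the working schema, replication, or a WERR_ code, so a monitoring job can raise an alert as soon as replication with another DC breaks. The sample lines are constructed from the quoted log with the mail wrapping undone; the fused "WERR_INTERNAL_ERRORFailed ..." text is kept as-is because Samba really does emit it that way, and the code-extraction regex is written to cope with it. Function and class names are my own, not Samba's.

```python
"""Parse journald-wrapped Samba DC log lines and flag replication/schema failures.

Added example for this thread, not Samba project code. It assumes the format
seen in the quoted log: a journald prefix ("<mon> <day> <time> <host> samba[<pid>]: "),
then Samba's "[YYYY/MM/DD HH:MM:SS.ffffff, <level>] <file>:<line>(<function>)"
header followed by one or more indented message lines.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: the lines quoted in this thread, re-joined where the
# mail client wrapped them. Not a live log.
SAMPLE_LOG = """\
фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872,  0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
фев 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load: didn't manage to convert any objects: all 1 remaining of 133 objects failed to convert
фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036,  0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
фев 12 14:15:28 srv-dc01 samba[24637]:   dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERRORFailed to create working schema: WERR_INTERNAL_ERROR
"""

# journald prefix; the month is whatever the system locale prints (here Russian "фев").
JOURNAL_RE = re.compile(
    r"^(?P<mon>\S+)\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]:\s?(?P<rest>.*)$"
)
# Samba's own header line: "[timestamp, level] file:line(function)".
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>[^)]*)\)\s*$"
)
# WERR_ codes. The lookahead stops the match before an "Uppercase+lowercase" run so
# that the fused "WERR_INTERNAL_ERRORFailed ..." still yields WERR_INTERNAL_ERROR.
WERR_RE = re.compile(r"\bWERR_[A-Z0-9_]+?(?=[A-Z][a-z]|[^A-Z0-9_]|$)")

# Phrases (lower-cased) that mark the replication / schema-load code path.
REPL_MARKERS = ("schema load", "working schema", "replicat")


@dataclass
class SambaLogEntry:
    timestamp: str
    level: int
    source_file: str
    source_line: int
    function: str
    host: str
    pid: int
    messages: List[str] = field(default_factory=list)

    @property
    def text(self) -> str:
        return " ".join(self.messages)

    @property
    def error_codes(self) -> List[str]:
        """Distinct WERR_ codes in this entry, in order of first appearance."""
        seen: List[str] = []
        for code in WERR_RE.findall(self.text):
            if code not in seen:
                seen.append(code)
        return seen


def parse_samba_journal(log: str) -> List[SambaLogEntry]:
    """Group journald lines into Samba log entries (header + its message lines)."""
    entries: List[SambaLogEntry] = []
    current = None
    for raw in log.splitlines():
        m = JOURNAL_RE.match(raw)
        if not m:
            continue  # not a journald line in the expected shape; ignore it
        rest = m.group("rest")
        h = HEADER_RE.match(rest)
        if h:
            current = SambaLogEntry(
                timestamp=h.group("ts"), level=int(h.group("level")),
                source_file=h.group("file"), source_line=int(h.group("line")),
                function=h.group("func"), host=m.group("host"), pid=int(m.group("pid")),
            )
            entries.append(current)
        elif current is not None and rest.strip():
            current.messages.append(rest.strip())  # indented continuation line
    return entries


def find_replication_failures(entries: List[SambaLogEntry], max_level: int = 0) -> List[SambaLogEntry]:
    """Entries at or below max_level that carry a WERR_ code or a replication marker."""
    findings = []
    for e in entries:
        if e.level > max_level:
            continue
        text = e.text.lower()
        if e.error_codes or any(marker in text for marker in REPL_MARKERS):
            findings.append(e)
    return findings


def summarise(findings: List[SambaLogEntry]) -> List[str]:
    """One alert line per finding, suitable for a ticket or a pager message."""
    lines = []
    for e in findings:
        codes = ", ".join(e.error_codes) or "no WERR code"
        lines.append(f"{e.timestamp} {e.host} samba[{e.pid}] {e.function} "
                     f"({e.source_file}:{e.source_line}): {codes}")
    return lines


if __name__ == "__main__":
    for line in summarise(find_replication_failures(parse_samba_journal(SAMPLE_LOG))):
        print(line)
```

The parser only keys on level 0 by default because Samba writes these replication failures at that level regardless of the configured log level; raise `max_level` if your DCs run with `log level` set higher and you want to see the DRS debug chatter as well.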
