Web lists-archives.com

Re: [Samba] Windows 2019 DC and samba dc




On Tue, 12 Feb 2019 12:21:29 +0100
Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> On 12.02.2019 11:16, Rowland Penny via samba wrote:
> > On Tue, 12 Feb 2019 14:28:44 +0500
> > Шигапов Денис Вильданович via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> I joined the windows 2019 domain, where among the controllers there
> >> is a Samba DC version 4.8.5, and after that the replica stopped
> >> working windows servers <--> samba DC. Upgrading to version 4.9.4
> >> did not help
> >>
> >> Errors:
> >>
> >> ```
> >>
> >> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872,
> >> 0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
> >> фев 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema
> >> load: didn't manage to convert any objects: all 1 remaining of 133
> >> objects failed to convert
> >> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036,
> >> 0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
> >> фев 12 14:15:28 srv-dc01 samba[24637]:
> >> ../source4/dsdb/repl/replicated_objects.c:361:
> >> dsdb_repl_resolve_working_schema() failed:
> >> WERR_INTERNAL_ERRORFailed to create working schema:
> >> WERR_INTERNAL_ERROR
> >>
> >> ```
> >>
> >>
> >>
> > Samba hasn't got to Windows 2016 yet, never mind  2019. You may be
> > able to fix your domain by demoting the Windows 2019 DC. If this
> > doesn't work, stop the Windows 2019 DC and forcibly remove it from
> > the domain with 'samba-tool domain demote
> > --remove-other-dead-server=<THE_2019_DC_SHORTHOSTNAME>
> >
> > I fear that you may have terminally mangled your AD.
> >
> I never had to deal with this but the topic is of interest to me. 
> According to the Samba Wiki (see 1), Samba supports a domain
> functional level of up to 2012_R2 with restrictions, and 2008_R2
> without restrictions. According to Microsoft (see 2), both Win16 and
> Win19 require a minimum domain functional level of 2008_R2. So why is
> it not possible to join a Win19 DC to a Samba domain, or the other
> way round, without negatively affecting the AD?
> 
> If I read on in the Wiki (see 3), it seems that the only version that 
> will work without breaking something is Win Server 2008. One big
> issue seems to be that newer Win Servers expect WMI to work in order
> to join a domain, something that Samba doesn't support so having a
> running 2008 DC is a requirement in order to join Win2012. But the
> bigger issue seems to be that versions 2012+ will break replication
> in any case. Is that all still accurate?
> 
> By the way, the main reason this topic interests me is because more
> and more businesses I work with are using or plan to introduce MS
> Office 365. When talking about a very small user base (<10) it's fine
> to manage O365 separately from the AD but with bigger ones there
> clearly are benefits of syncing on-premise AD with Azure/O365.
> Currently, this only seems possible from Win DCs (please do correct
> me if this information is not accurate) which is why it may become
> necessary to install one. However, with version 2008 approaching EOL,
> this may become a critical issue.
> 
> (1) https://wiki.samba.org/index.php/Raising_the_Functional_Levels
> (2) 
> https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
> (3) 
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
> 
> Viktor
> 
> 

It is all down to the schema version support, Samba supports version 47
and experimentally version 69, more info here:

https://wiki.samba.org/index.php/AD_Schema_Version_Support

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba