[PATCH] Functional level preparation for 2012 R2

Garming Sam garming at catalyst.net.nz
Fri Dec 15 03:43:42 UTC 2017


Hi,

On top of the Windows 2012 schema work, I have been working to try and get
the functional preparation required to actually upgrade the functional
level. By performing these actions, we should finally be able to join a
Windows 2012 R2 DC to a Samba-only domain. The key part to getting past
the join is actually only the revision field, however, I quickly found
that spoofing the figure alone resulted in a blue screen upon reboot due
to a missing object.

Fortunately, there is open documentation on the differences and using
them I generate all the objects required, in particular the claims
related objects which are used in the new Kerberos features.

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/RODC/Forest-Wide-Updates.md

I've added a new functionalprep command to 'samba-tool domain' in order
to apply these changes. This is currently experimental and has to be
done as a separate step after you have provisioned with 2012 R2 schema
(or run the new experimental schemaupgrade command which has also been
added recently). There are a few little issues that need to be sorted
out before it can be made the default and apply to all provisions, but
it should happen eventually.

During this work, I've found far more strange divergences and minor
quirks and annoyances than I'd ever like to fully go into in detail.
Things we clearly did wrong. Things Microsoft clearly did wrong (which
were not noticeably fewer in proportion as I would have expected).
Hopefully in the future, a similar upgrade should all be much smoother
and easier. The 2016 documentation necessary appears to all be residing
in their Github repository and 2016 should not take nearly as much
effort (if or when that needs to be done).


Patches are on the Catalyst git repo:

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/garming-2012-FL-ready

Any thoughts welcome. I'm currently running some tests of the branch.
Assuming there aren't any issues spotted, this should hopefully be going
upstream in the next week or so.


Cheers,

Garming


