[Samba] Unable to transfer ForestDns/DomainDNS

Jason Waters jason at geeknocity.com
Tue Jul 12 12:07:05 UTC 2016


So you are saying samba-tool domain level raise --forest-level=2008_R2 does
nothing with the schema, just changes the value that is returned when doing
samba-tool domain level show?

If that is the case I think it would be nice to put something like that on
the wiki page about raising the functional level!  I spent a ton of time
trying to go from Windows 2003 directly to Samba.  Granted, I learned a ton
about AD along the way, but I think showing the clear paths to Samba from
Windows would make the transition easier.

So if Samba at some point supports AD's 2012 schema will we need to join
2012 as a DC upgrade, move the FSMO roles to the 2012 machine running the
2008_R2 schema, upgrade the schema and then wait until the changes sync and
then move the FSMO roles back?  Either that or actually upgrade the schema?

Thanks for letting me and the community know.

Jason

On Tue, Jul 12, 2016 at 6:31 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Thu, 2016-07-07 at 16:13 -0400, Jason Waters wrote:
> > So I joined with Samba's internal DNS, then converted to BIND, then
> > tested.  Seems like it was working.  I forced the 2003 machine out,
> > cleaned up the metadata and everything seemed to be working ok.  So I
> > raised the domain level like this
> >
> > samba-tool domain level raise
> > samba-tool domain level raise --domain-level=2008_R2
> > samba-tool domain level raise --forest-level=2008_R2
> >
> > everything shows as 2008_R2
> >
> > so now I think I'm making progress.  I spin up another Linux box, get
> > it ready to join, starts to join, then fails
> >
> > says LDAP error 16 LDAP_NO_SUCH_ATTRIBUTE - <0000200A:
> > objectclass_attrs: attribute 'msDS-SupportedEncryptionTypes' on entry
> > 'CN=DC04,OU=Domain Controllers,DC=example,DC=local' was not found in
> > the schema
> >
> > so I thought well I'm going to try having a Windows 2008 R2 server
> > join as a DC, run dcpromo and it says I need to run /forestprep on the
> > AD.  Well I can't do that now that it is on Linux right?
>
> Correct.  Currently nobody has coded the magic to allow us to upgrade a
> schema in Samba, and dbcheck can't help with that at the moment either.
> The cleanest option would be to do it before joining Samba to the 2003
> domain with the MS tools.  We really should have a minimum schema level
> check on the FL raise code (bugs welcome).
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
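Added example (not part of the thread and not Samba's code): a shell
pre-flight sketch of the "minimum schema level check" mentioned above, to
run before samba-tool domain level raise.  The thresholds are the schema
objectVersion values shipped with Windows Server 2003 (30), 2008 (44) and
2008 R2 (47); the function names, the sample LDIF and feeding it ldbsearch
output are assumptions made for illustration.

```sh
#!/bin/sh
# Input: LDIF of the schema partition head on stdin, for example from
#   ldbsearch -H <path to sam.ldb> -b 'CN=Schema,CN=Configuration,<domain DN>' \
#             -s base objectVersion
# (<...> are placeholders; fill them in for your own DC.)

# Minimum schema objectVersion for each level samba-tool accepts.
min_schema_for_level() {
    case "$1" in
        2003)    echo 30 ;;
        2008)    echo 44 ;;   # first schema that defines msDS-SupportedEncryptionTypes
        2008_R2) echo 47 ;;
        *)       return 1 ;;
    esac
}

# Print the objectVersion value found in the LDIF on stdin; fail if absent.
schema_version_from_ldif() {
    awk -F': *' 'tolower($1) == "objectversion" {
                     sub(/\r$/, "", $2); print $2; found = 1; exit
                 }
                 END { if (!found) exit 1 }'
}

# Return 0 if the raise is safe, 1 if the schema is too old, 2 on bad input.
check_level_raise() {
    target=$1
    need=$(min_schema_for_level "$target") ||
        { echo "unknown level: $target" >&2; return 2; }
    have=$(schema_version_from_ldif) ||
        { echo "objectVersion not found in input" >&2; return 2; }
    case "$have" in
        ''|*[!0-9]*) echo "bad objectVersion: $have" >&2; return 2 ;;
    esac
    if [ "$have" -lt "$need" ]; then
        echo "REFUSE: schema objectVersion $have < $need needed for $target"
        return 1
    fi
    echo "OK: schema objectVersion $have >= $need for $target"
}

# Constructed sample: a forest whose schema is still at the 2003 level.
SAMPLE_LDIF='dn: CN=Schema,CN=Configuration,DC=example,DC=local
objectVersion: 30'
printf '%s\n' "$SAMPLE_LDIF" | check_level_raise 2008_R2 || true
```
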

