[Samba] Is it possible to lower the domain and forest functional level

Denis Cardon dcardon at tranquil.it
Thu Feb 15 17:50:48 UTC 2018


Hi Christophe,

> I checked that all the attributes and objectClasses defined in
> /usr/share/samba/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
> and /usr/share/samba/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt
> exist in my Samba 4 LDAP.
> Nothing is missing.
> Can you give me some input on how to "recreate a Samba 4.7 domain with same SID by piping in all the objects"?

You create a new domain with the same SID. Then you use python-ldap to 
recreate the objects with the same attributes, python-ldb to fix the RIDs, 
and pdbedit to re-inject the NTLM hashes (that will also recreate the 
RC4-HMAC Kerberos hashes). The best documentation for all this is still 
the Samba source code itself.

Cheers,

Denis

> ---------------------------------------------
> Christophe Borivant
> IT Operations Manager
> +33 5 62 20 71 71 (ext. 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Original message -----
> From: "samba" <samba at lists.samba.org>
> Cc: "samba" <samba at lists.samba.org>, "Denis Cardon" <dcardon at tranquil.it>
> Sent: Wednesday 14 February 2018 17:11:02
> Subject: Re: [Samba] Is it possible to lower the domain and forest functional level
>
> OK, I did the test of joining a new Samba 4.7.5 as a domain controller.
> Unfortunately we have the exact same error using dcpromo!
> So now I need help to "recreate a Samba 4.7 domain with same SID by piping in all the objects".
>
> ---------------------------------------------
> Christophe Borivant
> IT Operations Manager
> +33 5 62 20 71 71 (ext. 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Original message -----
> From: "samba" <samba at lists.samba.org>
> To: "Denis Cardon" <dcardon at tranquil.it>
> Cc: "samba" <samba at lists.samba.org>
> Sent: Wednesday 14 February 2018 14:11:53
> Subject: Re: [Samba] Is it possible to lower the domain and forest functional level
>
> Hi Denis,
>
> We are using the latest version of SharePoint.
> samba-tool domain level show:
> Domain and forest function level for domain 'DC=removed,DC=com'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
>
> I did not have to change the revision attributes by hand.
>
> I think the MSAD2K3 was an upgrade from MSAD2K.
>
> We did not do anything with partitions. So everything has been set up by default.
>
> I'm going to try to join another Samba 4.7.5 DC and switch all the FSMO roles.
>
> If needed, I'll need assistance to "recreate a Samba 4.7 domain with same SID by piping in all the objects".
>
> Thanks for your input, let's see how it goes with another Samba 4.7 DC.
>
> ---------------------------------------------
> Christophe Borivant
> IT Operations Manager
> +33 5 62 20 71 71 (ext. 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Original message -----
> From: "Denis Cardon" <dcardon at tranquil.it>
> To: "Christophe BORIVANT" <cborivant at devinlec.com>
> Cc: "samba" <samba at lists.samba.org>
> Sent: Wednesday 14 February 2018 12:52:04
> Subject: Re: [Samba] Is it possible to lower the domain and forest functional level
>
> Hi Christophe,
>
>> I don't know exactly, but there were problems with indexes ( as the user said ).
>
> Since you have issues with your domain, perhaps fixing your domain would
> fix the SharePoint compatibility. What version of SharePoint are you
> trying to integrate?
>
>> We did not try with the current release and our manager wants to go back to Microsoft :-(
>> Our samba version is 4.7.5.
>
> What do you get when you try a "samba-tool domain level show"? Did you
> have to change the revision attribute by hand because it was not changed
> during "samba-tool domain level raise"?
>
> Your MSAD2k3, was it an upgrade from an MSAD2k? Was the forest DNS zone
> in its own partition or not before the switch to Samba-AD? [1]
>
>> I've been able to go one step further. We first were not able to join a Windows 2008 R2 as a domain controller because it was asking for adprep.
>> I found the missing data in the LDAP and added it. But now dcpromo fails replicating the configuration partition.
>> The most relevant error I can find in the dcpromo.log is:
>
> Joining a Win2k8R2 to a Samba 4.7 should go without any issue. You have
> some corrupted entries somewhere (which may actually have been copied
> over from your MSAD2k3).
>
> Have you tried to join a secondary DC, and demote the original one? DC
> replication does not sync all the DIT tree, and if your corrupted stuff
> is not to be synced, then it may help. Be sure to switch all the FSMO
> roles in between.
>
> And if the issue is not yet resolved, then the last-resort option is to
> recreate a Samba 4.7 domain with the same SID by piping in all the objects.
>
> Cheers,
>
> Denis
>
> [1]
> https://support.microsoft.com/en-us/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application
>
>
>>
>> Valeur de l’erreur principale :
>> 8451 L’opération de réplication a rencontré une erreur dans la base de données.
>>
>> Valeur de l’erreur secondaire :
>> -1507 JET_errColumnNotFound, No such column
>>
>> 02/13/2018 18:27:35 [INFO] EVENTLOG (Warning): NTDS General / Traitement interne : 1173
>> Internal event: Active Directory Domain Services has encountered the following exception and associated parameters.
>>
>>
>>
>> Exception:
>> e0010002
>>
>> Parameter:
>> 0
>>
>>
>>
>> Additional Data
>>
>> Error value:
>> 8451
>>
>> Internal ID:
>> 106027e
>>
>> 02/13/2018 18:27:35 [INFO] Error - Les services de domaine Active Directory n’ont pas pu répliquer la partition d’annuaire CN=Configuration,DC=removed,DC=com du contrôleur de domaine Active Directory distant frtlse-srv018.removed.com. (8451)
>> 02/13/2018 18:27:35 [INFO] EVENTLOG (Error): NTDS General / Traitement interne : 1168
>> Internal error: An Active Directory Domain Services error has occurred.
>>
>>
>>
>> Additional Data
>>
>> Error value (decimal):
>> -1073741823
>>
>> Error value (hex):
>> c0000001
>>
>> Internal ID:
>> 300162a
>>
>> 02/13/2018 18:27:36 [INFO] EVENTLOG (Informational): NTDS General / Contrôle du service : 1004
>> Les services de domaine Active Directory ont été arrêtés correctement.
>>
>> 02/13/2018 18:27:37 [INFO] NtdsInstall for removed.com returned 8451
>> 02/13/2018 18:27:37 [INFO] DsRolepInstallDs returned 8451
>> 02/13/2018 18:27:37 [ERROR] Failed to install to Directory Service (8451)
>> 02/13/2018 18:27:43 [INFO] Démarrage du service NETLOGON
>> 02/13/2018 18:27:43 [INFO] Configuring service NETLOGON to 2 returned 0
>> 02/13/2018 18:27:43 [INFO] La tentative de promotion du contrôleur de domaine est terminée
>> 02/13/2018 18:27:43 [INFO] DsRolepSetOperationDone returned 0
>>
>>
>> ---------------------------------------------
>> Christophe Borivant
>> IT Operations Manager
>> +33 5 62 20 71 71 (ext. 503)
>>
>> Devinlec - Groupe Leclerc
>> --------------------------------------------
>>
>> ----- Original message -----
>> From: "Andrew Bartlett" <abartlet at samba.org>
>> To: "Christophe BORIVANT" <cborivant at devinlec.com>, "samba" <samba at lists.samba.org>
>> Sent: Tuesday 13 February 2018 23:20:15
>> Subject: Re: [Samba] Is it possible to lower the domain and forest functional level
>>
>> On Tue, 2018-02-13 at 10:38 +0100, Christophe Borivant via samba wrote:
>>> Hello all,
>>>
>>> We have a Samba 4 domain controller.
>>> The domain controller was at first a secondary domain controller.
>>> We joined it to a domain where the first controller was a Windows 2003 server.
>>> Then we transferred the FSMO roles to the Linux controller and demoted the 2003 server.
>>> I then ran all the LDF files from the 2008 R2 dcpromo and raised the functional levels.
>>> Now we need to go back to a Windows domain controller because we need to use SharePoint.
>>
>> Out of curiosity, what breaks with SharePoint? Have you tried with the
>> current release?
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
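An added example (not code from this thread or from Samba) of the preparatory step in the rebuild Denis describes: it parses an LDIF dump of the old domain, drops the directory-generated attributes that cannot be re-added, rejects objects whose SID is from another domain, and reports the highest RID in use so the new domain's RID pool can be set above it. Assumed: the OPERATIONAL attribute list, the constructed sample dump, and that the re-add itself (python-ldap) and the hash re-injection (pdbedit) happen afterwards.

```python
# Constructed sample export (made-up values); the builtin group carries a well-known SID.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
objectSid: S-1-5-21-111-222-333-1105
objectGUID: 3b2e9b1c-0000-4000-8000-000000000001

dn: CN=Administrators,CN=Builtin,DC=example,DC=com
objectClass: group
objectSid: S-1-5-32-544

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
objectSid: S-1-5-21-111-222-333-1233
"""
# Attributes the directory generates itself (assumed list for this example);
# they must be dropped before the object is re-added in the new domain.
OPERATIONAL = {"objectguid", "whencreated", "whenchanged", "usncreated", "usnchanged", "objectsid"}

def parse_ldif(text):
    # Minimal LDIF parser (no folding or base64): list of (dn, {attr: [values]}).
    entries, attrs, dn = [], {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return entries

def prepare_for_reimport(entries, domain_sid):
    # Strip generated attributes and report the highest RID of domain_sid in use,
    # so the new domain's RID pool can start above it. An object whose SID is from
    # another domain is rejected; well-known SIDs (S-1-5-32-*) are simply ignored.
    out, max_rid = [], 0
    for dn, attrs in entries:
        for sid in attrs.get("objectSid", []):
            if sid.startswith(domain_sid + "-"):
                max_rid = max(max_rid, int(sid.rsplit("-", 1)[1]))
            elif sid.startswith("S-1-5-21-"):
                raise ValueError(f"{dn}: SID {sid} belongs to another domain")
        kept = {k: v for k, v in attrs.items() if k.lower() not in OPERATIONAL}
        out.append((dn, kept))
    return out, max_rid
```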
