[Samba] Windows 2019 DC and samba dc

Viktor Trojanovic viktor at troja.ch
Tue Feb 12 11:21:29 UTC 2019


On 12.02.2019 11:16, Rowland Penny via samba wrote:
> On Tue, 12 Feb 2019 14:28:44 +0500
> Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:
>
>> I joined the windows 2019 domain, where among the controllers there
>> is a Samba DC version 4.8.5, and after that the replica stopped
>> working windows servers <--> samba DC. Upgrading to version 4.9.4 did
>> not help.
>>
>> Errors:
>>
>> ```
>>
>> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.679872,
>> 0] ../source4/dsdb/repl/replicated_objects.c:248(dsdb_repl_resolve_working_schema)
>> фев 12 14:15:28 srv-dc01 samba[24637]:   Can't continue Schema load:
>> didn't manage to convert any objects: all 1 remaining of 133 objects
>> failed to convert
>> фев 12 14:15:28 srv-dc01 samba[24637]: [2019/02/12 14:15:28.680036,
>> 0] ../source4/dsdb/repl/replicated_objects.c:361(dsdb_repl_make_working_schema)
>> фев 12 14:15:28 srv-dc01 samba[24637]:
>> ../source4/dsdb/repl/replicated_objects.c:361:
>> dsdb_repl_resolve_working_schema() failed: WERR_INTERNAL_ERRORFailed
>> to create working schema: WERR_INTERNAL_ERROR
>>
>> ```
>>
>>
>>
> Samba hasn't got to Windows 2016 yet, never mind 2019. You may be able
> to fix your domain by demoting the Windows 2019 DC. If this doesn't
> work, stop the Windows 2019 DC and forcibly remove it from the domain
> with 'samba-tool domain demote
> --remove-other-dead-server=<THE_2019_DC_SHORTHOSTNAME>'
>
> I fear that you may have terminally mangled your AD.
>
I never had to deal with this but the topic is of interest to me. 
According to the Samba Wiki (see 1), Samba supports a domain functional 
level of up to 2012_R2 with restrictions, and 2008_R2 without 
restrictions. According to Microsoft (see 2), both Win16 and Win19 
require a minimum domain functional level of 2008_R2. So why is it not 
possible to join a Win19 DC to a Samba domain, or the other way round, 
without negatively affecting the AD?

If I read on in the Wiki (see 3), it seems that the only version that 
will work without breaking something is Win Server 2008. One big issue 
seems to be that newer Win Servers expect WMI to work in order to join a 
domain, something that Samba doesn't support so having a running 2008 DC 
is a requirement in order to join Win2012. But the bigger issue seems to 
be that versions 2012+ will break replication in any case. Is that all 
still accurate?

By the way, the main reason this topic interests me is because more and 
more businesses I work with are using or plan to introduce MS Office 
365. When talking about a very small user base (<10) it's fine to manage 
O365 separately from the AD but with bigger ones there clearly are 
benefits of syncing on-premise AD with Azure/O365. Currently, this only 
seems possible from Win DCs (please do correct me if this information is 
not accurate) which is why it may become necessary to install one. 
However, with version 2008 approaching EOL, this may become a critical 
issue.

(1) https://wiki.samba.org/index.php/Raising_the_Functional_Levels
(2) https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
(3) https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

Viktor



