[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

Dr. Hansjörg Maurer hansjoerg.maurer at itsd.de
Thu Jul 8 10:45:19 UTC 2021


Hi

On 29.06.21 at 19:14, ralph strebbing via samba wrote:
>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>> Member also or does it require running on a DC too (or only if you want to do
>> two-way password sync)?
> I did have the new tool working, but couldn't get password-hash syncs
> to work or rather update after the initial sync. And this was
> following the Samba wiki without deviation.
I can confirm that a password changed on the samba-ad was synced to
Azure (Azure logs below).

We created the wiki page you mention and we retested it right now again.


"DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
"2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
"2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"



The Azure AD Connect Cloud Sync runs on a member server (no DC).
We did a

samba-tool domain functionalprep --function-level=2012_R2

and the user who performs the sync is a member of the Enterprise Admins group.

If a password is changed in Azure, the sync back does not work and the
passwords differ.

If you change it again in samba-ad, it is synced again to Azure.

Best Regards

Hansjörg







>
>> Did you set up the "old" tool on 3 different Domain Members as the docs
>> recommend for redundancy? If so, was the setup process easier on the subsequent
>> two (all of the settings had already been configured on the first instance)?
> I did not, I'm just running this on one Windows Server 2019 VM in our cluster.
>
> Regards,
> Ralph
>


-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Erzgießereistr. 22
80335 München
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web:    http://www.itsd.de


Registered at Amtsgericht München, HRB 132146
VAT ID No. DE 812991301
Tax No. 143/100/81575

Chairman of the Supervisory Board:
Stefan Adam
Executive Board:
Dr. Michael Krocka
Dr. Hansjörg Maurer
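
Added example (not part of the original message or of Samba/Azure tooling): one way to check a provisioning-log export like the one quoted in this message for accounts whose password change in samba-ad has no later successful AD2AADPasswordHash event. The sample rows, the "failure" status value, the function names and matching accounts by TargetIdentityName are assumptions made for illustration.

```python
import csv
import io

# Constructed sample using a subset of the columns from the export quoted
# above; the job-id suffixes and the "failure" status are made-up placeholders.
SAMPLE = '''"DateTime","JobId","Action","StatusInfoStatus","TargetIdentityName"
"2021-07-08T10:21:47Z","AD2AADProvisioning.TENANT.JOB","Update","success","Hans Hubert"
"2021-07-08T10:20:27Z","AD2AADPasswordHash.TENANT.JOB","Update","success","Hans Hubert"
"2021-07-08T09:02:11Z","AD2AADPasswordHash.TENANT.JOB","Update","failure","Example User"
'''


def last_hash_sync(csv_text):
    """Map each target identity to its newest successful password-hash event."""
    latest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # The job type is the part of JobId before the first dot.
        if row["JobId"].split(".", 1)[0] != "AD2AADPasswordHash":
            continue
        if row["StatusInfoStatus"] != "success":
            continue
        who, stamp = row["TargetIdentityName"], row["DateTime"]
        # Same-format UTC ISO 8601 strings sort chronologically.
        if stamp > latest.get(who, ""):
            latest[who] = stamp
    return latest


def unsynced(csv_text, changes):
    """Accounts in `changes` (name -> time of the password change in samba-ad)
    with no successful password-hash event at or after that time."""
    latest = last_hash_sync(csv_text)
    return sorted(name for name, changed in changes.items()
                  if latest.get(name, "") < changed)


if __name__ == "__main__":
    # Constructed password-change times for the two sample accounts.
    changes = {"Hans Hubert": "2021-07-08T10:19:00Z",
               "Example User": "2021-07-08T09:00:00Z"}
    print(last_hash_sync(SAMPLE))
    print(unsynced(SAMPLE, changes))
```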



