[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

Andrew Martin amartin at xes-inc.com
Mon Jul 12 18:06:39 UTC 2021


----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Thursday, July 8, 2021 5:45:19 AM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

> Hi
> 
> On 29.06.21 at 19:14, ralph strebbing via samba wrote:
>>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>>> Member also or does it require running on a DC too (or only if you want to do
>>> two-way password sync)?
>> I did have the new tool working, but couldn't get password-hash syncs
>> to work or rather update after the initial sync. And this was
>> following the Samba wiki without deviation.
> I can confirm that a password changed on the samba-ad was synced to
> azure (azure logs below)
> 
> We created the wiki page you mention and we retested it right now again.
> 
> 
> "DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
> "2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
> "2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
> 
> 
> 
> The Azure AD Connect Cloud Sync runs on a member server (no DC).
> We did a
> 
> samba-tool domain functionalprep --function-level=2012_R2
> 
> and the user who performs the sync is a member of the Enterprise Admins group.
> 
> If a password is changed in azure, the sync back does not work and the
> passwords differ.
> 
> If you change it again in samba-ad, it is synced again to azure
> 
> Best Regards
> 
> Hansjörg
> 

Hi Hansjörg,

Great, thank you for the clarification. I hope to test this out on a domain 
member server soon as well; I'll reach back out to the list if I run into 
problems with the sync.

Andrew
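
Added example, not part of the original thread: one way to check a provisioning-log CSV export like the one quoted above for each user's most recent password hash sync result, even when the export has been pasted through mail quoting and wrapping. The sample rows are constructed, `TENANT` and `JOB` are placeholders, and treating the `JobId` prefix before the first dot as the job type is an assumption based on the two rows in the thread.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample: a subset of the columns from the export in the thread,
# with mail-style "> " quoting and wrapped fields. Ids are placeholders.
SAMPLE = '''\
> "DateTime","JobId","Action","StatusInfoStatus","InitiatedByName","TargetIdentityName"
> "2021-07-08T10:21:47Z","AD2AADProvisioning.TENANT.JOB","Update","success","Azure
> AD Provisioning
> Service","Hans Hubert"
> "2021-07-08T10:20:27Z","AD2AADPasswordHash.TENANT.JOB","Update","success","Azure
> AD Provisioning
> Service","Hans Hubert"
> "2021-07-08T09:02:00Z","AD2AADPasswordHash.TENANT.JOB","Update","failure","Azure
> AD Provisioning
> Service","Test User"
'''

def load_rows(text):
    """Parse the export, tolerating '> ' quote markers and wrapped fields."""
    unquoted = re.sub(r"^> ?", "", text, flags=re.M)
    reader = csv.DictReader(io.StringIO(unquoted, newline=""))
    # Quoted fields may contain line breaks from mail wrapping; collapse them.
    return [{" ".join(k.split()): " ".join((v or "").split())
             for k, v in row.items()} for row in reader]

def last_password_hash_sync(rows):
    """Map each target identity to (time, status) of its newest hash-sync event."""
    latest = {}
    for row in rows:
        # Assumption: the JobId prefix before the first '.' names the job type.
        if row["JobId"].split(".", 1)[0] != "AD2AADPasswordHash":
            continue
        when = datetime.strptime(row["DateTime"], "%Y-%m-%dT%H:%M:%SZ")
        user = row["TargetIdentityName"]
        if user not in latest or when > latest[user][0]:
            latest[user] = (when, row["StatusInfoStatus"])
    return latest

if __name__ == "__main__":
    for user, (when, status) in last_password_hash_sync(load_rows(SAMPLE)).items():
        print(f"{user}: last password hash sync {when.isoformat()} -> {status}")
```
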


