[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Andrew Martin
amartin at xes-inc.com
Mon Jul 12 20:15:53 UTC 2021
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "Dr. Hansjörg Maurer" <hansjoerg.maurer at itsd.de>
> Cc: "samba" <samba at lists.samba.org>
> Sent: Monday, July 12, 2021 1:06:39 PM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
> ----- Original Message -----
>> From: "samba" <samba at lists.samba.org>
>> To: "samba" <samba at lists.samba.org>
>> Sent: Thursday, July 8, 2021 5:45:19 AM
>> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not
>> yet supported?
>> Hi
>> On 29.06.21 at 19:14, ralph strebbing via samba wrote:
>>>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>>>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>>>> Member also or does it require running on a DC too (or only if you want to do
>>>> two-way password sync)?
>>> I did have the new tool working, but couldn't get password-hash syncs
>>> to work or rather update after the initial sync. And this was
>>> following the Samba wiki without deviation.
>> I can confirm that a password changed on the samba-ad was synched to
>> Azure (Azure logs below).
>> We created the wiki page you mention and we retested it right now again.
>> "DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration
>> (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
>> "2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure
>> AD Provisioning
>> Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active
>> Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active
>> Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans
>> Hubert","User"
>> "2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure
>> AD Provisioning
>> Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active
>> Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active
>> Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans
>> Hubert","User"
>> The Azure AD Connect Cloud Sync runs on a member server (no DC).
>> We did a
>> samba-tool domain functionalprep --function-level=2012_R2
>> and the user who performs the sync is a member of the Enterprise Admins group.
>> If a password is changed in Azure, the sync back does not work and the
>> passwords differ.
>> If you change it again in samba-ad, it is synched again to Azure.
>> Best Regards
>> Hansjörg
> Hi Hansjörg,
> Great, thank you for the clarification. I hope to test this out on a domain
> member server soon as well; I'll reach back out to the list if I run into
> problems with the sync.
> Andrew
When performing the Schema Level and Functional Prep upgrades today, it
appears to have been successful; however, I encountered a few errors:
# samba-tool domain schemaupgrade --schema=2012_R2
Unable to find attribute msDS-MembersOfResourcePropertyList in the schema
Unable to find attribute msDNS-KeymasterZones in the schema
Unable to find attribute 1.2.840.113556.1.4.2214 in the schema
Unable to find attribute 1.2.840.113556.1.4.2246 in the schema
Unable to find attribute 1.2.840.113556.1.4.2246 in the schema
Unable to find attribute 1.2.840.113556.1.4.2244 in the schema
Unable to find attribute 1.2.840.113556.1.4.2244 in the schema
Schema successfully updated
# samba-tool domain functionalprep --function-level=2012_R2
Temporarily overriding 'dsdb:schema update allowed' setting
ndr_pull_relative_ptr1: ndr_pull_error(Buffer Size Error): ndr_pull_relative_ptr1 rel_offset(1347566395) > ndr->data_size(86) at ../../librpc/ndr/ndr.c:1911
< last line repeated many times >
Are these anything to be concerned about? When running the following command,
it returns "objectVersion: 69" as expected:
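The provisioning export quoted earlier in the thread (the AD2AADProvisioning and AD2AADPasswordHash rows) is what shows a Samba-side password change reaching Azure. As an added example that is not from the thread, Samba or Microsoft, here is a small Python checker over a constructed log in the same CSV layout: it reports whether a successful password-hash Update for a user was logged at or after a given change time, and lists any password-hash jobs that did not succeed. Column names match the export; all IDs, the second user and the failure row are made up.

```python
"""Check an Azure AD provisioning log export (CSV) for password-hash sync events.

Constructed example: the header matches the export quoted in the thread; the
data rows, IDs, the second user and the error code are made up for illustration.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_LOG = """\
"DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
"2021-07-08T10:21:47Z","TENANT","AD2AADProvisioning.TENANT.JOB","CYCLE1","CHANGE1","Update","234","SP","ad.example.lan","","Azure AD Provisioning Service","system","success","","","","","","SRC","Active Directory","DST","Azure Active Directory","USER1","","user","AADUSER1","Hans Hubert","User"
"2021-07-08T10:20:27Z","TENANT","AD2AADPasswordHash.TENANT.JOB","CYCLE2","CHANGE2","Update","359","SP","ad.example.lan","","Azure AD Provisioning Service","system","success","","","","","","SRC","Active Directory","DST","Azure Active Directory","USER1","","user","AADUSER1","Hans Hubert","User"
"2021-07-08T09:00:00Z","TENANT","AD2AADPasswordHash.TENANT.JOB","CYCLE3","CHANGE3","Update","401","SP","ad.example.lan","","Azure AD Provisioning Service","system","failure","ConstructedErrorCode","Constructed failure reason","","","","SRC","Active Directory","DST","Azure Active Directory","USER2","","user","AADUSER2","Erika Muster","User"
"""


def parse_log(text):
    """Parse the CSV export into a list of dict rows, one per provisioning event."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value):
    """Export timestamps are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_hash_events(rows, user):
    """Password-hash sync events for `user` (TargetIdentityName), newest first."""
    hits = [r for r in rows
            if r["JobId"].startswith("AD2AADPasswordHash.")
            and r["TargetIdentityName"] == user]
    return sorted(hits, key=lambda r: _ts(r["DateTime"]), reverse=True)


def hash_synced_since(rows, user, changed_at):
    """True if a successful password-hash Update for `user` was logged at or after `changed_at`."""
    when = _ts(changed_at)
    return any(r["Action"] == "Update" and r["StatusInfoStatus"] == "success"
               and _ts(r["DateTime"]) >= when
               for r in password_hash_events(rows, user))


def failed_hash_syncs(rows):
    """(user, time, error code, reason) for every password-hash job that did not succeed."""
    return [(r["TargetIdentityName"], r["DateTime"], r["StatusInfoErrorCode"], r["StatusInfoReason"])
            for r in rows
            if r["JobId"].startswith("AD2AADPasswordHash.") and r["StatusInfoStatus"] != "success"]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("Hans Hubert synced after 10:00Z:", hash_synced_since(log, "Hans Hubert", "2021-07-08T10:00:00Z"))
    print("failed password-hash syncs:", failed_hash_syncs(log))
```

The checker only covers the AD-to-Azure direction; the thread notes that a password changed in Azure is not written back, so a mismatch there would not appear in this export.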