[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

Andrew Martin amartin at xes-inc.com
Mon Jul 12 20:15:53 UTC 2021



----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "Dr. Hansjörg Maurer" <hansjoerg.maurer at itsd.de>
> Cc: "samba" <samba at lists.samba.org>
> Sent: Monday, July 12, 2021 1:06:39 PM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

> ----- Original Message -----
>> From: "samba" <samba at lists.samba.org>
>> To: "samba" <samba at lists.samba.org>
>> Sent: Thursday, July 8, 2021 5:45:19 AM
>> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
> 
>> Hi
>> 
>> On 29.06.21 at 19:14, ralph strebbing via samba wrote:
>>>> Thanks; it's clear to me that Azure AD Connect (the "old" tool) doesn't require
>>>> a DC, but can the new Azure AD Connect Cloud Sync tool be run on a Domain
>>>> Member also or does it require running on a DC too (or only if you want to do
>>>> two-way password sync)?
>>> I did have the new tool working, but couldn't get password-hash syncs
>>> to work or rather update after the initial sync. And this was
>>> following the Samba wiki without deviation.
>> I can confirm that a password changed on the samba-ad was synced to
>> azure (azure logs below)
>> 
>> We created the wiki page you mention and we retested it right now again.
>> 
>> 
>> "DateTime","TenantId","JobId","CycleId","ChangeId","Action","Duration (ms)","ServicePrincipalId","ServicePrincipalName","InitiatedById","InitiatedByName","InitiatedByType","StatusInfoStatus","StatusInfoErrorCode","StatusInfoReason","StatusInfoAdditionalDetails","StatusInfoErrorCategory","StatusInfoRecommendedAction","SourceSystemId","SourceSystemName","TargetSystemId","TargetSystemName","SourceIdentityId","SourceIdentityName","SourceIdentityType","TargetIdentityId","TargetIdentityName","TargetIdentityType"
>> "2021-07-08T10:21:47Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADProvisioning.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","c5bf7338-44c6-428e-af52-6c60c0358e8d","98a99871-fb27-4f67-bc17-f948beb93274","Update","234","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","69b6c952-a136-4118-9449-0d136eb102fa","Active Directory","0d0e9d06-b33f-42d6-9885-51851a1c9d79","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
>> "2021-07-08T10:20:27Z","49d3de9b-86a9-4d0d-9ed5-ca5f49ecbd98","AD2AADPasswordHash.49d3de9b86a94d0d9ed5ca5f49ecbd98.cc84be8a-a20e-42dc-8a22-f01b7ed87e5b","b8cf3719-89ea-4940-9864-56c326b878ff","f957b625-2a23-46a9-994b-03632c412c9f","Update","359","ac30a16f-f46e-4ec7-a334-36d76403b3fe","ad-itsd.lan","","Azure AD Provisioning Service","system","success","","","","","","535768db-f6c2-4c13-b689-9fd5ed9cadee","Active Directory","b922fd42-0800-414d-aead-3ab7b001523d","Azure Active Directory","b74bd534-b150-459d-8f82-c5bb623cff82","","user","a68cbc51-744d-4437-b733-a07836c8e37d","Hans Hubert","User"
>> 
>> 
>> 
>> The Azure AD Connect Cloud Sync runs on a member server (no DC).
>> We did a
>> 
>> samba-tool domain functionalprep --function-level=2012_R2
>> 
>> and the user who performs the sync is a member of the Enterprise Admins group.
>> 
>> If a password is changed in azure, the sync back does not work and the
>> passwords differ.
>> 
>> If you change it again in samba-ad, it is synced again to azure.
>> 
>> Best Regards
>> 
>> Hansjörg
>> 
> 
> Hi Hansjörg,
> 
> Great, thank you for the clarification. I hope to test this out on a domain
> member server soon as well; I'll reach back out to the list if I run into
> problems with the sync.
> 
> Andrew
> 

When performing the Schema Level and Functional Prep upgrades today, it 
appears to have been successful; however, I encountered a few errors:

# samba-tool domain schemaupgrade --schema=2012_R2
...
Unable to find attribute msDS-MembersOfResourcePropertyList in the schema
Unable to find attribute msDNS-KeymasterZones in the schema
Unable to find attribute 1.2.840.113556.1.4.2214 in the schema
Unable to find attribute 1.2.840.113556.1.4.2246 in the schema
Unable to find attribute 1.2.840.113556.1.4.2246 in the schema
Unable to find attribute 1.2.840.113556.1.4.2244 in the schema
Unable to find attribute 1.2.840.113556.1.4.2244 in the schema
...
Schema successfully updated

# samba-tool domain functionalprep --function-level=2012_R2
Temporarily overriding 'dsdb:schema update allowed' setting
ndr_pull_relative_ptr1: ndr_pull_error(Buffer Size Error): ndr_pull_relative_ptr1 rel_offset(1347566395) > ndr->data_size(86) at ../../librpc/ndr/ndr.c:1911
< last line repeated many times >

Are these anything to be concerned about? When running the following command, 
it returns "objectVersion: 69" as expected:
https://wiki.samba.org/index.php/AD_Schema_Version_Support#Determine_the_AD_Schema_Version_on_a_Samba_DC

Thanks,

Andrew
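An added example for this thread (not code from either poster): a small checker for the Azure AD Connect Cloud Sync provisioning log export Hansjörg quoted, answering the question raised earlier in the thread, "did the password hash actually get re-synced after the change, or only the initial sync?". The column names are taken from the CSV header in the quoted log; the sample rows below are constructed with placeholder tenant/job IDs and keep only the columns the checks use (csv.DictReader works on the full 28-column export just the same).

```python
"""
Verify password-hash sync events in an Azure AD Connect Cloud Sync
provisioning log export (CSV).

Added example for this mailing-list thread, not code from the original
posts. Column names follow the CSV header quoted in the thread; the sample
rows are constructed (placeholder IDs), not the original log lines.
"""
import csv
import io
from datetime import datetime, timezone

# Columns used from the exported provisioning log (subset of the real header).
TIME_COL = "DateTime"
JOB_COL = "JobId"
ACTION_COL = "Action"
STATUS_COL = "StatusInfoStatus"
REASON_COL = "StatusInfoReason"
USER_COL = "TargetIdentityName"

# Constructed sample export: one hash sync and one provisioning update for the
# user from the thread, plus a constructed failed hash sync for another user.
SAMPLE_LOG = """\
"DateTime","JobId","Action","StatusInfoStatus","StatusInfoReason","TargetIdentityName"
"2021-07-08T10:20:27Z","AD2AADPasswordHash.TENANT-PLACEHOLDER.JOB-PLACEHOLDER","Update","success","","Hans Hubert"
"2021-07-08T10:21:47Z","AD2AADProvisioning.TENANT-PLACEHOLDER.JOB-PLACEHOLDER","Update","success","","Hans Hubert"
"2021-07-08T11:05:02Z","AD2AADPasswordHash.TENANT-PLACEHOLDER.JOB-PLACEHOLDER","Update","failure","constructed reason","Jane Doe"
"""


def _parse_ts(value):
    """Timestamps in the export are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_provisioning_log(text):
    """Parse the CSV export into dict rows, adding an aware datetime under '_ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["_ts"] = _parse_ts(row[TIME_COL])
        rows.append(row)
    return rows


def job_kind(job_id):
    """JobId has the form '<kind>.<tenant>.<guid>'; the kind tells the job type
    apart (AD2AADPasswordHash vs. AD2AADProvisioning)."""
    return job_id.split(".", 1)[0]


def last_password_hash_sync(rows, user, changed_after):
    """Newest successful AD2AADPasswordHash 'Update' for `user` at or after
    `changed_after`, or None (meaning the new hash never reached Azure AD)."""
    hits = [
        r for r in rows
        if job_kind(r[JOB_COL]) == "AD2AADPasswordHash"
        and r[ACTION_COL] == "Update"
        and r[STATUS_COL] == "success"
        and r[USER_COL] == user
        and r["_ts"] >= changed_after
    ]
    return max(hits, key=lambda r: r["_ts"]) if hits else None


def check_user_sync(text, user, changed_after_iso):
    """Convenience wrapper: DateTime string of the confirming hash-sync event, or None."""
    hit = last_password_hash_sync(parse_provisioning_log(text), user, _parse_ts(changed_after_iso))
    return hit[TIME_COL] if hit else None


def failed_events(text):
    """(timestamp, job kind, user, reason) for every non-success row, for triage."""
    return [
        (r[TIME_COL], job_kind(r[JOB_COL]), r[USER_COL], r[REASON_COL])
        for r in parse_provisioning_log(text)
        if r[STATUS_COL] != "success"
    ]


if __name__ == "__main__":
    # Password changed on the Samba DC at 10:00Z; was the hash synced afterwards?
    print("hash sync after change:", check_user_sync(SAMPLE_LOG, "Hans Hubert", "2021-07-08T10:00:00Z"))
    for ev in failed_events(SAMPLE_LOG):
        print("failed:", ev)
```

Feed it the CSV downloaded from the provisioning logs in the Azure portal; the interesting negative case is a user whose AD2AADProvisioning update succeeded but who has no AD2AADPasswordHash row after the change time, which is exactly the "initial sync worked, later updates did not" symptom described above.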


