[Samba] Create backup DC failed

Andrew Bartlett abartlet at samba.org
Sun Jul 25 18:03:51 UTC 2021

On Fri, 2021-07-16 at 13:56 -0600, Stephen Atkins via samba wrote:
> Hello.  I'm getting the following when trying to join my new Samba 
> 4.14.6 Arch Linux box to the DC.
> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567, 
> What I'm trying to do is create a backup DC.  I suspect that it's 
> because my current DC is running at function level "Windows Server
> 2016" at a schema version 88.

The issue is the functional level.  We should be able to import the
schema, but unless we lie (always an option!) the functional level is
the blocker.

The result of the lie would be to not implement features that the other
DCs are expecting, like FAST (Kerberos Armoring) and claims (a feature
in the Kerberos PAC where the combination of the user's PC and their
own groups is recorded).

We are actively working on the Heimdal upgrade required to get to
Windows 2012 (to implement FAST) but there is still work required
beyond that.  Windows 2016 would be further still; I've not quantified
that work.

> Just wanted to confirm that this level isn't currently supported
> before I bang my head on the wall too much.

Correct.  Sorry!

If this is an attempt to migrate 100% to Samba, then I think folks have
found a way to downgrade the functional level. 

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
