[Samba] Create backup DC failed
Stephen Atkins
satkins at mdwainwright.ca
Mon Jul 26 14:14:47 UTC 2021
On 7/25/2021 12:03 PM, Andrew Bartlett wrote:
> On Fri, 2021-07-16 at 13:56 -0600, Stephen Atkins via samba wrote:
>> Hello. I'm getting the following when trying to join my new Samba
>> 4.14.6 Arch Linux box to the DC.
>>
>> DsAddEntry failed with status WERR_ACCESS_DENIED info (8567,
>> 'WERR_DS_INCOMPATIBLE_VERSION')
>>
>> What I'm trying to do is create a backup DC. I suspect that it's
>> because my current DC is running at function level "Windows Server
>> 2016"
>> at a schema version 88.
>
> The issue is the functional level, we should be able to import the
> schema, but unless we lie (always an option!) the functional level is
> the blocker.
>
> The result of the lie would be to not implement features that the other
> DCs are expecting, like FAST (Kerberos Armoring) and claims (a feature
> in the Kerberos PAC where the combination of the user's PC and their
> own groups is recorded).
>
> We are actively working on the Heimdal upgrade required to get to
> Windows 2012 (to implement FAST) but there is still work required
> beyond that. Windows 2016 would be further still, I've not quantified
> that work.
>
>> Just wanted to confirm that this level isn't currently supported
>> before
>> I band my head on the wall to much.
>
> Correct. Sorry!
>
> If this is an attempt to migrate 100% to Samba, then I think folks have
> found a way to downgrade the functional level.
>
> Andrew Bartlett
>
Thanks for the explanation. I would offer to help but my C/C++ coding
is so old it would take me a long time to figure out what I'm doing now
days. I've been out of the coding game for almost 10 years now. But if
there is anything else I can help with let me know.
--
Stephen Atkins
More information about the samba
mailing list