[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

mj lists at merit.unu.edu
Fri Jun 25 10:12:51 UTC 2021


Hi Andrew,

We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it 
worked, but with one exception: the password hashes never synced to 
azure plus samba showed continuous high cpu usage.

So what I ended up doing: I added a native windows DC to our AD 
specifically for Azure AD Connect cloud sync. During cloud sync install, 
you can point it to that dedicated windows dc.

I set up firewalling, so that this windows DC can only be used for that, 
and regular clients cannot connect to it. (as it also does not have a 
synced sysvol)

This has been working quite nicely for a couple of weeks now.

One thing to keep in mind also is that the Azure AD Connect cloud sync 
also syncs your on-prem UPN to azure. But you probably want your azure 
UPN to match email address.

To do that, you need to edit (in azure admin) the mapping for 
UserPrincipalName to:

> IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@", [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))

We've just completed this all and everything is now working nicely, it's 
just a pity we had to add a windows DC to make it all work.

And on the functional level: our samba AD is:

> root at samdc2:~# samba-tool domain level show
> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
> 
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2

but we have completed the steps in the linked doc. (func prep / 
schemaupgrade)

Two interesting reads on the subject:
https://blog.astashin.com/blog/Bring-em-all-in-p3/
and
https://evotec.xyz/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure/

Ask if you have more questions.

MJ
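As an added example (not from MJ's post or the Samba wiki), here is a Python preflight that mirrors the UPN mapping expression quoted above over a constructed set of user objects and reports the UPNs that would result, the accounts that fall back to sAMAccountName@%DomainFQDN%, the accounts the Error() branch would reject, and any duplicate UPNs or UPN suffixes outside a list of tenant domains. DOMAIN_FQDN, the sample users and the verified-domain set are assumptions chosen for illustration.

```python
# Added example: evaluates the cloud sync UserPrincipalName mapping
#   IIF(IsPresent([mail]), [mail],
#       IIF(IsPresent([sAMAccountName]),
#           Join("@", [sAMAccountName], %DomainFQDN%),
#           Error("AccountName is not present")))
# against constructed user records before the sync is switched on.
from collections import Counter

DOMAIN_FQDN = "samba.company.com"  # assumed stand-in for %DomainFQDN%


class MappingError(Exception):
    """Mirrors the Error(...) branch of the sync expression."""


def is_present(value):
    # IsPresent(): the attribute exists and is not empty.
    return value is not None and str(value).strip() != ""


def map_upn(user, domain_fqdn=DOMAIN_FQDN):
    """Python equivalent of the three-branch IIF expression."""
    if is_present(user.get("mail")):
        return user["mail"]
    if is_present(user.get("sAMAccountName")):
        return "@".join([user["sAMAccountName"], domain_fqdn])
    raise MappingError("AccountName is not present")


def preflight(users, verified_domains, domain_fqdn=DOMAIN_FQDN):
    """Return (mapped, errors, duplicates, unverified) for a list of user dicts."""
    mapped, errors = {}, {}
    for user in users:
        try:
            # UPNs are compared case-insensitively, so normalise before counting.
            mapped[user["dn"]] = map_upn(user, domain_fqdn).lower()
        except MappingError as exc:
            errors[user["dn"]] = str(exc)
    counts = Counter(mapped.values())
    duplicates = sorted(upn for upn, n in counts.items() if n > 1)
    unverified = sorted(upn for upn in mapped.values()
                        if upn.rsplit("@", 1)[-1] not in verified_domains)
    return mapped, errors, duplicates, unverified


# Constructed sample users (not real directory data).
SAMPLE_USERS = [
    {"dn": "CN=Alice,CN=Users,DC=samba,DC=company,DC=com", "sAMAccountName": "alice", "mail": "Alice@company.com"},
    {"dn": "CN=Bob,CN=Users,DC=samba,DC=company,DC=com", "sAMAccountName": "bob", "mail": ""},
    {"dn": "CN=Carol,CN=Users,DC=samba,DC=company,DC=com", "sAMAccountName": "carol", "mail": "alice@company.com"},
    {"dn": "CN=svc-sync,CN=Users,DC=samba,DC=company,DC=com", "sAMAccountName": None, "mail": None},
]
```

Running `preflight(SAMPLE_USERS, {"company.com"})` shows Bob falling back to the on-prem FQDN suffix, Carol colliding with Alice, and the service account being rejected by the Error() branch.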


On 6/24/21 4:40 PM, Andrew Martin via samba wrote:
> Hello,
> 
> I am interested in following the instructions here to test out Azure AD Connect
> with local Samba DCs:
> https://wiki.samba.org/index.php/Azure_AD_Sync
> 
> Per the above instructions, it looks like the domain functional level needs to
> be raised to 2012_R2, but according to these pages, 2012_R2 is not supported yet
> on Samba DCs:
> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels
> https://lists.samba.org/archive/samba/2019-June/223643.html
> 
> Is there an ETA for support for 2012_R2?
> 
> Or, does Azure AD Connect only require that the Schema Level and Preparation
> Level be raised to 2012_R2, but not the Functional Level? (the difference
> between these 3 features is defined in the link below)
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Overview
> 
> If so, what are the consequences of running the Schema Level and Preparation
> Level at different values from the Functional Level (leaving the latter at
> 2008_R2)? It seems like running these at different values wouldn't be a
> recommended configuration.
> 
> Moreover, what is the safe and correct way to raise any of these levels?
> According to the following page, using samba-tool is not safe or recommended for
> raising the Functional Level:
> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level
> 
> Yet it appears the Windows RSAT tool is also not supported:
> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Using_the_Windows_Active_Directory_Domains_and_Trusts_Utility
> 
> Thanks for the help on all of these questions!
> 
> Andrew
> 
