[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
Andrew Martin
amartin at xes-inc.com
Mon Jun 28 17:40:53 UTC 2021
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, June 25, 2021 5:12:51 AM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
> Hi Andrew,
>
> We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it
> worked, but with one exception: the password hashes never synced to
> azure plus samba showed continuous high cpu usage.
>
> So what I ended up doing: i added a native windows DC to our AD
> specifically for Azure AD Connect cloud sync. During cloud sync install,
> you can point it to that dedicated windows dc.
>
> I setup firewalling, so that this windows DC can only be used for that,
> and regular clients cannot connect to it. (as it also does not have a
> synced sysvol)
>
> This has been working quite nicely for a couple of weeks now.
>
> One thing to keep in mind also is that the Azure AD Connect cloud sync
> also syncs your on-prem UPN to azure. But you probably want your azure
> UPN to match email address.
>
> To do that, you need to edit (in azure admin) the mapping for
> UserPrincipalName to:
>
>> IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@",
>> [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))
>
> We've just completed this all and everything is now working nicely, it's
> just a pity we had to add a windows DC to make it all work.
>
> And on the functional level: our samba AD is:
>
>> root at samdc2:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>>
>> Forest function level: (Windows) 2008 R2
>> Domain function level: (Windows) 2008 R2
>> Lowest function level of a DC: (Windows) 2008 R2
>
> but we have completed the steps in the linked doc. (func prep /
> schemaupgrade)
>
> Two interesting readson the subject:
> https://blog.astashin.com/blog/Bring-em-all-in-p3/
> and
> https://evotec.xyz/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure/
>
> Ask if you have more questions.
>
> MJ
>
>
> On 6/24/21 4:40 PM, Andrew Martin via samba wrote:
>> Hello,
>>
>> I am interested in following the instructions here to test out Azure AD Connect
>> with local Samba DCs:
>> https://wiki.samba.org/index.php/Azure_AD_Sync
>>
>> Per the above instructions, it looks like the domain functional level needs to
>> be raised to 2012_R2, but according to these pages, 2012_R2 is not supported yet
>> on Samba DCs:
>> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels
>> https://lists.samba.org/archive/samba/2019-June/223643.html
>>
>> Is there an ETA for support for 2012_R2?
>>
>> Or, does Azure AD Connect only require that the Schema Level and Preparation
>> Level be raised to 2012_R2, but not the Functional Level? (the difference
>> between these 3 features is defined in the link below)
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Overview
>>
>> If so, what are the consequences of running the Schema Level and Preparation
>> Level at different values from the Functional Level (leaving the latter at
>> 2008_R2)? It seems like running these at different values wouldn't be a
>> recommended configuration.
>>
>> Moreover, what is the safe and correct way to raise any of these levels?
>> According to the following page, using samba-tool is not safe or recommended for
>> raising the Functional Level:
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level
>>
>> Yet it appears the Windows RSAT tool is also not supported:
>> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Using_the_Windows_Active_Directory_Domains_and_Trusts_Utility
>>
>> Thanks for the help on all of these questions!
>>
>> Andrew
>>
Hi MJ,
Thanks for the information on how you successfully setup Azure AD sync. I have
a couple of questions:
* how exactly did you setup firewall rules to block other clients? Did this
cause issues, e.g. with DNS records in AD?
* when joining the Windows DC to the domain, did you need to do anything to
tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was
at 2008_R2 since that's the Functional Level still, so how did you replicate
the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?
* any other issues you ran into with turning your pure Samba AD into a hybrid?
Asking the list more generally (but also you too if you know), is the
combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for
the Functional Level really safe? Moreover, it seems that only 2003 is required
for Azure AD Connect?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites
Despite the warning below, is it safe to run "samba-tool domain level raise" if
you have already made sure that the Schema Level and Functional Prep have been
updated?
https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level
Thanks,
Andrew
More information about the samba
mailing list