[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

Mon Jun 28 17:40:53 UTC 2021

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Friday, June 25, 2021 5:12:51 AM
> Subject: Re: [Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?

> Hi Andrew,
> 
> We followed https://wiki.samba.org/index.php/Azure_AD_Sync and it
> worked, but with one exception: the password hashes never synced to
> azure plus samba showed continuous high cpu usage.
> 
> So what I ended up doing: i added a native windows DC to our AD
> specifically for Azure AD Connect cloud sync. During cloud sync install,
> you can point it to that dedicated windows dc.
> 
> I setup firewalling, so that this windows DC can only be used for that,
> and regular clients cannot connect to it. (as it also does not have a
> synced sysvol)
> 
> This has been working quite nicely for a couple of weeks now.
> 
> One thing to keep in mind also is that the Azure AD Connect cloud sync
> also syncs your on-prem UPN to azure. But you probably want your azure
> UPN to match email address.
> 
> To do that, you need to edit (in azure admin) the mapping for
> UserPrincipalName to:
> 
>> IIF(IsPresent([mail]), [mail], IIF(IsPresent([sAMAccountName]), Join("@",
>> [sAMAccountName], %DomainFQDN%), Error("AccountName is not present")))
> 
> We've just completed this all and everything is now working nicely, it's
> just a pity we had to add a windows DC to make it all work.
> 
> And on the functional level: our samba AD is:
> 
>> root at samdc2:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=samba,DC=company,DC=com'
>> 
>> Forest function level: (Windows) 2008 R2
>> Domain function level: (Windows) 2008 R2
>> Lowest function level of a DC: (Windows) 2008 R2
> 
> but we have completed the steps in the linked doc. (func prep /
> schemaupgrade)
> 
> Two interesting readson the subject:
> https://blog.astashin.com/blog/Bring-em-all-in-p3/
> and
> https://evotec.xyz/azure-ad-connect-synchronizing-mail-field-with-userprincipalname-in-azure/
> 
> Ask if you have more questions.
> 
> MJ
> 
> 
> On 6/24/21 4:40 PM, Andrew Martin via samba wrote:
>> Hello,
>> 
>> I am interested in following the instructions here to test out Azure AD Connect
>> with local Samba DCs:
>> https://wiki.samba.org/index.php/Azure_AD_Sync
>> 
>> Per the above instructions, it looks like the domain functional level needs to
>> be raised to 2012_R2, but according to these pages, 2012_R2 is not supported yet
>> on Samba DCs:
>> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Supported_Functional_Levels
>> https://lists.samba.org/archive/samba/2019-June/223643.html
>> 
>> Is there an ETA for support for 2012_R2?
>> 
>> Or, does Azure AD Connect only require that the Schema Level and Preparation
>> Level be raised to 2012_R2, but not the Functional Level? (the difference
>> between these 3 features is defined in the link below)
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Overview
>> 
>> If so, what are the consequences of running the Schema Level and Preparation
>> Level at different values from the Functional Level (leaving the latter at
>> 2008_R2)? It seems like running these at different values wouldn't be a
>> recommended configuration.
>> 
>> Moreover, what is the safe and correct way to raise any of these levels?
>> According to the following page, using samba-tool is not safe or recommended for
>> raising the Functional Level:
>> https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level
>> 
>> Yet it appears the Windows RSAT tool is also not supported:
>> https://wiki.samba.org/index.php/Raising_the_Functional_Levels#Using_the_Windows_Active_Directory_Domains_and_Trusts_Utility
>> 
>> Thanks for the help on all of these questions!
>> 
>> Andrew
>> 

Hi MJ,

Thanks for the information on how you successfully setup Azure AD sync. I have
a couple of questions:

* how exactly did you setup firewall rules to block other clients? Did this
cause issues, e.g. with DNS records in AD?

* when joining the Windows DC to the domain, did you need to do anything to
tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was
at 2008_R2 since that's the Functional Level still, so how did you replicate
the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?

* any other issues you ran into with turning your pure Samba AD into a hybrid?

Asking the list more generally (but also you too if you know), is the
combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for
the Functional Level really safe? Moreover, it seems that only 2003 is required
for Azure AD Connect?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

Despite the warning below, is it safe to run "samba-tool domain level raise" if
you have already made sure that the Schema Level and Functional Prep have been
updated?
https://wiki.samba.org/index.php/Windows_2012_Server_compatibility#Functional_level

Thanks,

Andrew