[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
mj
lists at merit.unu.edu
Tue Jun 29 09:27:12 UTC 2021
Hi Andrew,
On 6/28/21 7:40 PM, Andrew Martin wrote:
> * how exactly did you setup firewall rules to block other clients? Did this
> cause issues, e.g. with DNS records in AD?
So far so good: no issues. I put the WINDC on a separate subnet to be
able to firewall it. I also did some local firewalling on the WINDC. I
DENY rather than DROP, to avoid having to wait for timeouts.
Not a Windows guru, but perhaps you could also use the concept of
"sites" to separate the WINDC from your local LAN DCs. Perhaps you could
test that, and let us know.
> * when joining the Windows DC to the domain, did you need to do anything to
> tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was
> at 2008_R2 since that's the Functional Level still, so how did you replicate
> the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?
No, all we did was:
samba-tool domain functionalprep --function-level=2012_R2
samba-tool domain schemaupgrade
This keeps the functional level at 2008_R2.
Then we were able to add a WIN2008R2 DC to the AD domain.
> * any other issues you ran into with turning your pure Samba AD into a hybrid?
Yes, one. We tried to add a more recent (2012R2) Windows DC as well.
Never tried 2016 because of a warning on the Samba wiki. Adding a 2012R2
DC caused problems which I was unable to resolve, namely:
The number of objects reported by samba-tool dbcheck kept increasing
every few minutes. So after a week of just letting it run/replicate with
no client traffic, our total objects had almost doubled. I wrote about
that on the list, but no solution.
After shutting down the 2012R2 DC, the number of objects stopped
increasing. So I decided to continue to use the WIN2008_R2 DC for the
time being. Perhaps in the future I will work on this again. I know we
should not run a WIN2008 DC (the strict firewalling is also because of
that).
> Asking the list more generally (but also you too if you know), is the
> combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for
> the Functional Level really safe? Moreover, it seems that only 2003 is required
It seems to work here for a couple of weeks now.
> Despite the warning below, is it safe to run "samba-tool domain level raise" if
> you have already made sure that the Schema Level and Functional Prep have been
> updated?
Would love an answer on that too.
Generally it would be nice to see more dialogue on those kinds of
subjects, like: mixing windows/samba DCs, functional levels, interacting
with azure/O365, etc.
MJ
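The symptom MJ describes (the object count from `samba-tool dbcheck` creeping up every few minutes after adding the 2012R2 DC) is easy to miss until the directory has doubled. The script below is an added example, not from the post or the Samba project: it records the count after each dbcheck run and exits non-zero when growth since the previous run exceeds a threshold. It assumes dbcheck's summary line reads `Checked N objects (M errors)`; `DBCHECK_CMD`, `COUNT_LOG` and `GROWTH_LIMIT_PCT` are hypothetical knobs, and the sample output is constructed.

```shell
#!/bin/sh
# Track the object count reported by "samba-tool dbcheck" between runs and
# flag unexplained growth, the replication symptom described in the post.
# Assumption (not from the post): the dbcheck summary line is
#   "Checked N objects (M errors)".
DBCHECK_CMD="${DBCHECK_CMD:-samba-tool dbcheck}"        # hypothetical override for testing
COUNT_LOG="${COUNT_LOG:-/var/tmp/dbcheck-objects.log}"  # one "timestamp count" line per run
GROWTH_LIMIT_PCT="${GROWTH_LIMIT_PCT:-5}"                # tolerated growth between two runs

# Constructed sample of dbcheck output, used when no live DC is available.
SAMPLE_OUTPUT='Checking 3412 objects
Checked 3412 objects (0 errors)'

# Print the object count from dbcheck output (first "Checked N objects" line).
object_count() {
    printf '%s\n' "$1" | sed -n 's/^Checked \([0-9][0-9]*\) objects.*/\1/p' | head -n 1
}

# Integer percentage growth from $1 to $2, e.g. growth_pct 1000 1100 -> 10.
growth_pct() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( ( $2 - $1 ) * 100 / $1 ))
}

# Return 0 if growth from $1 to $2 is within $3 percent, 1 otherwise.
check_growth() {
    [ "$(growth_pct "$1" "$2")" -le "$3" ]
}

# Run dbcheck once, append the count to the log and compare with the last run.
# dbcheck exits non-zero when it finds errors, so its status is ignored here.
run_once() {
    output=$($DBCHECK_CMD 2>&1) || true
    cur=$(object_count "$output")
    [ -n "$cur" ] || { echo "could not parse object count from dbcheck" >&2; return 2; }
    prev=$(tail -n 1 "$COUNT_LOG" 2>/dev/null | awk '{print $2}')
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cur" >> "$COUNT_LOG"
    [ -n "$prev" ] || return 0   # first run: nothing to compare against
    if ! check_growth "$prev" "$cur" "$GROWTH_LIMIT_PCT"; then
        echo "object count grew from $prev to $cur (> ${GROWTH_LIMIT_PCT}%): check replication" >&2
        return 1
    fi
}

# Only touch a live DC when explicitly asked, e.g. from cron: ./dbcheck-watch.sh --run
if [ "${1:-}" = "--run" ]; then run_once; fi
```

Run it from cron at the interval you already use for dbcheck; a non-zero exit with the "check replication" message is the cue to look at the newest DC before the count doubles.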