[Samba] Azure AD Connect but domain functional level 2012_R2 not yet supported?
lists at merit.unu.edu
Tue Jun 29 09:27:12 UTC 2021
On 6/28/21 7:40 PM, Andrew Martin wrote:
> * how exactly did you setup firewall rules to block other clients? Did this
> cause issues, e.g. with DNS records in AD?
So far so good: no issues. I put the WINDC on a separate subnet to be
able to firewall it. I also did some local firewalling on the WINDC. I
DENY rather than DROP, to avoid having to wait for timeouts.
Not a Windows guru, but perhaps you could also use the concept of
"sites" to separate the WINDC from your local LAN DCs. Perhaps you could
test that, and let us know.
> * when joining the Windows DC to the domain, did you need to do anything to
> tell it to create the 2012_R2 schema? I'm guessing it thought that the AD was
> at 2008_R2 since that's the Functional Level still, so how did you replicate
> the 2012_R2 schema objects to it from the other DCs (or maybe it just worked)?
No, all we did was:
samba-tool domain functionalprep --function-level=2012_R2
samba-tool domain schemaupgrade
This keeps the functional level at 2008_R2.
Then we were able to add a WIN2008R2 DC to the AD domain.
> * any other issues you ran into with turning your pure Samba AD into a hybrid?
Yes, one. We tried to add a more recent (2012R2) windows DC as well.
Never tried 2016 because of warning on the samba wiki. Adding a 2012R2
DC caused problems which I was unable to resolve, namely:
The number of objects reported by samba-tool dbcheck kept increasing
every few minutes. So after a week of just letting it run/replicate with
no client traffic, our total objects had almost doubled. I wrote about
that on the list, but no solution.
After shutting down the 2012R2 DC, the number of objects stopped
increasing. So I decided to continue to use the WIN2008_R2 DC for the
time being. Perhaps in the future I will work on this again. I know we
should not run a WIN2008 DC. (the strict firewalling is also because of
> Asking the list more generally (but also you too if you know), is the
> combination of 2012_R2 for the Schema Level and Functional Prep but 2008_R2 for
> the Functional Level really safe? Moreover, it seems that only 2003 is required
It seems to work here for a couple of weeks now.
> Despite the warning below, is it safe to run "samba-tool domain level raise" if
> you have already made sure that the Schema Level and Functional Prep have been
Would love an answer on that too.
Generally it would be nice to see more dialogue on those kinds of
subjects, like: mixing windows/samba DCs, functional levels, interacting
with azure/O365, etc.
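As an added example (not code from the original thread), a small script that samples the object count reported by samba-tool dbcheck and flags growth between runs, which is the symptom described above while the 2012R2 DC was replicating. The state-file path and alert threshold are assumptions; samba-tool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Samples the "Checked N objects"
# summary of "samba-tool dbcheck" (read-only, no --fix) and alerts when the
# count grows by more than a threshold since the previous sample.
set -u

STATE_FILE="${STATE_FILE:-/var/tmp/dbcheck-objects.last}"   # assumed path
GROWTH_ALERT_PCT="${GROWTH_ALERT_PCT:-5}"                     # assumed threshold

# Extract N from a dbcheck summary line such as "Checked 1234 objects (0 errors)".
parse_checked_count() {
    printf '%s\n' "$1" | sed -n 's/^Checked \([0-9][0-9]*\) objects .*/\1/p' | head -n 1
}

# Integer percentage growth from $1 (previous count) to $2 (current count).
growth_pct() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( ($2 - $1) * 100 / $1 ))
}

# Succeeds (exit 0) when growth from $1 to $2 exceeds GROWTH_ALERT_PCT.
exceeds_threshold() {
    [ "$(growth_pct "$1" "$2")" -gt "$GROWTH_ALERT_PCT" ]
}

# Run dbcheck, compare with the stored sample, store the new one, alert on growth.
sample_and_compare() {
    out="$(samba-tool dbcheck 2>&1)" || true
    count="$(parse_checked_count "$out")"
    [ -n "$count" ] || { echo "could not parse dbcheck output" >&2; return 2; }
    prev="$(cat "$STATE_FILE" 2>/dev/null || echo "$count")"
    printf '%s\n' "$count" > "$STATE_FILE"
    echo "objects: previous=$prev current=$count growth=$(growth_pct "$prev" "$count")%"
    if exceeds_threshold "$prev" "$count"; then
        echo "ALERT: object count grew more than ${GROWTH_ALERT_PCT}% since last sample" >&2
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    samba-tool domain level show   # record domain/forest/DC levels alongside the sample
    sample_and_compare
fi
```

Run it from cron with `--run` on the Samba DC; a steadily rising count with no client traffic is the replication problem the message describes.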