[Samba] doc suggestion / question on adding native win 2012R2 DC
mj
lists at merit.unu.edu
Mon May 17 12:14:29 UTC 2021
Hi,
I am studying the wiki and trying and testing, in order to better
understand the situation on adding native windows DCs to an otherwise
samba managed AD domain.
On the wiki page
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
there is the warning "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD
breaks the AD replication.", with two bug reports linked.
Is that not supposed to say: "Joining a Windows Server 2012 or 2012 R2
DC to a Samba AD WITH FUNCTIONAL LEVEL 2012R2 breaks the AD replication"?
I have just tested this with a samba (4.13.7) AD with functional level
2008_R2 and adding a native windows 2012R2 DC (through a windows 2008R2
DC) seems to have worked out. Our domain functional level is still
2008R2, and the samba AD schema is at version 56, and it seems they are
all replicating to each other.
In the aforementioned bug report
(https://bugzilla.samba.org/show_bug.cgi?id=13619) Andrew Bartlett says:
"Thankfully Windows 2012 can join a down-level domain, just not at FL
2012, provided the schema is updated, which we can do."
I followed https://wiki.samba.org/index.php/AD_Schema_Version_Support to
upgrade the schema, but it seems to have failed:
> root@dc2:~# samba-tool domain schemaupgrade
> Temporarily overriding 'dsdb:schema update allowed' setting
> ERROR: Failed to upgrade schema. Check if 'patch' is installed.
Plus samba-tool dbcheck now throws some errors that are probably related
to the failed schemaupgrade:
> root@dc3:~# samba-tool dbcheck --cross-ncs
> Checking 5813 objects
> ERROR: wrong instanceType 5 on CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
> Not changing instanceType from 5 to 13 on CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
> ERROR: wrong instanceType 5 on CN=Configuration,DC=samba,DC=company,DC=com, should be 13
> Not changing instanceType from 5 to 13 on CN=Configuration,DC=samba,DC=company,DC=com
> ERROR: incorrect DN string component for serverReference in object CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com - <GUID=b6218cf7-3404-4fdc-982f-d58755ce9fea>;<RMD_ADDTIME=132657230530000000>;<RMD_CHANGETIME=132657230530000000>;<RMD_FLAGS=0>;<RMD_INVOCID=30a5c9e9-8a98-4d98-89df-076dc3bd6775>;<RMD_LOCAL_USN=6914362>;<RMD_ORIGINATING_USN=57446>;<RMD_VERSION=1>;<SID=S-1-5-21-90839350-988488634-868425949-135701>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
> Not fixing string component mismatch
> Please use --fix to fix these errors
> Checked 5813 objects (3 errors)
> root@dc3:~#
Feedback on the above dbcheck errors? Just fix them, or do they indicate
something bigger..?
Also: samba-tool ldapcmp works between the native samba DCs, but reports
errors when comparing between samba <-> windows DCs. Perhaps that is
expected?
So, all in all what I tried seems to have worked out fairly well. It
just feels a bit eerie, because of the warnings and specifics on the way.
MJ