[Samba] doc suggestion / question on adding native win 2012R2 DC

Rowland penny rpenny at samba.org
Mon May 17 12:58:27 UTC 2021


On 17/05/2021 13:14, mj via samba wrote:
> Hi,
>
> I am studying the wiki and trying and testing, in order to better 
> understand the situation on adding native windows DCs to an otherwise 
> samba managed AD domain.
>
> On the wiki page
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD 
>
> is warned "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD 
> breaks the AD replication.", with two bug reports linked.
>
> Is that not supposed to say: "Joining a Windows Server 2012 or 2012 R2 
> DC to a Samba AD WITH FUNCTIONAL LEVEL 2012R2 breaks the AD replication"?


Probably now, but not when the note was originally added to the wiki page.

>
> I have just tested this with a samba (4.13.7) AD with functional level 
> 2008_R2 and adding a native windows 2012R2 DC (through a windows 
> 2008R2 DC) seems to have worked out. Our domain functional level is 
> still 2008R2, and the samba AD schema is at version 56, and it seems 
> they are all replicating to each other.


Good to know.

>
> In the aforementioned bug report 
> (https://bugzilla.samba.org/show_bug.cgi?id=13619) Andrew Bartlett 
> says: "Thankfully Windows 2012 can join a down-level domain, just not 
> at FL 2012, provided the schema is updated, which we can do."


That was something that he was seemingly keeping to himself.

>
> I followed https://wiki.samba.org/index.php/AD_Schema_Version_Support 
> to upgrade the schema, but it seems to have failed:
>
>> root at dc2:~# samba-tool domain schemaupgrade
>> Temporarily overriding 'dsdb:schema update allowed' setting
>> ERROR: Failed to upgrade schema. Check if 'patch' is installed.


That could be because the default schema is now 2012R2.

>
> Plus samba-tool dbcheck now throws some errors that are probably 
> related to the failed schemaupgrade:
>
>> root at dc3:~# samba-tool dbcheck --cross-ncs
>> Checking 5813 objects
>> ERROR: wrong instanceType 5 on 
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on 
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: wrong instanceType 5 on 
>> CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on 
>> CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: incorrect DN string component for serverReference in object 
>> CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com 
>> - 
>> <GUID=b6218cf7-3404-4fdc-982f-d58755ce9fea>;<RMD_ADDTIME=132657230530000000>;<RMD_CHANGETIME=132657230530000000>;<RMD_FLAGS=0>;<RMD_INVOCID=30a5c9e9-8a98-4d98-89df-076dc3bd6775>;<RMD_LOCAL_USN=6914362>;<RMD_ORIGINATING_USN=57446>;<RMD_VERSION=1>;<SID=S-1-5-21-90839350-988488634-868425949-135701>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
>> Not fixing string component mismatch
>> Please use --fix to fix these errors
>> Checked 5813 objects (3 errors)
>> root at dc3:~# 
>
> Feedback on the above dbcheck errors? Just fix them, or do they 
> indicate something bigger..?


I would fix them. Then check again.

>
> Also: samba-tool ldapcmp works between the native samba DCs, but 
> reports errors when comparing between samba <-> windows DCs. Perhaps 
> that is expected?


I do not know, I have never tried it, but I think it should work. What are the 
errors you get?


>
> So, all in all what I tried seems to have worked out fairly well. It 
> just feels a bit eerie, because of the warnings and specifics on the way.


Did you make any notes? If so, can I have a (sanitised) copy of them, 
then I can update the wiki page?

Rowland
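The dbcheck output quoted in this thread is the kind of thing an admin ends up eyeballing after a schema upgrade. The following parser, added here as an example and not part of the thread or of Samba itself, turns that text into structured records: it extracts each "wrong instanceType" and "incorrect DN string component" error, checks that the number of parsed errors matches the "(N errors)" summary line, and classifies each affected DN by naming context so you can see at a glance that the reported problems are confined to the schema and configuration partitions rather than the domain NC. The sample text is constructed from the output quoted above (mail-client line wrapping removed); the regexes are written against that output and are an assumption about dbcheck's message format, not an official specification of it.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, rebuilt from the dbcheck output quoted in the thread
# with the mail-client line wrapping removed. Not a live capture.
SAMPLE_DBCHECK_OUTPUT = """\
Checking 5813 objects
ERROR: wrong instanceType 5 on CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
Not changing instanceType from 5 to 13 on CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
ERROR: wrong instanceType 5 on CN=Configuration,DC=samba,DC=company,DC=com, should be 13
Not changing instanceType from 5 to 13 on CN=Configuration,DC=samba,DC=company,DC=com
ERROR: incorrect DN string component for serverReference in object CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com - <GUID=b6218cf7-3404-4fdc-982f-d58755ce9fea>;<RMD_ADDTIME=132657230530000000>;<RMD_CHANGETIME=132657230530000000>;<RMD_FLAGS=0>;<RMD_INVOCID=30a5c9e9-8a98-4d98-89df-076dc3bd6775>;<RMD_LOCAL_USN=6914362>;<RMD_ORIGINATING_USN=57446>;<RMD_VERSION=1>;<SID=S-1-5-21-90839350-988488634-868425949-135701>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
Not fixing string component mismatch
Please use --fix to fix these errors
Checked 5813 objects (3 errors)
"""

# Message patterns as they appear in the quoted output (assumed format).
INSTANCE_TYPE_RE = re.compile(r"^ERROR: wrong instanceType (\d+) on (.+), should be (\d+)$")
DN_COMPONENT_RE = re.compile(
    r"^ERROR: incorrect DN string component for (\S+) in object (.+?) - (.+)$"
)
SUMMARY_RE = re.compile(r"^Checked (\d+) objects \((\d+) errors?\)$")


@dataclass
class DbcheckReport:
    objects_checked: int = 0
    errors_reported: int = 0
    # (kind, affected DN, detail) for every ERROR line that was recognised
    errors: list = field(default_factory=list)

    def counts_by_kind(self):
        return Counter(kind for kind, _, _ in self.errors)

    def consistent(self):
        """True when every error dbcheck counted was also recognised by the parser."""
        return len(self.errors) == self.errors_reported


def parse_dbcheck(text):
    """Parse 'samba-tool dbcheck' output into a DbcheckReport."""
    report = DbcheckReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = INSTANCE_TYPE_RE.match(line)
        if m:
            have, dn, want = m.groups()
            report.errors.append(("instanceType", dn, f"{have}->{want}"))
            continue
        m = DN_COMPONENT_RE.match(line)
        if m:
            attr, dn, _value = m.groups()
            report.errors.append(("dn_string_component", dn, attr))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.objects_checked = int(m.group(1))
            report.errors_reported = int(m.group(2))
    return report


def naming_context(dn, domain_dn="DC=samba,DC=company,DC=com"):
    """Classify a DN as belonging to the schema, configuration or domain NC.

    The schema NC is a child of the configuration NC, so it is tested first.
    """
    schema_nc = f"CN=Schema,CN=Configuration,{domain_dn}"
    config_nc = f"CN=Configuration,{domain_dn}"
    if dn == schema_nc or dn.endswith("," + schema_nc):
        return "schema"
    if dn == config_nc or dn.endswith("," + config_nc):
        return "configuration"
    return "domain"


if __name__ == "__main__":
    report = parse_dbcheck(SAMPLE_DBCHECK_OUTPUT)
    print(f"objects checked: {report.objects_checked}, "
          f"errors: {report.errors_reported}, parser consistent: {report.consistent()}")
    for kind, dn, detail in report.errors:
        print(f"  [{naming_context(dn):13}] {kind:20} {detail:16} {dn}")
```

Feeding the real output in (for example `samba-tool dbcheck --cross-ncs | python3 parse_dbcheck.py`, after swapping the sample for `sys.stdin.read()`) gives a per-partition summary that is easier to compare across DCs than the raw listing, and a `consistent()` of False tells you dbcheck emitted a message type the parser does not yet know about.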