[Samba] doc suggestion / question on adding native win 2012R2 DC
Rowland Penny
rpenny at samba.org
Mon May 17 12:58:27 UTC 2021
On 17/05/2021 13:14, mj via samba wrote:
> Hi,
>
> I am studying the wiki and trying and testing, in order to better
> understand the situation on adding native windows DCs to an otherwise
> samba managed AD domain.
>
> On the wiki page
> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>
> is warned "Joining a Windows Server 2012 or 2012 R2 DC to a Samba AD
> breaks the AD replication.", with two bug reports linked.
>
> Is that not supposed to say: "Joining a Windows Server 2012 or 2012 R2
> DC to a Samba AD WITH FUNCTIONAL LEVEL 2012R2 breaks the AD replication"?
Probably now, but not when the note was originally added to the wiki page.
>
> I have just tested this with a samba (4.13.7) AD with functional level
> 2008_R2 and adding a native windows 2012R2 DC (through a windows
> 2008R2 DC) seems to have worked out. Our domain functional level is
> still 2008R2, and the samba AD schema is at version 56, and it seems
> they are all replicating to each other.
Good to know.
>
> In the aforementioned bug report
> (https://bugzilla.samba.org/show_bug.cgi?id=13619) Andrew Bartlett
> says: "Thankfully Windows 2012 can join a down-level domain, just not
> at FL 2012, provided the schema is updated, which we can do."
That was something that he was seemingly keeping to himself.
>
> I followed https://wiki.samba.org/index.php/AD_Schema_Version_Support
> to upgrade the schema, but it seems to have failed:
>
>> root@dc2:~# samba-tool domain schemaupgrade
>> Temporarily overriding 'dsdb:schema update allowed' setting
>> ERROR: Failed to upgrade schema. Check if 'patch' is installed.
That could be because the default schema is now 2012R2.
>
> Plus samba-tool dbcheck now throws some errors that are probably
> related to the failed schemaupgrade:
>
>> root@dc3:~# samba-tool dbcheck --cross-ncs
>> Checking 5813 objects
>> ERROR: wrong instanceType 5 on
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: wrong instanceType 5 on
>> CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on
>> CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: incorrect DN string component for serverReference in object
>> CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com
>> -
>> <GUID=b6218cf7-3404-4fdc-982f-d58755ce9fea>;<RMD_ADDTIME=132657230530000000>;<RMD_CHANGETIME=132657230530000000>;<RMD_FLAGS=0>;<RMD_INVOCID=30a5c9e9-8a98-4d98-89df-076dc3bd6775>;<RMD_LOCAL_USN=6914362>;<RMD_ORIGINATING_USN=57446>;<RMD_VERSION=1>;<SID=S-1-5-21-90839350-988488634-868425949-135701>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
>> Not fixing string component mismatch
>> Please use --fix to fix these errors
>> Checked 5813 objects (3 errors)
>> root@dc3:~#
>
> Feedback on the above dbcheck errors? Just fix them, or do they
> indicate something bigger..?
I would fix them. Then check again.
>
> Also: samba-tool ldapcmp works between the native samba DCs, but
> reports errors when comparing between samba <-> windows DCs. Perhaps
> that is expected?
I do not know, never tried it, but I think it should work. What are the
errors you get?
>
> So, all in all what I tried seems to have worked out fairly well. It
> just feels a bit eerie, because of the warnings and specifics on the way.
Did you make any notes? If so, can I have a (sanitised) copy of them,
then I can update the wiki page?
Rowland
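
An added example, not part of the thread or of Samba: a small Python parser for `samba-tool dbcheck` output as pasted from mail, which rejoins wrapped lines, lists each error with its object DN, and compares a run before `--fix` with the re-check afterwards. The function names, the `AFTER` sample and the `PLACEHOLDER` value are assumptions made for the illustration.

```python
import re
# Constructed sample: the dbcheck run quoted in the thread, mail wrapping kept,
# with the long extended-DN value replaced by a placeholder.
BEFORE = """\
>> Checking 5813 objects
>> ERROR: wrong instanceType 5 on
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on
>> CN=Schema,CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: wrong instanceType 5 on
>> CN=Configuration,DC=samba,DC=company,DC=com, should be 13
>> Not changing instanceType from 5 to 13 on
>> CN=Configuration,DC=samba,DC=company,DC=com
>> ERROR: incorrect DN string component for serverReference in object
>> CN=WIN-R0ILVLOBVN9,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samba,DC=company,DC=com
>> -
>> <GUID=PLACEHOLDER>;CN=WIN-R0ILVLOBVN9,CN=Computers,DC=samba,DC=company,DC=com
>> Not fixing string component mismatch
>> Please use --fix to fix these errors
>> Checked 5813 objects (3 errors)
"""
# Constructed: what a clean re-check would look like (not output from the thread).
AFTER = "Checking 5813 objects\nChecked 5813 objects (0 errors)\n"

STARTS = ("ERROR:", "Not ", "Please ", "Checking ", "Checked ")
DN_RE = re.compile(r"\b(?:CN|OU|DC)=[^,;\s]+(?:,(?:CN|OU|DC)=[^,;\s]+)*")  # assumes no spaces in RDN values

def parse_dbcheck(text):
    """Return (errors, reported): errors is [(message, dn)], reported is the summary count."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()   # drop mail quote markers
        if line.startswith(STARTS) or not records:
            records.append(line)
        else:
            records[-1] += " " + line                    # rejoin a wrapped line
    errors, reported = [], None
    for rec in records:
        if rec.startswith("ERROR:"):
            m = DN_RE.search(rec)                        # first DN is the object at fault
            end = m.start() if m else None
            errors.append((rec[len("ERROR:"):end].strip(), m.group(0) if m else None))
        elif (s := re.match(r"Checked \d+ objects \((\d+) errors\)", rec)):
            reported = int(s.group(1))
    return errors, reported

def still_failing(before, after):
    """DNs that error in both runs, i.e. objects that --fix did not repair."""
    return {dn for _, dn in parse_dbcheck(before)[0]} & {dn for _, dn in parse_dbcheck(after)[0]}
```

A mismatch between `len(errors)` and `reported` means the paste was truncated or the wrapping was not rejoined correctly, so the comparison should not be trusted.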