[Samba] adding windows DC to samba AD

mj lists at merit.unu.edu
Thu May 27 19:43:00 UTC 2021



On 5/11/21 11:25 AM, mj via samba wrote:
> Hence the question: Is it possible at all to add a current (not EOL-ed) 
> version of windows as a DC in a samba AD on level 2008_R2 ?

Replying to my own question, with some anecdotal evidence.

For the record:
  Forest function level: (Windows) 2008 R2
  Domain function level: (Windows) 2008 R2
  Lowest function level of a DC: (Windows) 2008 R2

and with these commands run successfully:
  samba-tool domain functionalprep --function-level=2012_R2
and
  samba-tool domain schemaupgrade --schema=2012_R2

I cloned my production (pure samba 4.13.7) domain, then first added a 
win2008R2 DC, and then a win2016 server as an additional *DC* to it.

After adding the win2016 DC, the functional level is still 2008R2, and:

Replication seems to work: as a quick test I added a user on the win2016 
DC, and it showed up on the samba DC. Samba (drs showrepl) reports no 
replication errors.

samba-tool ldapcmp does not work between windows and samba DCs. I have 
asked here about it, and got no replies. So I am not sure if that is supposed 
to work or not. I would appreciate it if anyone with mixed windows/samba DCs 
could try it and report their ldapcmp findings.

The only issue is that dbcheck reports 1432 of these errors:

> Not fixing nTSecurityDescriptor on CN=user0,OU=disabled,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=860c3173,CN=Operations,CN=DomainUpdates,CN=System,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=user1,CN=Users,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=user2,CN=Users,DC=samdom,DC=company,DC=com

--fix does not actually fix them, even when run with --fix multiple times,

even though the log shows:

> DSDB Change [Modify] at [Thu, 27 May 2021 21:35:05.832214 CEST] status [Success]

I'm pretty sure they started after adding the 2016 DC. Not sure if these 
errors are serious?

More logs if anyone is interested.

MJ

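Since the post quotes only four of the 1432 "Not fixing nTSecurityDescriptor on ..." lines, it is hard to tell whether they cluster under one container or cover every object. The script below is an added example, not code from the post or from the Samba project: it reads captured samba-tool dbcheck output, splits each reported DN (honouring backslash-escaped commas) and counts the complaints per attribute and per parent container. The sample output lines are constructed for this example, modelled on the ones quoted above; the "Checking"/"Checked" filler lines are placeholders and are ignored by the parser.

```python
"""Triage helper for captured 'samba-tool dbcheck' output.

Added example (not from the mailing-list post or the Samba project): it
reads lines such as

    Not fixing nTSecurityDescriptor on CN=user1,CN=Users,DC=samdom,DC=company,DC=com

and groups them by the attribute named and by the parent container of the
object's DN, so an admin can see whether the complaints cluster in one OU.
"""
import re
from collections import Counter

# Matches the "Not fixing <attribute> on <DN>" lines quoted in the post; an
# optional leading ">" lets the quoted form from the mail be pasted as-is.
NOT_FIXING_RE = re.compile(r"^\s*>?\s*Not fixing (\S+) on (.+?)\s*$")


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (e.g. 'CN=Doe\\, John')."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts


def parent_container(dn):
    """Return the DN of the object's parent (everything after the first RDN)."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else ""


def triage(lines):
    """Count 'Not fixing' complaints per attribute and per parent container.

    Returns (by_attribute, by_container, total); the first two are Counters.
    """
    by_attribute = Counter()
    by_container = Counter()
    total = 0
    for line in lines:
        m = NOT_FIXING_RE.match(line)
        if not m:
            continue  # ignore unrelated dbcheck chatter
        attribute, dn = m.group(1), m.group(2)
        by_attribute[attribute] += 1
        by_container[parent_container(dn)] += 1
        total += 1
    return by_attribute, by_container, total


# Constructed sample output, modelled on the lines quoted in the post.
SAMPLE_OUTPUT = """\
Checking 2345 objects
Not fixing nTSecurityDescriptor on CN=user0,OU=disabled,DC=samdom,DC=company,DC=com
Not fixing nTSecurityDescriptor on CN=860c3173,CN=Operations,CN=DomainUpdates,CN=System,DC=samdom,DC=company,DC=com
Not fixing nTSecurityDescriptor on CN=user1,CN=Users,DC=samdom,DC=company,DC=com
Not fixing nTSecurityDescriptor on CN=user2,CN=Users,DC=samdom,DC=company,DC=com
Not fixing nTSecurityDescriptor on CN=Doe\\, John,CN=Users,DC=samdom,DC=company,DC=com
Checked 2345 objects (5 errors)
"""

if __name__ == "__main__":
    by_attr, by_cont, n = triage(SAMPLE_OUTPUT.splitlines())
    print(f"{n} objects not fixed")
    for attr, count in by_attr.most_common():
        print(f"  attribute {attr}: {count}")
    for container, count in by_cont.most_common():
        print(f"  under {container}: {count}")
```

To run it against a real check, capture the output once (for example `samba-tool dbcheck > dbcheck.txt`) and pass `open("dbcheck.txt")` to `triage()`; a count that matches the object count under one container points at a container-wide inheritance problem, while a spread across every container looks more like a domain-wide change.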