[Samba] adding windows DC to samba AD
mj
lists at merit.unu.edu
Thu May 27 19:43:00 UTC 2021
On 5/11/21 11:25 AM, mj via samba wrote:
> Hence the question: Is it possible at all to add a current (not EOL-ed)
> version of windows as a DC in a samba AD on level 2008_R2 ?
Replying to my own question, with some anecdotal evidence.
For the record:
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
and with these commands run successfully:
samba-tool domain functionalprep --function-level=2012_R2
and
samba-tool domain schemaupgrade --schema=2012_R2
I cloned my production (pure samba 4.13.7) domain, then first I added a
win2008R2 DC, and then a win2016 server as an additional *DC* to it.
After adding the win2016 DC, the functional level is still 2008R2, and:
Replication seems to work: as a quick test I added a user on the win2016
DC, and it showed up on the samba DC. Samba (drs showrepl) reports no
replication errors.
samba-tool ldapcmp does not work between windows and samba DCs. I have
asked here about it, and got no replies. So not sure if that is supposed
to work or not. I would appreciate anyone with mixed windows/samba DCs
to try and report their ldapcmp findings.
The only issue is that dbcheck reports 1432 of these errors:
> Not fixing nTSecurityDescriptor on CN=user0,OU=disabled,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=860c3173,CN=Operations,CN=DomainUpdates,CN=System,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=user1,CN=Users,DC=samdom,DC=company,DC=com
> Not fixing nTSecurityDescriptor on CN=user2,CN=Users,DC=samdom,DC=company,DC=com
--fix does not actually fix them, even when --fix is run multiple times,
even though DSDB Change [Modify] at [Thu, 27 May 2021 21:35:05.832214
CEST] status [Success]
I'm pretty sure they started after adding the 2016 DC. Not sure if these
errors are serious..?
More logs if anyone is interested.
MJ