[Samba] Status of Samba 4 DC or RODC with Exchange

me at tdiehl.org me at tdiehl.org
Wed Sep 8 19:43:51 UTC 2021


On Tue, 7 Sep 2021, Earl Tom via samba wrote:

> I was looking at the Samba wiki, and I want to clarify my understanding of
> what should work and what is not likely to work.
>
> As a background - we are considering putting a microserver at every remote
> work location that would run a VM of Samba as DC and a VM of Samba as file
> server.
>
> We have some Samba domain member file servers already, and they work great
> so I'm not worried about them.  All of our DCs have been Windows, though.
> Also, we run Exchange so the AD schema has been extended with the Exchange
> schema.

>From my experience migrating a windows domain that was previously extended for
Exchange I would say don't do samba DC's with Exchange. Even current samba
versions (4.14.7) dbcheck will throw warnings and errors related to Exchange
and NT Security descriptors.

Things like the following:

WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com - B:32:354B603D92D95541AAFD8C0AE688EA0F:<GUID=2abe3da2-8944-4e50-98e8-1f08dfb3c3e2>;<SID=S-1-5-21-619667644-1604242038-736796184-1620>;CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=example,DC=com
and
Not fixing nTSecurityDescriptor on CN=4c93ad42-178a-4275-8600-16811d28f3aa,CN=Operations,CN=DomainUpdates,CN=System,DC=example,DC=com

To be clear this is a small domain 25 or so users but dbcheck shows 308 errors
every time it is run. I simply ignore them given that the domain works and dbcheck
will fix other errors as it is supposed to.

In addition, I have had numerous permission issues that I spent large amounts
of time with adsiedit trying to fix just to get things working.

Honestly if I had it to do over again I would have never migrated the domain.
The domain is small enough that I would have rebuilt it since in our case we no
longer run on prem Exchange.

The domain works as far as the users can tell but...

Also keep in mind that Samba DC's still do not replicate the sysvol. That is
something else you would need to setup between the windows and samba DC's.

> In any case, any advice would be greatly appreciated.

Good luck!!

Regards,

-- 
Tom			me at tdiehl.org



More information about the samba mailing list