NethServer 7 as additional Domain Controller in existing Windows 2016 AD

Good day guys,

I hope all is well on your side.

We are looking at implementing Samba4 on NethServer 7 to function as a (secondary) domain controller in an existing Active Directory environment that is currently managed by a single Windows Server 2016 server.

Aside from fairly easily addressed sysvol replication challenges: looking at the official Samba documentation, it seems that nothing higher than a Domain/Forest Functional Level of 2008 R2 is supported if Samba4 is to function as a Domain Controller in an existing (Windows Server controlled) Active Directory environment?
The information available seems to indicate that the reason for this is changes within the Windows Server Kerberos services that are possibly not available within MIT or Heimdal Kerberos?

Has anyone within the community had experience with this?

References:
https://wiki.samba.org/index.php/Raising_the_Functional_Levels
https://groups.google.com/forum/#!topic/linux.samba/kAbGkR4CGLg
https://docs.microsoft.com/cs-cz/windows-server/identity/ad-ds/active-directory-functional-levels

I would be most grateful for any guidance and feedback, if possible please.

Many thanks!

This is a good question… I’ll read the links above!

Meanwhile: did you already ask the Samba user mailing list? They are surely aware of such a limitation, if it exists.

Thank you for your response David.

**Meanwhile: did you already ask the Samba user mailing list? They are surely aware of such a limitation, if it exists.**
I haven’t contacted the Samba user list and I could be wrong but I felt that the information online pretty much confirmed the limitation. To be safe, I’ll go ahead and pose the question to the list members anyway.
A really long shot here but does NethServer include any custom Samba patches, that possibly address this issue?

No, and I wouldn’t like it! It’s a “vanilla” Samba compilation. Build logs are available here:

Releases · NethServer/ns-samba · GitHub

Yes, now I have read it, and this answer is pretty clear: https://groups.google.com/d/msg/linux.samba/kAbGkR4CGLg/CQdlfPsYDgAJ

However, it is almost two years old: things could hopefully have evolved since then…

From the link you gave, the domain functional level supported by Samba 4 is 2012_R2 for Samba 4.4 and later.
So if you use the AD functional level of Windows Server 2016, you have to downgrade your domain/forest functional level: https://blogs.technet.microsoft.com/canitpro/2016/01/20/step-by-step-downgrading-a-windows-server-domain-and-forest-functional-level/

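As an added example (not code from the thread or from NethServer), the PowerShell below shows what a practitioner would run on the existing Windows Server 2016 DC before attempting the downgrade linked above: read the current forest and domain functional levels, read the same values as the raw `msDS-Behavior-Version` attributes that Samba's `samba-tool domain level show` reports, and check the one condition that blocks lowering a 2016 forest. It assumes the RSAT ActiveDirectory module is installed and that the account has Enterprise Admin rights; the actual `Set-AD*Mode` calls are left commented out so nothing is changed by accident.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and an Enterprise Admin account on the existing Windows 2016 DC.
Import-Module ActiveDirectory

# 1. Current functional levels as the AD cmdlets report them.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode: $($forest.ForestMode)"
"Domain mode: $($domain.DomainMode)"

# 2. The same levels as raw msDS-Behavior-Version values, which is what Samba
#    reads (3 = 2008, 4 = 2008 R2, 5 = 2012, 6 = 2012 R2, 7 = 2016).
$rootDse = Get-ADRootDSE
Get-ADObject -Identity $rootDse.defaultNamingContext -Properties 'msDS-Behavior-Version' |
    Select-Object DistinguishedName, 'msDS-Behavior-Version'          # domain level
Get-ADObject -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" -Properties 'msDS-Behavior-Version' |
    Select-Object DistinguishedName, 'msDS-Behavior-Version'          # forest level

# 3. A 2016 forest can only be lowered if the Privileged Access Management
#    optional feature has never been enabled: once enabled it cannot be disabled.
$pam = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management*"'
if ($pam -and $pam.EnabledScopes.Count -gt 0) {
    throw 'The PAM optional feature is enabled; the forest functional level cannot be lowered.'
}

# 4. Lower the forest level first, then the domain level, one step at a time.
#    Uncomment only after the checks above pass and after a verified system-state
#    backup of the DC. Lowering does not touch objects, but it is a directory-wide
#    change that every future DC (Windows or Samba) will inherit.
# Set-ADForestMode -Identity $forest -ForestMode Windows2012R2Forest -Confirm:$false
# Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
# Set-ADDomainMode -Identity $domain -DomainMode Windows2012R2Domain -Confirm:$false
# Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$false

# 5. Re-read the levels to confirm what a Samba DC would see when it joins.
"Forest mode now: $((Get-ADForest).ForestMode)"
"Domain mode now: $((Get-ADDomain).DomainMode)"
```

The target of 2008 R2 is the level the Samba wiki's footnote marks as fully supported; 2012 and 2012 R2 exist in `samba-tool domain level raise` only "for use against Windows". Lowering the level does not restrict which Windows DCs can run, so the 2016 DC keeps working; it only withdraws the newer Kerberos features that Samba does not implement.
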
Thank you David.

Yes - also hoping that things have evolved a bit in the two years.

There’s been no responses to my Samba list post. Let’s see if anyone responds in the coming days.

Thank you Rob.

I appreciate your response.

Please see the footnote from that URL:

  • Functional level is included for use against Windows, but not supported in Samba. Kerberos improvements from Windows Server 2012 and 2012 R2 are not implemented in Samba.

I understand that this possibly means that Samba 4.4 or newer can join a Windows-controlled AD environment, but possibly not as a DC?
The early part of the discussion at the following URL seems to validate this?
http://samba.2283325.n4.nabble.com/Compatibility-with-Windows-Server-2012-R2-td4704760.html

The following URL provides some additional information, but I am not sure whether it offers any further clarification:
https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD

I’ll wait on responses to my Samba email list post, but at this point it seems that 2008 R2 is the highest level supported if Samba4 is to be involved in DC replication?

I overlooked the footnotes… :frowning:
Please keep us posted on responses from the Samba mailing list.