Windows 2022 joined to Samba 4.20

I joined Windows Server 2022 to Samba 4.20. For those who are familiar with Samba-based Active Directory, you might be a little surprised. Historically this would not have been possible, as Samba AD is only at a 2008 functional level. However, starting with Samba 4.19 there is a new smb.conf option called ad dc functional level. I set this to 2012_R2, as Samba mostly meets the 2012_R2 functional level anyway. After I did this I was able to join a Windows Server 2022. (I had to increase the domain and forest functional level with samba-tool.)

When you join the server, make sure you do the additional setup. Here is some documentation: Adding a Windows AD to your Samba Active Directory domain — Samba-AD 4.19 documentation

I am going to assume that you have already set up DNS and joined the controller to the domain. After you have joined it you need to force-enable the sysvol. Run this:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SysvolReady" -Value "1"
Next, force-activate the time sync. This is the most important step, so do not skip it. Run:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "Type" -Value "NTP"

After that, set up the replication with the Robocopy workaround.

I just want to make a note that Samba 4.20 is too new to be deployed in production. Furthermore, the 2012_R2 functional level is not as well tested as the 2008 functional level. If you are deploying Samba AD, stick with the well-tested one.
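As an added example (my own script, not the original poster's and not taken from the Samba documentation), here are the two registry settings from the first post, a verification step, and the one-way Robocopy sysvol copy, in a single PowerShell script. The Samba sysvol share path and the local SYSVOL path are placeholders you must adjust, and the Robocopy switches are my choice rather than anything the post or the Samba docs prescribe.

```powershell
# Added example: post-join setup for a Windows DC in a Samba AD domain.
# Run elevated on the Windows DC after it has joined the domain.
# Assumptions: the UNC path and local path below are placeholders.
param(
    [string]$SambaSysvol = '\\samba-dc.example.lan\sysvol',   # assumption: placeholder share
    [string]$LocalSysvol = 'C:\Windows\SYSVOL\sysvol',        # assumption: default local path
    [switch]$DryRun                                           # list-only Robocopy run
)

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$w32time  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

# Step 1 (from the post): mark sysvol as ready so Netlogon publishes the share.
Set-ItemProperty -Path $netlogon -Name 'SysvolReady' -Value 1 -Type DWord

# Step 2 (from the post): Type=NTP makes w32time use its configured NTP peers
# instead of the domain hierarchy (NT5DS), which a Samba DC does not serve
# the way a Windows PDC emulator would.
Set-ItemProperty -Path $w32time -Name 'Type' -Value 'NTP' -Type String

# Verify both values were written before touching any services.
$ready = (Get-ItemProperty -Path $netlogon -Name 'SysvolReady').SysvolReady
$type  = (Get-ItemProperty -Path $w32time  -Name 'Type').Type
if ($ready -ne 1 -or $type -ne 'NTP') {
    throw "Registry verification failed: SysvolReady=$ready Type=$type"
}

# Restart the affected services and show the time-source status so clock
# drift (which breaks Kerberos) is caught now rather than later.
Restart-Service -Name Netlogon -Force
Restart-Service -Name w32time -Force
w32tm /resync /nowait
w32tm /query /status

# Step 3 (from the post): one-way Robocopy of sysvol from the Samba DC.
# /MIR deletes destination files missing from the source, so review a
# -DryRun (/L) listing first. Exit codes 8 and above mean a real failure.
$rcArgs = @($SambaSysvol, $LocalSysvol, '/MIR', '/COPYALL', '/R:2', '/W:5',
            '/LOG+:C:\sysvol-robocopy.log')
if ($DryRun) { $rcArgs += '/L' }
& robocopy @rcArgs
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failure (exit code $LASTEXITCODE); see C:\sysvol-robocopy.log"
}
```

Run it once with -DryRun to see what Robocopy would mirror, then without. Setting Type to NTP alone does not change the peer list; point w32time at the same upstream source the Samba DC uses (w32tm /config /manualpeerlist) so both DCs agree on the time, and schedule the Robocopy step (Task Scheduler) if you want the sysvol copy to stay current, since Samba does not replicate sysvol to a Windows DC on its own.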

Ugg! The highest functional level is 2016 and I’m guessing it will increase with the Server 2025 version when it arrives (just a guess). There are some improvements going up to this level, but I can’t remember exactly what was better when I got my domain up to it; I was at the 2008r2 level for a long time.

It’s funny that you bring this up. I don’t remember Zentyal saying anything about setting the functional level down to 2008r2 when it joins an existing Windows DC as another DC member; are they doing something different? I haven’t tried setting it up, but I’ve read a little bit on it, as I like to keep certain things as backup knowledge for the next time Microsoft really gives us the shaft! An open source KMS host would be really sweet, but I guess I can run that on an extra Windows workstation if I really need to.

Maybe if I get time I’ll have to build a Zentyal DC in my lab that works with my 2022 eval and see what happens. I’ve been meaning to do this, but never seem to get enough time.

To be honest with you I have never trusted Zentyal server or anything similar due to security concerns. These server distros are easy to use and come with a full desktop but because everything is integrated you do not see as much of the internals. This means there could be massive security holes and you would not know anything was wrong. On Samba it is technically possible to make it lie about its functional level. However, this is a very bad idea for both security and reliability reasons.

As far as functional levels go, I don’t really see an issue with the 2008 functional level. As long as you make sure to harden the setup and disable insecure protocols you should not have an issue. In fact, Samba states that it is NIST 800-171 compliant so you should be fine using it from a security perspective.

The reason I am using the 2012 R2 functional level in my test environment is just for experimentation and fun. I am also looking into writing a setup script for Samba that automatically sets up rsync. I am really interested in how Linux can fit into an AD setup.

And your interest in creating an AD system on anything but Windows could pay off in the near future for all we know. MS could really make life difficult if you aren’t Azure (or whatever it is called now).

Group Policy is the only real issue: you’ll need a Windows machine running the RSAT tools to gain access to GPOs, but the global catalog should handle storing the policies once they are set (so says Zentyal).


Honestly, as long as Samba AD exists Microsoft should be worried. People could spin up domain controllers on site and in the cloud with minimal overhead. The very existence of good alternatives benefits all of us.

As far as the Windows RSAT tools go, I do not think it is a good idea to admin Windows policies from non-Windows devices. If you are suggesting that we should build RSAT alternatives for Windows and other platforms, then I have some good news for you. The next part of this project is to create FOSS alternatives to Microsoft tools. I am going to write a Python script that sets up Samba and joins it to a domain or optionally creates it from scratch. I am also going to work on automating replication setup. On the Windows side I am going to create a PowerShell script that joins a DC to Samba and sets up Robocopy replication and time settings.

This is a long term project that I am working on in my spare time.

RSAT must run on a Windows client; Microsoft is probably fearful of bringing out a Linux version, probably because a whole lot of people want it, and then I could switch to Linux on the little computer at my desk that was built mostly just for running things like RSAT. It’s terribly underpowered and I need to put a thin Linux OS on it that only needs a web browser, remote desktop, and RSAT. I hate to build something powerful enough to run Win11 just for those features, but I might need to do this.

I use Linux at home, so for anything that only works in Windows I run a VM just for that.

I am still running operational level 2008 R2 as it’s been working fine, and I am currently in a hybrid setup with Azure and on-prem ADs. I am working on moving everything to Azure and getting rid of the on-prem servers. This isn’t my choice, but it’s the direction that Microsoft is heading towards anyway.

My Linux servers at work will remain on-prem, as I like to keep control over my stuff.

So are you just moving your domain controllers to the cloud?

It seems like the average company these days moves everything to the cloud and then realizes it’s expensive, so they do the hybrid approach.

Theoretically you could set up a Samba AD controller on site and then tie it into Azure. You could do this with a WireGuard uplink, or you could have a Windows Server on-prem and then use the Azure tools. The important thing to note is that the traditional Samba AD with the 2008_R2 functional level is not compatible with anything newer than a 2012 server. That is why I’m testing the higher functional level, as it is compatible with 2022.

If you have anything you want me to test, let me know, as I’m trying to find stability issues. (Theoretically; it doesn’t say that in the docs.)

I would love to raise the operational level higher than 2008 R2, but we also have an old Exchange 2010 SP3 on-prem which we’re in the process of decommissioning. All the users are using Exchange Online, but we are keeping the on-prem Exchange due to currently being in a hybrid environment. I don’t allow OWA access to the 2010 Exchange as I can’t patch it anymore.

Once the on-prem Exchange is gone I can raise the forest level.

I would get rid of your Exchange server today. It is an incredibly bad idea to have something that old in production.

It will sting, but chances are it is already compromised. You really should eliminate it right now. It will cause an outage, but you could do it overnight to try to minimize downtime.

As far as Linux goes, the closest equivalent to Exchange is Proxmox mail server. I’ve never used it, but if you need to keep your mail server on-prem it might work.

As far as Azure goes, it should be a relatively simple migration, as Microsoft would love to have your business.

It sounds like you have your work cut out for you. I don’t normally tell people what to do at their job, but in this case it sounds like feet are being dragged. Running EOL software should never happen in well-managed IT departments. At some point you need to get aggressive.

I’m sorry if this comment feels like a slap in the face.

Just stand up a 2016 Exchange server, run the hybrid wizard on it and then remove the 2010. You get a free 2016/2019 hybrid license, so the only cost is your Windows Server licensing, which you probably already have. Then just stand up a 2019 when the 2010 is gone, then remove the 2016.

We use Easy 365 Manager on our on-prem DCs in place of Exchange, hybrid with Azure and Exchange Online; works a treat.