Joining Zentyal 3.5 to Windows 2003 SBS Domain

[javanet]

When I try to join my Zentyal Server to my existing Microsoft 2003 SBS Domain I get the following error in the usual pink box:



Some modules reported error when saving changes . More information on the logs in /var/log/zentyal/

The forest functional level must be Windows Server 2003 or higher. Please raise your forest functional level. The forest functional level must be Windows Server 2003 or higher. Please raise your forest functional level. at The forest functional level must be Windows Server 2003 or higher. Please raise your forest functional level. at /usr/share/perl5/EBox/Samba/Provision.pm line 872 EBox::Samba::Provision::checkFunctionalLevels('EBox::Samba::Provision=HASH(0x70cb2d8)', 10.0.0.2) called at /usr/share/perl5/EBox/Samba/Provision.pm line 1250 EBox::Samba::Provision::provisionADC('EBox::Samba::Provision=HASH(0x70cb2d8)') called at /usr/share/perl5/EBox/Samba/Provision.pm line 374 EBox::Samba::Provision::provision('EBox::Samba::Provision=HASH(0x70cb2d8)') called at /usr/share/perl5/EBox/Samba.pm line 830 EBox::Samba::_setConfInternal('EBox::Samba=HASH(0x58d7ae0)', undef) called at /usr/share/perl5/EBox/Samba.pm line 788 EBox::Samba::_setConf('EBox::Samba=HASH(0x58d7ae0)') called at /usr/share/perl5/EBox/Module/Base.pm line 994 EBox::Module::Base::_regenConfig('EBox::Samba=HASH(0x58d7ae0)') called at /usr/share/perl5/EBox/Module/Service.pm line 972 EBox::Module::Service::_regenConfig('EBox::Samba=HASH(0x58d7ae0)') called at /usr/share/perl5/EBox/Samba.pm line 766 EBox::Samba::_regenConfig('EBox::Samba=HASH(0x58d7ae0)') called at /usr/share/perl5/EBox/Module/Base.pm line 234 eval {...} at /usr/share/perl5/EBox/Module/Base.pm line 233 EBox::Module::Base::save('EBox::Samba=HASH(0x58d7ae0)') called at /usr/share/perl5/EBox/GlobalImpl.pm line 651 eval {...} at /usr/share/perl5/EBox/GlobalImpl.pm line 650 EBox::GlobalImpl::saveAllModules('EBox::GlobalImpl=HASH(0x427b550)', 'progress', 'EBox::ProgressIndicator=HASH(0x1c9c938)') called at /usr/share/perl5/EBox/Global.pm line 95 EBox::Global::AUTOLOAD('EBox::Global=HASH(0x42a34a0)', 'progress', 'EBox::ProgressIndicator=HASH(0x1c9c938)') called at /usr/share/zentyal/global-action line 32 eval {...} at /usr/share/zentyal/global-action line 30

I've included as many of the .pm files that I can post on a single post.

Will post a second article with the Global.pm and Globalllmpl.pm

It's a mystery that I can't join the existing domain as it tells me my forsest has to be at 2003 level, well I'm running 2003 Small Business Server?

Thanks for any assistance, trying to migrate an existing server that is being decommisioned due to bankruptcy, but want to archive their e-mail so they can still communicate with creditors, customers, etc during the proceedings.

Thanks for any help!

Tom

I've

[javanet]

Here are the two additional .pm files that someone might need to look at to provide me with any assistance?

Thanks Heaps in advance for anyone that has run into this issue before.

If need be I can create a new domain and just dump e-mail manually, but would rather have some integration to import users, etc.

Kind Regards,

Mr. Thomas

[caltec]

Your domain could be running at a windows 2000 functional level (Mine was). Go into "Active Directory Domains and Trusts" right click on your domain and choose "Raise Domain Functional Level".

There are some losses that occur going from 2000 -> 2003 but they are explained in a warning dialog if I remember correctly.

Hope this helps

[javanet]

Yeah, that is the first think I checked.

I think it might have had something to do with not having fully configured my DNS.

Making  a new domain anyway with Zentyal as PDC, so far all is going well with exception of OpenChange conflict with Samba module.  Just going to use built in UNIX mail for now until they come up with a fix from OpenSource community.

Thank You,

Mr. Thomas

[caltec]

What is the samba openchange issue???

[StuartNaylor]

Code: [Select]

sub checkFunctionalLevels
{
    my ($self, $adServerIp) = @_;

    EBox::info("Checking forest and domain functional levels...");
    my $adLdap = new Net::LDAP($adServerIp);
    my $rootDse = $adLdap->root_dse(attrs => $self->rootDseAttributes());
    my $forestLevel = $rootDse->get_value('forestFunctionality');
    unless ($forestLevel >= 2) {
        throw EBox::Exceptions::External(
            __('The forest functional level must be Windows Server 2003 ' .
               'or higher. Please raise your forest functional level.'));
    }
    my $domainLevel = $rootDse->get_value('domainFunctionality');
    unless ($domainLevel >= 2) {
        throw EBox::Exceptions::External(
            __('The domain functional level must be Windows Server 2003 ' .
               'or higher. Please raise your domain functional level.'));
    }
}


domainFunctionality >= 2

http://directory.apache.org/studio/


My zentyal Root DSE

Code: [Select]

supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1341
dnsHostName: zent1.office.zentyal.lan
serverName: CN=ZENT1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
 guration,DC=office,DC=zentyal,DC=lan
configurationNamingContext: CN=Configuration,DC=office,DC=zentyal,DC=lan
currentTime: 20140714024110.0Z
defaultNamingContext: DC=office,DC=zentyal,DC=lan
domainControllerFunctionality: 4
domainFunctionality: 2
dsServiceName: CN=NTDS Settings,CN=ZENT1,CN=Servers,CN=Default-First-Site-Na
 me,CN=Sites,CN=Configuration,DC=office,DC=zentyal,DC=lan
forestFunctionality: 2
highestCommittedUSN: 4410
isGlobalCatalogReady: TRUE
isSynchronized: TRUE
ldapServiceName: office.zentyal.lan:zent1$@OFFICE.ZENTYAL.LAN
namingContexts: CN=Configuration,DC=office,DC=zentyal,DC=lan
namingContexts: CN=Schema,CN=Configuration,DC=office,DC=zentyal,DC=lan
namingContexts: DC=DomainDnsZones,DC=office,DC=zentyal,DC=lan
namingContexts: DC=ForestDnsZones,DC=office,DC=zentyal,DC=lan
namingContexts: DC=office,DC=zentyal,DC=lan
rootDomainNamingContext: DC=office,DC=zentyal,DC=lan
schemaNamingContext: CN=Schema,CN=Configuration,DC=office,DC=zentyal,DC=lan
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=office,DC=zent
 yal,DC=lan
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.800
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
vendorName: Samba Team (http://samba.org)
vendorVersion: 4.1.7-Zentyal

[chmuri]

We have the same issue. After we rise the AD and forest level we have error called The domain schema does not meet RFC 2307. You will need to upgrade to Windows Server 2003 R2 or greater. But we have 2003 sbs:/ Its there a way do add secondary AD in 2003 sbs?

[robb]

Correct me if I am wrong here, but I always thought you could only have 1 DC (the SBS server) when you use MS SBS. You can have more servers, but not more DC's

[StuartNaylor]

I thought the same robb and someone corrected me on the forum.

SBS has to be the PDC but you can have ADC's as well as guests.

For some reason I was certain like you that it was just a singular DC but it was an official M$ page saying it was myth.

Its a strange one as if you do a samba-tool domain level show then it says 2003.

Lowest function level of a DC: (Windows) 2008 R2?

Problem is if you add rfc2703 then only 2003r2 supported it so really the domain level should report this.

Its a samba4 thing and not zentyal really.

Code: [Select]

root@zent1:~# samba-tool domain level show
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
ldb_wrap open of secrets.ldb
Domain and forest function level for domain 'DC=office,DC=zentyal,DC=lan'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

I just wonder if the checks that zentyal make should be there and let the provision decide?
http://technet.microsoft.com/library/understanding-active-directory-functional-levels%28v=WS.10%29.aspx

This is just wild guess work and some barking and howling.

http://www.microsoft.com/en-gb/download/details.aspx?id=274
Windows Services for UNIX Version 3.5 install on 2003?

[robb]

You are right. I took the liberty to get the details:
http://blogs.technet.com/b/sbs/archive/2007/10/04/debunking-the-myth-about-additional-domain-controllers-replica-dcs-in-an-sbs-domain.aspx

Most important detail (and the one that probably causes the confusion):
- There can only be 1 SBS server in the domain

There can be more servers, and even more domain controllers.

[StuartNaylor]

I haven't tried any of this but the links look pretty solid from a read.

http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/

Now it looks like it wasn't so mad to suggest using SFU (Services for Linux) http://www.microsoft.com/en-gb/download/details.aspx?id=274

http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

The last two articles are fairly old and just included for a bit of reference.

If samba4 is joining as an ADC then from 2000 to 2008r2 it should be able to.

If you provision Samba with RFC2307 its going to use the 2008r2 schema which is a bit of a gotcha.

The only difference in terms of a functional AD between 2003 and 2003r2 is RFC2307 which doesn't really matter as that forces 2008r2.

Lol confused.com

The short story might be because Zentyal uses RFC2307 then it is only 2008r2 and above compatible.

?

samba4 can join 2000/2003/2008 but the code of zentyal uses rfc2307 specifics so maybe this aint true of Zentyal.

[caltec]

"The short story might be because Zentyal uses RFC2307 then it is only 2008r2 and above compatible."

If this is the case then doesn't it defeat the whole purpose of Zentyal as such which is to be a replacement for SBS 2003. If you can not successfully join Zentyal to an SBS 2003 domain and then migrate email then it would not really be a replacement but more of an alternative to.

[StuartNaylor]

I think Robb is reply about ADC's being allowed into SBS domain.

Its just samba-tool that is confusing me at the moment.

It keeps reporting Lowest function level of a DC: (Windows) 2008 R2

With 3.5 and I don't know why?

Haven't done enough checking I was wondering what others have found.

?

samba4 can join 2000/2003/2008 but the code of zentyal uses rfc2307 specifics so maybe this aint true of Zentyal.

Going to run up some vm's and see, but if anybody has any results why samba-tool is reporting Lowest function level of a DC: (Windows) 2008 R2

I admit I am a bit confused about this and it might just be an incorrect display message.

If samba4 is going to be an ADC then it will inherit the schema from the master on first replication.

I think code wise some of the rfc2307 stuff is used by zentyal and this will cause problems.

http://www.microsoft.com/en-gb/download/details.aspx?id=274
Windows Services for UNIX Version 3.5 install on 2003?

So your PDC needs to have the schema added and the above should do it.

When Zentyal is the PDC then the first replication will be from and not to Zentyal so all should be OK.

The other way round is more problematic but adding Windows Services for UNIX Version 3.5 should solve that.

I don't know what schema Openchange and other items are using so maybe someone at Zentyal can say.

The important thing is that any existing PDC should have the schema classes and attributes added.

So its more a matter of at the moment a few schema problems could hinder Zentyal as an ADC

Then there is a non zentyal matter of samba-tool always saying Lowest function level of a DC: (Windows) 2008 R2

[puma]

Hello,

I installed the Windows Services for UNIX Version 3.5 on my SBS 2003 R2 and rebooted the server as requested but i keep having the  the same error  "The domain schema does not meet RFC 2307" from Zentyal 3.5. do i have do any extra step to solve this?

Tank you in advance

[theyguy]

Same problem here, installed SFU on an SBS server, and it is still asking for RFC 2307. The default samba install does not require it but does Zentyal? That is, is it possible to disable the check for RFC 2307 and not break any other modules?