0

I'm busy migrating my Active Directory to a Linux server (CentOS 7) running SerNet's enterprise Samba packages (Version 4.1.14-SerNet-RedHat-9.el7).

The Domain Controller seems to be working well for all authentication, except Exchange. The Information Store starts, then hangs on "Starting".

The event log shows the following warning:

Process STORE.EXE (PID=3100). The domain controller pdc.*.*.*is running 
Windows (Unknown Operating System) (Unknown Service Pack). 
Exchange Active Directory Provider requires that domain controllers are running 
Windows Server 2003 Service Pack 1 or later versions of Windows.

How can I configure Samba to trick Exchange into thinking this server meets its requirements?

P.S. I'm running Exchange 2010

Richard C
  • I don't believe you can because Exchange relies on a lot of Active Directory things that Sernet won't provide properly. I really advise against this. – Nathan C Dec 10 '14 at 20:36
  • There are some times where "near enough" just isn't good enough. This is one of those times. – Rob Moir Dec 10 '14 at 20:52
  • The SAMBA [project status page](https://wiki.samba.org/index.php/Samba/Status) shows Exchange support as being in development, noting it is "very much a work in progress" - although the [page history](https://wiki.samba.org/index.php?title=Samba/Status&action=history) suggests that line hasn't been updated in 2 years. – Adam Thompson Dec 11 '14 at 00:06

3 Answers

1

Have you tried to "Raise domain functional level"?

By default, samba4 looks like "Windows Server 2003".

0

To just fake a Windows Operating System signature, find the computer account of your samba DC. In a properly configured Directory you would find this at OU=Domain Controllers,DC=mydomain,DC=myforest,DC=mytld. Edit the following attributes:

  • operatingSystem
  • operatingSystemServicePack
  • operatingSystemServicePackLevel

You are going to run into further trouble when the Exchange prep tools start probing into what OS level your infrastructure is really running on.

According to the Active Directory Technical Specification, this information is stored on the nTDSDSA object that represents the Directory Service Agent on each DC, in the Configuration NC.

The attribute in question is msDS-Behavior-Version, and the docs provide a list of possible values and the corresponding OS levels.

I really don't believe this is feasible, but if you want to try, you'll probably have to emulate Windows behavior in a number of other places as well.

The msDS-Behavior-Version attribute is used to store the Forest Functional Level on the forest crossRefContainer (found in CN=Partitions,CN=Configurations,DC=myforest,DC=tld) and the Domain Functional Level on the Domain NC root object of each domain.

There are some constraints as to which versions can coexist:

  • The Domain Functional Level of each domain cannot exceed that of the "oldest" DC in that domain
  • The Forest Functional Level cannot exceed that of the "oldest" Domain

To get a better understanding of what Exchange is "expecting", you might want to read through this chapter about special objects and behaviors in an Active Directory forest.

Mathias R. Jessen
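Added example, not part of the answer above or of Samba: a Python check of the two functional-level constraints the answer lists, run over an LDIF export of the nTDSDSA objects, the domain NC root and the Partitions container. The DNs and values in the sample are constructed, and it assumes the export includes each DC's msDS-HasDomainNCs attribute so a DC can be matched to its domain.

```python
# Added example: audit msDS-Behavior-Version ordering; sample LDIF is constructed.
# Simplified LDIF reader: blank-line separated entries, no folding or base64.
SAMPLE_LDIF = """\
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=myforest,DC=tld
objectClass: nTDSDSA
msDS-HasDomainNCs: DC=myforest,DC=tld
msDS-Behavior-Version: 4

dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=myforest,DC=tld
objectClass: nTDSDSA
msDS-HasDomainNCs: DC=myforest,DC=tld
msDS-Behavior-Version: 2

dn: DC=myforest,DC=tld
objectClass: domainDNS
msDS-Behavior-Version: 3

dn: CN=Partitions,CN=Configuration,DC=myforest,DC=tld
objectClass: crossRefContainer
msDS-Behavior-Version: 2
"""

def parse_ldif(text):
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for key, _, value in (l.partition(": ") for l in block.splitlines()):
            entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    # Returns violations of: domain <= oldest DC in it, forest <= oldest domain.
    oldest_dc, domains, forest, problems = {}, {}, None, []
    for e in entries:
        level = int(e.get("msds-behavior-version", ["0"])[0])  # absent means 0
        classes = {c.lower() for c in e["objectclass"]}
        if "ntdsdsa" in classes:
            dom = e["msds-hasdomainncs"][0].lower()
            oldest_dc[dom] = min(level, oldest_dc.get(dom, level))
        elif "domaindns" in classes:
            domains[e["dn"][0].lower()] = level
        elif "crossrefcontainer" in classes:
            forest = level
    for dom, level in domains.items():
        if level > oldest_dc.get(dom, level):
            problems.append(f"domain {dom}: level {level} exceeds oldest DC level {oldest_dc[dom]}")
    if forest is not None and domains and forest > min(domains.values()):
        problems.append(f"forest level {forest} exceeds oldest domain level {min(domains.values())}")
    return problems
```

In the documented value list, 2 corresponds to Windows Server 2003, 3 to Windows Server 2008 and 4 to Windows Server 2008 R2. Calling `audit(parse_ldif(SAMPLE_LDIF))` on the sample reports the domain at level 3 while DC2 is still at level 2.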
0

Exchange does lots of checks. One very specific check is looking at the Schema version (i.e.: in the Schema partition). Out of interest, what's the rationale behind moving to Samba-based DCs?

Simon Catlin