Bug 1484683

Summary: [RFE] Support Windows Server 2016 Domain/Forest Functional Levels
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: unspecified
Version: 7.5
CC: abokovoy, distortedbsd, enewland, ndehadra, pasik, pvoborni, rcritten, tscherf
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.4-10.el7
Doc Type: Enhancement
Doc Text:
Windows Server 2016 forest and domain functional levels now supported for trust

When using Identity Management, you can now establish a supported forest trust to Active Directory forests that run at the Windows Server 2016 forest and domain functional levels.
Story Points: ---
Clone Of:
: 1485952
Environment:
Last Closed: 2018-03-26 14:44:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1485952

Description Martin Kosek 2017-08-24 06:47:31 UTC
Description of problem:
IdM Server currently supports Windows 2016, but only with maximum Windows 2012 R2 Forest/Domain Functional Level:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-during.html#platforms-trust

"""
* You can establish a trust relationship with the following Active Directory functional levels:
  * Forest functional level range: Windows Server 2008 - Windows Server 2012 R2
  * Domain functional level range: Windows Server 2008 - Windows Server 2012 R2
* The following operating systems are explicitly supported and tested for establishing a trust using the mentioned functional levels:
  * Windows Server 2012 R2
  * Windows Server 2016
"""

Related level description documentation:
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

This RFE is to add support for Windows Server 2016 Forest/Domain Functional Levels:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/windows-server-2016-functional-levels

The primary goal is IdM-AD Trust functionality. The secondary (optional) goal is Winsync agreement functionality.

Comment 4 Martin Kosek 2017-09-08 12:05:55 UTC
This work requires switching to the use of Kerberos when establishing trust, as this will help us work with SMB1-disabled Windows Server 2016:

https://pagure.io/freeipa/issue/4960

Linked to this Bugzilla.

Comment 7 Petr Vobornik 2018-03-26 14:07:45 UTC
Based on Alexander's comment, unlinking Pagure issue 4960 (Use Kerberos to establish trust) because it is, strictly speaking, unrelated.

Comment 8 Martin Kosek 2018-03-26 14:44:29 UTC
The RFE was tested in RHEL-7.5 with Windows Server 2016; there should not be anything preventing it from working. Unfortunately, it was not added to the RHEL-7.5 IPA errata, so the bug stayed in NEW state. As we can no longer add the bug to errata cleanly, I am manually switching the bug to CLOSED.