Bug 1484683 - [RFE] Support Windows Server 2016 Domain/Forest Functional Levels
[RFE] Support Windows Server 2016 Domain/Forest Functional Levels
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.5
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
ipa-qe
Aneta Šteflová Petrová
: FutureFeature
Depends On:
Blocks: 1485952
  Show dependency treegraph
 
Reported: 2017-08-24 02:47 EDT by Martin Kosek
Modified: 2018-05-30 08:53 EDT (History)
8 users (show)

See Also:
Fixed In Version: ipa-4.5.4-10.el7
Doc Type: Enhancement
Doc Text:
Windows Server 2016 forest and domain functional levels now supported for trust When using Identity Management, you can now establish a supported forest trust to Active Directory forests that run at the Windows Server 2016 forest and domain functional levels.
Story Points: ---
Clone Of:
: 1485952 (view as bug list)
Environment:
Last Closed: 2018-03-26 10:44:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Kosek 2017-08-24 02:47:31 EDT
Description of problem:
IdM Server currently supports Windows 2016, but only with maximum Windows 2012 R2 Forest/Domain Functional Level:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-during.html#platforms-trust

"""
* You can establish a trust relationship with the following Active Directory functional levels:
  * Forest functional level range: Windows Server 2008 - Windows Server 2012 R2
Domain functional level range: Windows Server 2008 - Windows Server 2012 R2
* The following operating systems are explicitly supported and tested for establishing a trust using the mentioned functional levels:
  * Windows Server 2012 R2
  * Windows Server 2016
⁠"""

Related level description documentation:
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

This RFE is to add a support of Windows Server 2016 Forest/Domain Functional Levels:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/windows-server-2016-functional-levels

The primary goal is IdM-AD Trust functionality. Secondary (optional) goal is Winsync agreement functionality.
Comment 4 Martin Kosek 2017-09-08 08:05:55 EDT
This work requires switching to use of Kerberos when establishing trust as this will help us working with SMB1-disabled Windows Server 2016:

https://pagure.io/freeipa/issue/4960

Linked to this Bugzilla.
Comment 7 Petr Vobornik 2018-03-26 10:07:45 EDT
Based on Alexander's comment, unlining Pagure issue 4960 (Use Kerberos to establish trust) because it is strictly speaking unrelated.
Comment 8 Martin Kosek 2018-03-26 10:44:29 EDT
The RFE was tested in RHEL-7.5 with Windows Server 2016, there should not be anything preventing it from working. Unfortunately, it was not added to the RHEL-7.5 IPA errata, so the bug stayed in NEW state. As we can no longer add the bug to errata cleanly, I am manually switching the bug to CLOSED.

Note You need to log in before you can comment on or make changes to this bug.