Bug 1484683 - [RFE] Support Windows Server 2016 Domain/Forest Functional Levels
Summary: [RFE] Support Windows Server 2016 Domain/Forest Functional Levels
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa   
(Show other bugs)
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks: 1485952
TreeView+ depends on / blocked
 
Reported: 2017-08-24 06:47 UTC by Martin Kosek
Modified: 2018-05-30 12:53 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.4-10.el7
Doc Type: Enhancement
Doc Text:
Windows Server 2016 forest and domain functional levels now supported for trust When using Identity Management, you can now establish a supported forest trust to Active Directory forests that run at the Windows Server 2016 forest and domain functional levels.
Story Points: ---
Clone Of:
: 1485952 (view as bug list)
Environment:
Last Closed: 2018-03-26 14:44:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Martin Kosek 2017-08-24 06:47:31 UTC
Description of problem:
IdM Server currently supports Windows 2016, but only with maximum Windows 2012 R2 Forest/Domain Functional Level:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-during.html#platforms-trust

"""
* You can establish a trust relationship with the following Active Directory functional levels:
  * Forest functional level range: Windows Server 2008 - Windows Server 2012 R2
Domain functional level range: Windows Server 2008 - Windows Server 2012 R2
* The following operating systems are explicitly supported and tested for establishing a trust using the mentioned functional levels:
  * Windows Server 2012 R2
  * Windows Server 2016
⁠"""

Related level description documentation:
https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

This RFE is to add a support of Windows Server 2016 Forest/Domain Functional Levels:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/windows-server-2016-functional-levels

The primary goal is IdM-AD Trust functionality. Secondary (optional) goal is Winsync agreement functionality.

Comment 4 Martin Kosek 2017-09-08 12:05:55 UTC
This work requires switching to use of Kerberos when establishing trust as this will help us working with SMB1-disabled Windows Server 2016:

https://pagure.io/freeipa/issue/4960

Linked to this Bugzilla.

Comment 7 Petr Vobornik 2018-03-26 14:07:45 UTC
Based on Alexander's comment, unlining Pagure issue 4960 (Use Kerberos to establish trust) because it is strictly speaking unrelated.

Comment 8 Martin Kosek 2018-03-26 14:44:29 UTC
The RFE was tested in RHEL-7.5 with Windows Server 2016, there should not be anything preventing it from working. Unfortunately, it was not added to the RHEL-7.5 IPA errata, so the bug stayed in NEW state. As we can no longer add the bug to errata cleanly, I am manually switching the bug to CLOSED.


Note You need to log in before you can comment on or make changes to this bug.