Windows 2000 domain level
Matthieu Patou
mat at samba.org
Sun Mar 9 14:49:44 MDT 2014
Have a look at
samba-tool domain level raise --help
It might work; we don't support the 2k forest level too well.
Matthieu
On 03/09/2014 01:03 AM, gulikoza wrote:
> Hello,
>
> I'm starting with samba4 so please excuse me if I ask something
> obvious, but I'll try not to bother everyone with n00b questions :-)
>
> I'm trying to replace a failed W2K8 AD server with samba4. The server
> has been temporarily made available in a virtual environment so a simple
> join samba/transfer roles/demote plan is made. Why this is posted to a
> technical list follows...
>
> I have found out that the domain and forest are actually windows 2000
> level (must have been migrated from some previous server without
> raising the levels). Now here is what makes it interesting. I could
> not raise forest/domain level either from samba or w2k8.
>
> samba-tool domain level show and raise showed the error:
>
> ERROR: Could not retrieve the actual domain, forest level and/or
> lowest DC function level!
> File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 865, in run
> min_level_dc = int(res_dc_s[0]["msDS-Behavior-Version"][0]) # Init
> value
>
> After checking with ADSI Edit, the samba4 entry in the Configuration
> NTDS had msDS-Behavior-Version <not set>. I was searching for how to force
> the samba4 reported DC level, as the w2k8 raise was failing with the same
> problem ("The following Active Directory Domain Controllers are
> running earlier versions of windows..."). At this point I also updated
> to the latest version 4.1.5 (I'm using Centos6, tried samba4 4.0.1 compiled
> from SoGo, but then rebuilt the RPM with 4.1.5). For some reason samba
> did not set msDS-Behavior-Version. I couldn't modify the entry with
> ADSI ("Illegal modify operation"). That's problem no. 1 - it seems as
> if samba4 does not correctly set the DC reported level when joined to a
> windows 2000 domain.
>
> I tried demoting samba4 and raising the level when W2k8 would be the
> only AD controller. The demote failed with:
>
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <00002028:
> LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on
> integrity checking if SSL\TLS are not already active on the
> connection, data 0, v1772> <>
>
> I could not find the option to tell samba-tool to sign LDAP
> requests or use TLS (I did set "client ldap sasl wrapping = sign" in
> smb.conf as a last resort, but this probably does not influence
> samba-tool).
>
> I ended up deleting everything from samba and doing metadata cleanup.
> Just for the test, I re-joined the domain with version 4.1.5 cleanly
> and it showed the same problems (domain level show not working,
> msDS-Behavior-Version <not set>). I repeated clean/delete procedure
> and raised the domain level to windows 2003. After joining samba4, the
> msDS-Behavior-Version of samba4 server is now set to 4. Domain level
> show works and correctly shows 2003 domain level. Raising the level to
> 2008 would probably work now, but I wanted to work in steps.
>
> I started with all of this because the samba4 DNS did not want to
> resolve its hostname for some reason. When I wanted to switch to
> BIND, it said that the domain level is too low (I hadn't even noticed
> that before). It could resolve other hosts and DNS forwarding worked,
> but its own hostname could not be resolved (and yes, the W2k8 server
> was resolving the samba hostname and showing it in the zone). With the
> current 2003 level domain, samba resolves its hostname correctly and
> the DNS console from w2k8 shows the DNS zones on samba4.
>
> All this shows certain problems with windows 2000 level forest/domain.
> As much as this is probably outdated and the focus of development is
> on newer features, there are probably a lot of setups where domains
> were migrated from older hardware without raising the levels. A
> warning would be nice before joining samba4, that certain features
> would not work as it would save the admin a lot of time debugging and
> demoting/re-joining samba4 because the level cannot be raised. Ideally
> of course, it should be possible to raise the level of windows 2000
> domain with samba4 joined as DC.
>
> Regards,
> gulikoza
>
--
Matthieu Patou
Samba Team
http://samba.org
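The crash quoted in the thread comes from samba-tool indexing msDS-Behavior-Version on a DC's NTDS Settings object without first checking that the attribute exists. The following pre-flight check is an added example written for this page, not samba-tool's own code; it assumes search results shaped as dicts of attribute name to list of values, constructed inline, and uses the documented functional-level numbers for msDS-Behavior-Version.

```python
# Added example (not samba-tool code): a tolerant version of the check that
# "samba-tool domain level raise" performs, reporting DCs whose NTDS Settings
# object has msDS-Behavior-Version <not set> instead of crashing on
# int(res_dc_s[0]["msDS-Behavior-Version"][0]).

# Functional-level numbers stored in msDS-Behavior-Version (documented attribute
# values; the mapping is an assumption of this example, not from the thread).
LEVEL_NAMES = {0: "2000", 1: "2003 interim", 2: "2003", 3: "2008",
               4: "2008 R2", 5: "2012", 6: "2012 R2", 7: "2016"}


def ntds_dn(server):
    """Constructed NTDS Settings DN for a server in a sample domain (assumption)."""
    return ("CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,"
            "CN=Sites,CN=Configuration,DC=example,DC=com" % server)


def dc_levels(ntds_entries):
    """Split NTDS Settings entries into {dn: level} and a list of DNs where
    msDS-Behavior-Version is absent (the '<not set>' case from the thread)."""
    levels, missing = {}, []
    for entry in ntds_entries:
        values = entry.get("msDS-Behavior-Version") or []
        if not values:
            missing.append(entry["dn"])
        else:
            levels[entry["dn"]] = int(values[0])
    return levels, missing


def raise_check(current_level, target_level, ntds_entries):
    """Return (ok, reason). ok is True only when every DC reports a level and
    none of them is below the requested target."""
    levels, missing = dc_levels(ntds_entries)
    if missing:
        return False, "msDS-Behavior-Version not set on: " + ", ".join(missing)
    if target_level <= current_level:
        return False, "domain is already at level %s" % LEVEL_NAMES.get(current_level)
    too_low = [dn for dn, lvl in levels.items() if lvl < target_level]
    if too_low:
        return False, "DCs below %s: %s" % (LEVEL_NAMES.get(target_level), ", ".join(too_low))
    return True, "lowest DC level is %s" % LEVEL_NAMES[min(levels.values())]


# Constructed sample results mirroring the thread: the W2K8 DC reports 2008,
# the freshly joined samba4 DC has the attribute unset, then set to 4 later.
SAMPLE_BROKEN = [{"dn": ntds_dn("W2K8"), "msDS-Behavior-Version": ["3"]},
                 {"dn": ntds_dn("SAMBA4")}]
SAMPLE_FIXED = [{"dn": ntds_dn("W2K8"), "msDS-Behavior-Version": ["3"]},
                {"dn": ntds_dn("SAMBA4"), "msDS-Behavior-Version": ["4"]}]

if __name__ == "__main__":
    for sample in (SAMPLE_BROKEN, SAMPLE_FIXED):
        print(raise_check(0, 2, sample))  # raise from 2000 to 2003
```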