Windows 2000 domain level

gulikoza gulikoza at
Sun Mar 9 03:03:40 MDT 2014


I'm starting with samba4, so please excuse me if I ask something obvious,
but I'll try not to bother everyone with n00b questions :-)

I'm trying to replace a failed W2K8 AD server with samba4. The server has
been temporarily made available in a virtual environment, so a simple join
samba/transfer roles/demote plan was made. Why this is posted to a
technical list follows...

I have found out that the domain and forest are actually at Windows 2000
level (they must have been migrated from some previous server without
raising the levels). Now here is what makes it interesting. I could not
raise the forest/domain level either from samba or from w2k8.

samba-tool domain level show and raise showed the error:

ERROR: Could not retrieve the actual domain, forest level and/or lowest DC  
function level!
   File "/usr/lib64/python2.6/site-packages/samba/netcmd/", line  
865, in run
     min_level_dc = int(res_dc_s[0]["msDS-Behavior-Version"][0]) # Init  

After checking with ADSI Edit, the samba4 entry in the Configuration NTDS
had msDS-Behavior-Version <not set>. I was searching for a way to force the
DC level reported by samba4, as the w2k8 raise was failing with the same
problem ("The following Active Directory Domain Controllers are running
earlier versions of Windows..."). At this point I also updated to the
latest version, 4.1.5 (I'm using CentOS 6; I tried the samba4 4.0.1 build
from SOGo, but then rebuilt the RPM with 4.1.5). For some reason samba did
not set msDS-Behavior-Version. I couldn't modify the entry with ADSI
("Illegal modify operation"). That's problem no. 1 - it seems as if samba4
does not correctly set the reported DC level when joined to a Windows 2000
domain.

I tried demoting samba4 and raising the level while W2k8 would be the only
AD controller. The demote failed with:

Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -  <00002028:  
LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on  
integrity checking if SSL\TLS are not already active on the connection,  
data 0, v1772> <>

I could not find the option to tell samba-tool to sign LDAP requests or use
TLS (I did set "client ldap sasl wrapping = sign" in smb.conf as a last
resort, but this probably does not influence

I ended up deleting everything from samba and doing a metadata cleanup. Just
for the test, I re-joined the domain cleanly with version 4.1.5 and it
showed the same problems (domain level show not working,
msDS-Behavior-Version <not set>). I repeated the clean/delete procedure and
raised the domain level to Windows 2003. After joining samba4, the
msDS-Behavior-Version of the samba4 server is now set to 4. Domain level
show works and correctly shows the 2003 domain level. Raising the level to
2008 would probably work now, but I wanted to work in steps.

I started with all of this because the samba4 DNS did not want to resolve
its own hostname for some reason. When I wanted to switch to BIND, it said
that the domain level is too low (I hadn't even noticed that before). It
could resolve other hosts and DNS forwarding worked, but its own hostname
could not be resolved (and yes, the W2k8 server was resolving the samba
hostname and showing it in the zone). With the current 2003-level domain,
samba resolves its hostname correctly and the DNS console from w2k8 shows
the DNS zones on samba4.

All this shows certain problems with a Windows 2000 level forest/domain. As
much as this is probably outdated and the focus of development is on newer
features, there are probably a lot of setups where domains were migrated
from older hardware without raising the levels. A warning before joining
samba4 that certain features would not work would be nice, as it would save
the admin a lot of time debugging and demoting/re-joining samba4 because
the level cannot be raised. Ideally of course, it should be possible to
raise the level of a Windows 2000 domain with samba4 joined as


More information about the samba-technical mailing list
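The traceback in the post comes from samba-tool reading msDS-Behavior-Version off each DC's NTDS Settings object and taking the minimum; when one DC has the attribute unset, that lookup fails before any level is printed, and a Windows "raise" refuses for the same reason. The script below, written for this page and not part of samba-tool or Samba, reproduces that computation offline from LDIF text so the failure mode can be seen and handled explicitly: it classifies the domain NC, the Partitions container and the nTDSDSA objects, reports a DC whose attribute is missing as "<not set>" instead of crashing, and applies the raise rule (every DC must report at least the target level). The LDIF entries, the DC names W2K8 and SAMBA and the domain example.com are constructed placeholders mirroring the situation described in the post; the level-to-name table is Microsoft's documented msDS-Behavior-Version mapping.

```python
"""Added example: derive domain/forest/DC functional levels from LDIF.

Not samba-tool's code. It mirrors what 'samba-tool domain level show'
computes from msDS-Behavior-Version, but treats a DC whose attribute is
missing (the '<not set>' case from the post) as a reported condition
instead of letting the lookup fail.
"""
import re

# Documented msDS-Behavior-Version values.
LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}


def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, '#' lines are skipped.
    Returns a list of dicts mapping attribute -> list of string values."""
    entries, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if cur and not line:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def dc_name(dn):
    """'CN=NTDS Settings,CN=SAMBA,CN=Servers,...' -> 'SAMBA'."""
    m = re.match(r"CN=NTDS Settings,CN=([^,]+),", dn, re.I)
    return m.group(1) if m else dn


def level_name(level):
    return "<not set>" if level is None else LEVELS.get(level, "unknown (%d)" % level)


def functional_levels(ldif_text):
    """Return domain level, forest level, per-DC levels, DCs missing the
    attribute, and the lowest level among DCs that do report one."""
    domain = forest = None
    dcs = {}
    for e in parse_ldif(ldif_text):
        dn = e.get("dn", [""])[0]
        classes = [v.lower() for v in e.get("objectClass", [])]
        raw = e.get("msDS-Behavior-Version")
        level = int(raw[0]) if raw else None
        if "ntdsdsa" in classes:
            dcs[dc_name(dn)] = level
        elif "crossrefcontainer" in classes:      # CN=Partitions -> forest level
            forest = level
        elif "domaindns" in classes:              # domain NC head -> domain level
            domain = level
    known = [lvl for lvl in dcs.values() if lvl is not None]
    return {
        "domain": domain,
        "forest": forest,
        "dcs": dcs,
        "missing": sorted(n for n, lvl in dcs.items() if lvl is None),
        "min_dc": min(known) if known else None,
    }


def can_raise_domain(summary, target):
    """Raise rule: the attribute must be present on every DC, the level may
    not go down, and every DC must report at least the target level."""
    if summary["missing"]:
        return False, "DCs without msDS-Behavior-Version: " + ", ".join(summary["missing"])
    if target < (summary["domain"] or 0):
        return False, "domain level cannot be lowered"
    low = sorted(n for n, lvl in summary["dcs"].items() if lvl < target)
    if low:
        return False, "DCs below %s: %s" % (LEVELS[target], ", ".join(low))
    return True, "ok"


# Constructed sample (not real directory data): 2000-level domain, a W2K8 DC
# at level 3 and a freshly joined Samba DC whose attribute is unset.
SAMPLE_BEFORE = """\
dn: DC=example,DC=com
objectClass: domainDNS
msDS-Behavior-Version: 0

dn: CN=Partitions,CN=Configuration,DC=example,DC=com
objectClass: crossRefContainer
msDS-Behavior-Version: 0

dn: CN=NTDS Settings,CN=W2K8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
msDS-Behavior-Version: 3

dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
"""

# Constructed sample after the fix in the post: 2003-level domain, Samba
# rejoined and reporting 4 (2008 R2).
SAMPLE_AFTER = SAMPLE_BEFORE.replace("msDS-Behavior-Version: 0", "msDS-Behavior-Version: 2") \
    .rstrip("\n") + "\nmsDS-Behavior-Version: 4\n"

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        s = functional_levels(text)
        print("[%s] domain=%s forest=%s" % (label, level_name(s["domain"]), level_name(s["forest"])))
        for name, lvl in sorted(s["dcs"].items()):
            print("  DC %-6s %s" % (name, level_name(lvl)))
        print("  raise to 2003:", can_raise_domain(s, 2))
```

Running it shows the two states from the post side by side: in the "before" data the Samba DC is listed as "<not set>" and the raise to 2003 is refused because of that DC, not because of any reported level; in the "after" data both DCs report a level and the raise is allowed. The same classification (domainDNS, crossRefContainer, nTDSDSA) is what you would query with ldbsearch or ADSI Edit when checking a real forest before joining a Samba DC.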