Windows 2000 domain level

Matthieu Patou mat at
Sun Mar 9 14:49:44 MDT 2014

Have a look at

samba-tool domain level raise --help

It might work, we don't support too well 2k Forest level.


On 03/09/2014 01:03 AM, gulikoza wrote:
> Hello,
> I'm starting with samba4 so please excuse me if I ask something 
> obvious, but I'll try not to bother everyone with n00b questions :-)
> I'm trying to replace a failed W2K8 AD server with samba4. The server 
> has been temporary made available in virtual environment so a simple 
> join samba/transfer roles/demote plan is made. Why this is posted to a 
> technical list, follows...
> I have found out that the domain and forest are actually windows 2000 
> level (must have been migrated from some previous server without 
> raising the levels). Now here is what makes it interesting. I could 
> not raise forest/domain level either from samba or w2k8.
> samba-tool domain level show and raise, showed error:
> ERROR: Could not retrieve the actual domain, forest level and/or 
> lowest DC function level!
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/", 
> line 865, in run
>     min_level_dc = int(res_dc_s[0]["msDS-Behavior-Version"][0]) # Init 
> value
> After checking with ADSI Edit, the samba4 entry in the Configuration 
> NTDS had msDS-Behavior-Version <not set>. I was searching how to force 
> samba4 reported dc level as w2k8 raise was failing with the same 
> problem ("The following Active Directory Domain Controllers are 
> running earlier versions of windows..."). At this point I also updated 
> to latest version 4.1.5 (I'm using Centos6, tried samba4 4.0.1 compile 
> from SoGo, but then rebuilt the RPM with 4.1.5). For some reason samba 
> did not set msDS-Behavior-Version. I couldn't modify the entry with 
> ADSI ("Illegal modify operation"). That's problem no. 1 - it seems as 
> if samba4 does not correctly set DC reported level when joined to a 
> windows 2000 domain.
> I tried demoting samba4 and raising the level when W2k8 would be the 
> only AD controller. The demote failed with:
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <00002028: 
> LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on 
> integrity checking if SSL\TLS are not already active on the 
> connection, data 0, v1772> <>
> I could not find the option how to specify samba-tool to sign ldap 
> requests or use tls (I did set "client ldap sasl wrapping = sign" to 
> smb.conf as a last resort, but this probably does not influence 
> samba-tool).
> I ended up deleting everything from samba and doing metadata cleanup. 
> Just for the test, I re-joined the domain with version 4.1.5 cleanly 
> and it showed the same problems (domain level show not working, 
> msDS-Behavior-Version <not set>). I repeated clean/delete procedure 
> and raised the domain level to windows 2003. After joining samba4, the 
> msDS-Behavior-Version of samba4 server is now set to 4. Domain level 
> show works and correctly shows 2003 domain level. Raising the level to 
> 2008 would probably work now, but I wanted to work in steps.
> I started with all of this because the samba4 dns did not want to 
> resolve it's hostname for some reason. When I wanted to switch to 
> BIND, it said that domain level is too low (I haven't even noticed 
> that before). It could resolve other hosts and dns forwarding worked, 
> but it's own hostname could not be resolved (and yes, the W2k8 server 
> was resolving samba hostname and showing it in the zone). With the 
> current 2003 level domain, samba resolves it's hostname correctly and 
> dns console from w2k8 shows the dns zones on samba4.
> All this shows certain problems with windows 2000 level forest/domain. 
> As much as this is probably outdated and the focus of development is 
> on newer features, there are probably a lot of setups where domains 
> were migrated from older hardware without raising the levels. A 
> warning would be nice before joining samba4, that certain features 
> would not work as it would save the admin a lot of time debugging and 
> demoting/re-joining samba4 because the level cannot be raised. Ideally 
> of course, it should be possible to raise the level of windows 2000 
> domain with samba4 joined as DC.
> Regards,
> gulikoza

Matthieu Patou
Samba Team

More information about the samba-technical mailing list