Windows 2000 domain level
gulikoza
gulikoza at users.sourceforge.net
Mon Mar 10 04:37:39 MDT 2014
On Sun, 09 Mar 2014 22:18:37 +0100, gulikoza
<gulikoza at users.sourceforge.net> wrote:
> The problem is that it is impossible to move from windows 2000 and use
> samba to raise the domain level after w2k dc is retired as
> msDS-Behavior-Version is incorrectly (not) set. This seems like a bug to
> me. If you already have a higher dc, domain level needs to be raised
> before samba4 is joined as DC.
The commit that changed (introduced) this behavior is:
https://git.samba.org/?p=ab/samba-autobuild/.git;a=commitdiff;h=e59bf5efb5cf23ff21f2a2ac7dff8d211070a916
s4-join: modify join behaviour according to domain level
The code only sets msDS-Behavior-Version attribute if domain level >=
samba.dsdb.DS_DOMAIN_FUNCTION_2003.
Some references I found state that msDS-Behavior-Version not set is equal
to being set to 0. If this is the case, then:
- samba-tool domain level show should not bomb out with exception error
if msDS-Behavior-Version is not set, see also:
https://lists.samba.org/archive/samba/2014-January/178019.html
- if having msDS-Behavior-Version not set (or alternatively set to 0) is
desired functionality at windows 2000 level, then there should be some
path of upgrading samba reported DC level in order to be able to raise the
domain level:
Commit
https://git.samba.org/?p=ab/samba-autobuild/.git;a=commitdiff;h=162975a6f3369566dd36c28b5b6328f07b5aa605
sets msDS-Behavior-Version to DS_DOMAIN_FUNCTION_2008_R2 for all domains
>= DS_DOMAIN_FUNCTION_2003; for domains at WINDOWS 2000 level, the
msDS-Behavior-Version is not set at all.
To be able to raise domain level, samba should not be the lowest reported
DC level as it can clearly support higher level domains. Unfortunately,
there seems to be a lot of cases where the domain level was never raised.
Regards,
gulikoza
More information about the samba-technical
mailing list