Windows 2000 domain level

Matthias Dieter Wallnöfer mdw at
Fri Mar 14 12:42:14 MDT 2014

Hi gulikoza,

you are right, we have an error in our domain raise implementation.
Could you please have a look at this patch:;a=commitdiff;h=c250548b6f749c3de3b59d3b5e8a6b6093a84476

Matthias Wallnöfer

gulikoza schrieb:
> On Sun, 09 Mar 2014 22:18:37 +0100, gulikoza
> <gulikoza at> wrote:
>> The problem is that it is impossible to move from windows 2000 and use
>> samba to raise the domain level after w2k dc is retired as
>> msDS-Behavior-Version is incorrectly (not) set. This seems like a bug
>> to me. If you already have a higher dc, domain level needs to be
>> raised before samba4 is joined as DC.
> The commit that changed (introduced) this behavior is:
> s4-join: modify join behaviour according to domain level
> The code only sets msDS-Behavior-Version attribute if domain level >=
> samba.dsdb.DS_DOMAIN_FUNCTION_2003.
> Some references I found state that msDS-Behavior-Version not set is
> equal to being set to 0. If this is the case, then:
>  - samba-tool domain level show should not bomb out with exception error
> if msDS-Behavior-Version is not set, see also:
>  - if having msDS-Behavior-Version not set (or alternatively set to 0)
> is desired functionality at windows 2000 level, then there should be
> some path of upgrading samba reported DC level in order to be able to
> raise the domain level:
> Commit
> sets msDS-Behavior-Version to DS_DOMAIN_FUNCTION_2008_R2 for all domains
>> = DS_DOMAIN_FUNCTION_2003; for domains at WINDOWS 2000 level, the 
> msDS-Behavior-Version is not set at all.
> To be able to raise domain level, samba should not be the lowest
> reported DC level as it can clearly support higher level domains.
> Unfortunately, there seems to be a lot of cases where the domain level
> was never raised.
> Regards,
> gulikoza

More information about the samba-technical mailing list