Windows 2000 domain level

Matthias Dieter Wallnöfer mdw at samba.org
Fri Mar 14 12:42:14 MDT 2014


Hi gulikoza,

you are right, we have an error in our domain raise implementation.
Could you please have a look at this patch:
https://git.samba.org/?p=mdw/samba.git;a=commitdiff;h=c250548b6f749c3de3b59d3b5e8a6b6093a84476

Regards,
Matthias Wallnöfer

gulikoza wrote:
> On Sun, 09 Mar 2014 22:18:37 +0100, gulikoza
> <gulikoza at users.sourceforge.net> wrote:
> 
>> The problem is that it is impossible to move from windows 2000 and use
>> samba to raise the domain level after w2k dc is retired as
>> msDS-Behavior-Version is incorrectly (not) set. This seems like a bug
>> to me. If you already have a higher dc, domain level needs to be
>> raised before samba4 is joined as DC.
> 
> The commit that changed (introduced) this behavior is:
> 
> https://git.samba.org/?p=ab/samba-autobuild/.git;a=commitdiff;h=e59bf5efb5cf23ff21f2a2ac7dff8d211070a916
> 
> s4-join: modify join behaviour according to domain level
> 
> The code only sets msDS-Behavior-Version attribute if domain level >=
> samba.dsdb.DS_DOMAIN_FUNCTION_2003.
> 
> Some references I found state that msDS-Behavior-Version not set is
> equal to being set to 0. If this is the case, then:
> 
>  - samba-tool domain level show should not bomb out with exception error
> if msDS-Behavior-Version is not set, see also:
> https://lists.samba.org/archive/samba/2014-January/178019.html
> 
>  - if having msDS-Behavior-Version not set (or alternatively set to 0)
> is desired functionality at windows 2000 level, then there should be
> some path of upgrading samba reported DC level in order to be able to
> raise the domain level:
> 
> Commit
> https://git.samba.org/?p=ab/samba-autobuild/.git;a=commitdiff;h=162975a6f3369566dd36c28b5b6328f07b5aa605
> sets msDS-Behavior-Version to DS_DOMAIN_FUNCTION_2008_R2 for all
> domains >= DS_DOMAIN_FUNCTION_2003; for domains at WINDOWS 2000 level,
> the msDS-Behavior-Version is not set at all.
> 
> To be able to raise domain level, samba should not be the lowest
> reported DC level as it can clearly support higher level domains.
> Unfortunately, there seems to be a lot of cases where the domain level
> was never raised.
> 
> Regards,
> gulikoza
> 
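
Added example (not part of the original mails and not Samba source code): a sketch of the two points raised in the quoted report, reading an unset msDS-Behavior-Version as level 0 instead of failing, and checking a raise against the lowest level any DC reports. The entry layout, DNs and function names are assumptions made for illustration; the numeric levels mirror the samba.dsdb constants.

```python
# Illustration only: dict-based stand-ins for LDAP search results.
DS_DOMAIN_FUNCTION_2000 = 0
DS_DOMAIN_FUNCTION_2003_MIXED = 1
DS_DOMAIN_FUNCTION_2003 = 2
DS_DOMAIN_FUNCTION_2008 = 3
DS_DOMAIN_FUNCTION_2008_R2 = 4

ATTR = "msDS-Behavior-Version"


def behavior_version(entry):
    """Level stored on an entry; an absent attribute is read as 0 (Windows 2000)."""
    values = entry.get(ATTR)
    if not values:
        return DS_DOMAIN_FUNCTION_2000
    return int(values[0])  # LDAP values arrive as bytes such as b"4"


def lowest_dc_level(dc_entries):
    """Lowest level reported by any DC; it caps how far the domain can be raised."""
    if not dc_entries:
        raise ValueError("no domain controller entries supplied")
    return min(behavior_version(e) for e in dc_entries)


def can_raise_domain(domain_entry, dc_entries, target):
    """A raise must go upwards and may not exceed the lowest DC level."""
    current = behavior_version(domain_entry)
    return current < target <= lowest_dc_level(dc_entries)


# Constructed sample entries with hypothetical DNs.
DOMAIN = {"dn": "DC=example,DC=test"}                # attribute unset
DC_UNSET = {"dn": "CN=NTDS Settings,CN=DC1"}         # joined at 2000 level, never written
DC_2008R2 = {"dn": "CN=NTDS Settings,CN=DC2", ATTR: [b"4"]}

if __name__ == "__main__":
    for dcs in ([DC_UNSET, DC_2008R2], [DC_2008R2]):
        ok = can_raise_domain(DOMAIN, dcs, DS_DOMAIN_FUNCTION_2003)
        print(f"lowest DC level {lowest_dc_level(dcs)}: raise to 2003 allowed = {ok}")
```
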


