Windows 2000 domain level

Matthias Dieter Wallnöfer mdw at samba.org
Fri Mar 14 12:45:50 MDT 2014


In addition, I also provide this patch, which adds the new AD function
levels:
https://git.samba.org/?p=mdw/samba.git;a=commitdiff;h=d266cfda400961d4e679053b781f7d54e2c0b7a5

A review of both would be appreciated!

Matthias

Matthias Dieter Wallnöfer wrote:
> Hi gulikoza,
> 
> you are right, we have an error in our domain raise implementation.
> Could you please have a look at this patch:
> https://git.samba.org/?p=mdw/samba.git;a=commitdiff;h=c250548b6f749c3de3b59d3b5e8a6b6093a84476
> 
> Regards,
> Matthias Wallnöfer
> 
> gulikoza wrote:
>> On Sun, 09 Mar 2014 22:18:37 +0100, gulikoza
>> <gulikoza at users.sourceforge.net> wrote:
>>
>>> The problem is that it is impossible to move from windows 2000 and use
>>> samba to raise the domain level after w2k dc is retired as
>>> msDS-Behavior-Version is incorrectly (not) set. This seems like a bug
>>> to me. If you already have a higher dc, domain level needs to be
>>> raised before samba4 is joined as DC.
>>
>> The commit that changed (introduced) this behavior is:
>>
>> https://git.samba.org/?p=ab/samba-autobuild/.git;a=commitdiff;h=e59bf5efb5cf23ff21f2a2ac7dff8d211070a916
>>
>> s4-join: modify join behaviour according to domain level
>>
>> The code only sets msDS-Behavior-Version attribute if domain level >=
>> samba.dsdb.DS_DOMAIN_FUNCTION_2003.
>>
>> Some references I found state that msDS-Behavior-Version not set is
>> equal to being set to 0. If this is the case, then:
>>
>>  - samba-tool domain level show should not bomb out with exception error
>> if msDS-Behavior-Version is not set, see also:
>> https://lists.samba.org/archive/samba/2014-January/178019.html
>>
>>  - if having msDS-Behavior-Version not set (or alternatively set to 0)
>> is desired functionality at windows 2000 level, then there should be
>> some path of upgrading samba reported DC level in order to be able to
>> raise the domain level:
>>
>> Commit
>> https://git.samba.org/?p=ab/samba-autobuild/.git;a=commitdiff;h=162975a6f3369566dd36c28b5b6328f07b5aa605
>> sets msDS-Behavior-Version to DS_DOMAIN_FUNCTION_2008_R2 for all domains
>> >= DS_DOMAIN_FUNCTION_2003; for domains at WINDOWS 2000 level, the
>> msDS-Behavior-Version is not set at all.
>>
>> To be able to raise domain level, samba should not be the lowest
>> reported DC level as it can clearly support higher level domains.
>> Unfortunately, there seem to be a lot of cases where the domain level
>> was never raised.
>>
>> Regards,
>> gulikoza
>>
> 
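
The behaviour discussed in this thread, as an added example that is not Samba's code or part of the original messages: an unset msDS-Behavior-Version is read as 0 instead of raising an exception, and a raise is refused while any DC reports a level below the target. The helper names, the dict-shaped entries and the sample DNs are assumptions made for illustration.

```python
# Added example: function-level values stored in msDS-Behavior-Version.
DS_DOMAIN_FUNCTION_2000 = 0
DS_DOMAIN_FUNCTION_2003_MIXED = 1
DS_DOMAIN_FUNCTION_2003 = 2
DS_DOMAIN_FUNCTION_2008 = 3
DS_DOMAIN_FUNCTION_2008_R2 = 4

ATTR = "msDS-Behavior-Version"


def behavior_version(entry):
    """Level stored in an LDAP-style entry; a missing attribute reads as 0."""
    values = entry.get(ATTR)
    if not values:
        return DS_DOMAIN_FUNCTION_2000
    return int(values[0])


def can_raise_domain(domain_entry, dc_entries, target):
    """Hypothetical helper: return (allowed, reason) for raising to target."""
    if not dc_entries:
        return False, "no DC entries found"
    current = behavior_version(domain_entry)
    if target <= current:
        return False, "domain is already at level %d" % current
    lowest = min(behavior_version(e) for e in dc_entries)
    if target > lowest:
        return False, "lowest DC level is %d" % lowest
    return True, "ok"


# Constructed sample entries (not taken from a real directory).
DOMAIN_W2K = {"dn": "DC=example,DC=com"}              # attribute never set
DC_WINDOWS = {"dn": "CN=NTDS Settings,CN=WIN1", ATTR: [b"4"]}
DC_SAMBA_UNSET = {"dn": "CN=NTDS Settings,CN=SMB1"}   # joined at W2K level
DC_SAMBA_SET = {"dn": "CN=NTDS Settings,CN=SMB1", ATTR: [b"4"]}

if __name__ == "__main__":
    for dcs in ([DC_WINDOWS, DC_SAMBA_UNSET], [DC_WINDOWS, DC_SAMBA_SET]):
        print(can_raise_domain(DOMAIN_W2K, dcs, DS_DOMAIN_FUNCTION_2003))
```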


