Windows 2000 domain level
Matthias Dieter Wallnöfer
mdw at samba.org
Fri Mar 14 12:45:50 MDT 2014
In addition I provide also this patch which adds the new AD function
A review of both would be appreciated!
Matthias Dieter Wallnöfer schrieb:
> Hi gulikoza,
> you are right, we have an error in our domain raise implementation.
> Could you please have a look at this patch:
> Matthias Wallnöfer
> gulikoza schrieb:
>> On Sun, 09 Mar 2014 22:18:37 +0100, gulikoza
>> <gulikoza at users.sourceforge.net> wrote:
>>> The problem is that it is impossible to move from windows 2000 and use
>>> samba to raise the domain level after w2k dc is retired as
>>> msDS-Behavior-Version is incorrectly (not) set. This seems like a bug
>>> to me. If you already have a higher dc, domain level needs to be
>>> raised before samba4 is joined as DC.
>> The commit that changed (introduced) this behavior is:
>> s4-join: modify join behaviour according to domain level
>> The code only sets msDS-Behavior-Version attribute if domain level >=
>> Some references I found state that msDS-Behavior-Version not set is
>> equal to being set to 0. If this is the case, then:
>> - samba-tool domain level show should not bomb out with exception error
>> if msDS-Behavior-Version is not set, see also:
>> - if having msDS-Behavior-Version not set (or alternatively set to 0)
>> is desired functionality at windows 2000 level, then there should be
>> some path of upgrading samba reported DC level in order to be able to
>> raise the domain level:
>> sets msDS-Behavior-Version to DS_DOMAIN_FUNCTION_2008_R2 for all domains
>>> = DS_DOMAIN_FUNCTION_2003; for domains at WINDOWS 2000 level, the
>> msDS-Behavior-Version is not set at all.
>> To be able to raise domain level, samba should not be the lowest
>> reported DC level as it can clearly support higher level domains.
>> Unfortunately, there seems to be a lot of cases where the domain level
>> was never raised.
More information about the samba-technical