Windows 2000 domain level
gulikoza
gulikoza at users.sourceforge.net
Sat Mar 15 06:04:59 MDT 2014
On Fri, 14 Mar 2014 19:42:14 +0100, Matthias Dieter Wallnöfer
<mdw at samba.org> wrote:
> Hi gulikoza,
Hello,
> you are right, we have an error in our domain raise implementation.
> Could you please have a look at this patch:
> https://git.samba.org/?p=mdw/samba.git;a=commitdiff;h=c250548b6f749c3de3b59d3b5e8a6b6093a84476
I checked the patch. It fixes the first part of the problem.
Before the patch:
[root at samba4-ad home]# samba-tool domain level show
ERROR: Could not retrieve the actual domain, forest level and/or lowest DC function level!
After the patch:
[root at samba4-ad home]# samba-tool domain level show
Domain and forest function level for domain 'DC=domain,DC=local'
Forest function level: (Windows) 2000
Domain function level: (Windows) 2000
Lowest function level of a DC: (Windows) 2000
The problem however remains, that it is not possible to raise the domain
level:
[root at samba4-ad home]# samba-tool domain level raise --forest-level=2008 --domain-level=2008
ERROR: Domain function level can't be higher than the lowest function level of a DC!
Note that the other DC in this domain is W2K8 and has this attribute set:
# record 1110
dn: CN=NTDS Settings,CN=W2K8SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
msDS-Behavior-Version: 3
While samba4 does not set this attribute:
# record 1302
dn: CN=NTDS Settings,CN=SAMBA4-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
The problem is this piece of code in join.py:
    if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
        rec["msDS-Behavior-Version"] = str(samba.dsdb.DS_DOMAIN_FUNCTION_2008_R2)
For the 2000 level domains, samba4 will not set msDS-Behavior-Version and
will be considered the lowest function level DC (at 2000 level). I'm sorry
but here I do not have enough knowledge of MS AD domains of how & when
this attribute is set when raising domain level. Perhaps instead of
checking samba.dsdb.DS_DOMAIN_FUNCTION_2003, the schema version should be
checked in join.py and msDS-Behavior-Version set based on that (I assume
that's what adprep does, extends the schema so that these new attributes
can be added, I'm reading this
http://technet.microsoft.com/en-us/library/ed42abd5-24c7-4b5a-8165-dbd96727ec84
- Verify the schema extension).
Or maybe there should be "samba-tool domain dc level raise" or perhaps
even an implicit raise of DC level for all samba4 DCs when doing a
domain/forest raise?
I'm doing this from a saved snapshot of the W2K8 DC, this particular
domain was successfully raised to 2003 level after samba4 was demoted and
deleted from the domain so that it's not considered the lowest function
level DC.
A similar problem would apply for the second patch (2012 level). I haven't
tested it yet, but how is the domain supposed to be raised to 2012 level
when samba4 DC will be at the 2008_R2 level?
> Regards,
> Matthias Wallnöfer
>
Regards,
gulikoza
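
The lowest-DC-level check discussed in the message above, as an added example (not part of the original post and not samba-tool's own code). It reads the nTDSDSA records from an LDIF dump, treats a missing msDS-Behavior-Version as level 0 (Windows 2000), and lists the DCs that block a raise. The function names are hypothetical and the sample LDIF is constructed from the two records quoted in the post.

```python
# Added example, not Samba code. SAMPLE_LDIF is constructed from the two
# NTDS Settings records quoted in the post (long dn lines already unfolded).
SAMPLE_LDIF = """\
dn: CN=NTDS Settings,CN=W2K8SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectClass: nTDSDSA
cn: NTDS Settings
msDS-Behavior-Version: 3

dn: CN=NTDS Settings,CN=SAMBA4-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectClass: nTDSDSA
cn: NTDS Settings
"""

# msDS-Behavior-Version values and the Windows release each one denotes.
LEVEL_NAMES = {0: "2000", 1: "2003 interim", 2: "2003", 3: "2008",
               4: "2008 R2", 5: "2012", 6: "2012 R2"}

def parse_records(ldif):
    """Split simple LDIF (no folded lines, no base64 values) into attribute dicts."""
    records = []
    for block in ldif.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip "# record N" comments and malformed lines
            key, value = line.split(": ", 1)
            rec.setdefault(key.lower(), []).append(value)
        if rec:
            records.append(rec)
    return records

def dc_levels(ldif):
    """Map DC name -> function level; an absent attribute counts as 0 (2000)."""
    levels = {}
    for rec in parse_records(ldif):
        if "nTDSDSA" not in rec.get("objectclass", []):
            continue
        # The DC name is the second RDN; assumes no escaped commas in the dn.
        server = rec["dn"][0].split(",")[1].split("=", 1)[1]
        levels[server] = int(rec.get("msds-behavior-version", ["0"])[0])
    return levels

def blocking_dcs(ldif, target):
    """Return the DCs whose function level is below the requested level."""
    return sorted(s for s, lvl in dc_levels(ldif).items() if lvl < target)

if __name__ == "__main__":
    for server, lvl in dc_levels(SAMPLE_LDIF).items():
        print(server, "->", LEVEL_NAMES[lvl])
    print("blocks raise to 2008:", blocking_dcs(SAMPLE_LDIF, 3))
```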