Windows 2000 domain level

Matthias Dieter Wallnöfer mdw at samba.org
Sun Mar 30 04:11:50 MDT 2014


Hi gulikoza,

yes, indeed you raise a serious issue. The problem is that
"msDS-Behavior-Version" does not get set on DC's ntDSDSA object if the
behaviour is still Windows 2000 (our implementation). Since back there,
the schema did not provide this attribute.

How to solve this? I think there exists more than one solution. One
possibility, as you have guessed, is to check against the schema's
version (attribute "objectVersion"). But in "python/samba/join.py" we do
have other checks based on "msDS-Behavior-Version", how to handle those?
And how to remediate existing joins?

Or should we provide some "msDS-Behavior-Version" recalculation tool? We
have a Windows 2000 Forest + Domain with Windows 2000 schema. No DC is
able to set "msDS-Behavior-Version". Now a schema update takes place,
say to Windows 2008. But all DCs remain Windows 2000, since they could
not set the attribute. Should they all be unjoined and rejoined - which
seems the most plausible approach to me?

You are right, it is not that easy. What do others think?

Matthias

gulikoza schrieb:
> On Fri, 14 Mar 2014 19:42:14 +0100, Matthias Dieter Wallnöfer
> <mdw at samba.org> wrote:
> 
>> Hi gulikoza,
> 
> Hello,
> 
>> you are right, we have an error in our domain raise implementation.
>> Could you please have a look at this patch:
>> https://git.samba.org/?p=mdw/samba.git;a=commitdiff;h=c250548b6f749c3de3b59d3b5e8a6b6093a84476
>>
> 
> I checked the patch. It fixes the first part of the problem.
> Before the patch:
> 
> [root at samba4-ad home]# samba-tool domain level show
> ERROR: Could not retrieve the actual domain, forest level and/or lowest
> DC function level!
> 
> After the patch:
> 
> [root at samba4-ad home]# samba-tool domain level show
> Domain and forest function level for domain 'DC=domain,DC=local'
> 
> Forest function level: (Windows) 2000
> Domain function level: (Windows) 2000
> Lowest function level of a DC: (Windows) 2000
> 
> The problem however remains, that it is not possible to raise the domain
> level:
> 
> [root at samba4-ad home]# samba-tool domain level raise --forest-level=2008 --domain-level=2008
> ERROR: Domain function level can't be higher than the lowest function
> level of a DC!
> 
> Note that the other DC in this domain is W2K8 and has this attribute set:
> 
> # record 1110
> dn: CN=NTDS Settings,CN=W2K8SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> objectClass: top
> objectClass: applicationSettings
> objectClass: nTDSDSA
> cn: NTDS Settings
> msDS-Behavior-Version: 3
> 
> While samba4 does not set this attribute:
> 
> # record 1302
> dn: CN=NTDS Settings,CN=SAMBA4-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> objectClass: top
> objectClass: applicationSettings
> objectClass: nTDSDSA
> cn: NTDS Settings
> 
> The problem is this piece of code in join.py:
> 
>     if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
>         rec["msDS-Behavior-Version"] = str(samba.dsdb.DS_DOMAIN_FUNCTION_2008_R2)
> 
> For the 2000 level domains, samba4 will not set msDS-Behavior-Version
> and will be considered the lowest function level DC (at 2000 level). I'm
> sorry but here I do not have enough knowledge of MS AD domains of how &
> when this attribute is set when raising domain level. Perhaps instead of
> checking samba.dsdb.DS_DOMAIN_FUNCTION_2003, the schema version should
> be checked in join.py and msDS-Behavior-Version set based on that (I
> assume that's what adprep does, extends the schema so that these new
> attributes can be added, I'm reading this
> http://technet.microsoft.com/en-us/library/ed42abd5-24c7-4b5a-8165-dbd96727ec84
> - Verify the schema extension).
> 
> Or maybe there should be "samba-tool domain dc level raise" or perhaps
> even an implicit raise of DC level for all samba4 DCs when doing a
> domain/forest raise?
> 
> I'm doing this from a saved snapshot of the W2K8 DC, this particular
> domain was successfully raised to 2003 level after samba4 was demoted
> and deleted from the domain so that it's not considered the lowest
> function level DC.
> 
> A similar problem would apply for the second patch (2012 level). I
> haven't tested it yet, but how is the domain supposed to be raised to
> 2012 level when samba4 DC will be at the 2008_R2 level?
> 
>> Regards,
>> Matthias Wallnöfer
>>
> 
> Regards,
> gulikoza
> 
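Added example, not Samba's own code and not from either poster: a small model of the two mechanisms the thread argues about. It reproduces the samba-tool raise check (a DC whose ntDSDSA object lacks msDS-Behavior-Version counts as Windows 2000, so it becomes the lowest DC and blocks the raise), and sketches gulikoza's alternative of deriving the value to write from the schema's objectVersion instead of ctx.behavior_version. The DS_DOMAIN_FUNCTION_* constants are assumed to match samba.dsdb; the objectVersion table is an assumption based on the schema versions adprep installs; the sample records are constructed from the two ntDSDSA objects quoted above.

```python
"""Added example (not Samba's code): models the DC function-level check that
samba-tool runs before a domain raise, and a schema-version based choice of
msDS-Behavior-Version for a joining DC, as proposed in the thread."""

# Assumed to match samba.dsdb.DS_DOMAIN_FUNCTION_* (values from Samba's dsdb constants)
DS_DOMAIN_FUNCTION_2000 = 0
DS_DOMAIN_FUNCTION_2003_MIXED = 1
DS_DOMAIN_FUNCTION_2003 = 2
DS_DOMAIN_FUNCTION_2008 = 3
DS_DOMAIN_FUNCTION_2008_R2 = 4
DS_DOMAIN_FUNCTION_2012 = 5

LEVEL_NAMES = {
    DS_DOMAIN_FUNCTION_2000: "2000",
    DS_DOMAIN_FUNCTION_2003_MIXED: "2003 Mixed",
    DS_DOMAIN_FUNCTION_2003: "2003",
    DS_DOMAIN_FUNCTION_2008: "2008",
    DS_DOMAIN_FUNCTION_2008_R2: "2008 R2",
    DS_DOMAIN_FUNCTION_2012: "2012",
}

# Schema "objectVersion" written by adprep for each Windows release, paired with
# the highest function level that schema supports (assumption: the values
# Microsoft publishes for adprep; 2003 R2 keeps the 2003 level at version 31).
SCHEMA_OBJECT_VERSION_TO_LEVEL = [
    (13, DS_DOMAIN_FUNCTION_2000),
    (30, DS_DOMAIN_FUNCTION_2003),
    (31, DS_DOMAIN_FUNCTION_2003),
    (44, DS_DOMAIN_FUNCTION_2008),
    (47, DS_DOMAIN_FUNCTION_2008_R2),
    (56, DS_DOMAIN_FUNCTION_2012),
]


def parse_ldif_records(text):
    """Parse ldbsearch-style output into a list of {attr: [values]} dicts.
    Records are separated by blank lines; lines starting with '#' are comments."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def dc_function_level(ntdsdsa):
    """Function level of one DC read from its ntDSDSA object. A missing
    msDS-Behavior-Version is taken as Windows 2000, which is why a Samba DC
    that never wrote the attribute pins the whole domain at level 2000."""
    values = ntdsdsa.get("msDS-Behavior-Version")
    if not values:
        return DS_DOMAIN_FUNCTION_2000
    return int(values[0])


def lowest_dc_function_level(ntdsdsa_records):
    return min(dc_function_level(r) for r in ntdsdsa_records)


def check_domain_raise(ntdsdsa_records, target_level):
    """Return (ok, message) the way the samba-tool raise check decides."""
    lowest = lowest_dc_function_level(ntdsdsa_records)
    if target_level > lowest:
        return False, ("Domain function level can't be higher than the lowest "
                       f"function level of a DC! (lowest: {LEVEL_NAMES[lowest]})")
    return True, f"raise to {LEVEL_NAMES[target_level]} permitted"


def behavior_version_from_schema(object_version):
    """Choose the msDS-Behavior-Version a joining DC could write from the
    schema's objectVersion (the alternative to ctx.behavior_version suggested in
    the thread): the highest level whose schema is installed, 2000 as floor."""
    level = DS_DOMAIN_FUNCTION_2000
    for min_version, lvl in SCHEMA_OBJECT_VERSION_TO_LEVEL:
        if object_version >= min_version:
            level = lvl
    return level


# Constructed sample: the two ntDSDSA objects quoted in the thread.
SAMPLE_NTDSDSA = """\
# record 1110
dn: CN=NTDS Settings,CN=W2K8SRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
msDS-Behavior-Version: 3

# record 1302
dn: CN=NTDS Settings,CN=SAMBA4-AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
"""

if __name__ == "__main__":
    records = parse_ldif_records(SAMPLE_NTDSDSA)
    for r in records:
        print(r["dn"][0].split(",")[1], "->", LEVEL_NAMES[dc_function_level(r)])
    print(check_domain_raise(records, DS_DOMAIN_FUNCTION_2008))
    # With a 2008 R2 schema (objectVersion 47) the joining DC could write level 4
    print("schema 47 ->", LEVEL_NAMES[behavior_version_from_schema(47)])
```

Running it reproduces the failure from the thread: W2K8SRV reports level 2008, SAMBA4-AD falls back to 2000, and the raise to 2008 is refused; dropping the Samba record lets the same raise through, matching what gulikoza saw after demoting the Samba DC.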
