Windows 2000 support

Thomas Schulz schulz at
Mon Apr 11 16:04:57 UTC 2016

> On 08/04/16 18:52, Thomas Schulz wrote:
> > In the thread titled
> > '[PATCH] samba-tool throws error if there is an empty FSMO role'
> > Rowland asked:
> >
> >> Also would this be a good time to start discussing dropping support for
> >> '2000', Microsoft dropped support for it nearly 6yrs ago, you have to
> >> actively select the 2000 function level at provision and who is likely
> >> to do that ?
> > We have a domain with a Windows 2000 Server system as the domain controller.
> > A while back I tried to set up Samba 4.1.something as an additional
> > domain controller to provide some redundancy if the Windows 2000 machine
> > went down. I was not successful as replication did not work from the
> > Samba DC back to the Windows DC. After working on it for a while I gave
> > up on it. Is there some special 2000 function level that I could have
> > selected that would have made things work?
> >
> > I know that it is a very bad thing to rely on Windows 2000 Server on a
> > 15 year old computer, but for several reasons we can not update it.
> > We recently went out and bought a full set of spare parts for the
> > machine so that we can fix any failures.
> >
> > Tom Schulz
> What I meant was, and said so in a roundabout way, should we drop 
> support for 'provisioning' a *new* domain as function level '2000'. 
> Obviously there will be cases of people wanting to join a Samba AD 
> machine to a 2000 server and this should be supported as a way for users 
> to upgrade to a higher function level.
> It sounds like I need to re-visit the code and make it (if 
> possible) 2000 aware (i.e. no DNS roles)
> Rowland

When I tried it, there were three problems that I remember.
One was that the DNS information was not picked up by the Windows 2000 DC.
I worked around that by manually entering the information on the 2000 DC.
The second was that if I added a new user on the Samba DC, the information
was not replicated to the Windows 2000 DC. Adding a new user on the Windows
DC did replicate to the Samba DC.
The third problem was that if I set up the Samba file server machines to
use security=domain then the file servers would often be unable to
authenticate a user. They did work before I manually added the DNS
records on the Windows 2000 DC. They also did work with security=domain
and specifying the server with 'password server=machine'.

I decided that I did not want to trust the Samba DC so I demoted it.
This was with Samba 4.1.something. I see that there has been some work
to make Samba tolerate missing information when becoming a DC, so perhaps
I should try again.

Tom Schulz
Applied Dynamics Intl.
schulz at
