Windows 2000 support
repenny241155 at gmail.com
Mon Apr 11 16:40:39 UTC 2016
On 11/04/16 17:04, Thomas Schulz wrote:
>> On 08/04/16 18:52, Thomas Schulz wrote:
>>> In the thread titled
>>> '[PATCH] samba-tool throws error if there is an empty FSMO role'
>>> Rowland asked:
>>>> Also would this be a good time to start discussing dropping support for
>>>> '2000', Microsoft dropped support for it nearly 6yrs ago, you have to
>>>> actively select the 2000 function level at provision and who is likely
>>>> to do that ?
>>> We have a domain with a Windows 2000 Server system as the domain controller.
>>> Awhile back I tried to set up Samba 4.1.something as an additional
>>> domain controller to provide some redundancy if the Windows 2000 machine
>>> went down. I was not sucessfull as replication did not work from the
>>> Samba DC back to the Windows DC. After working on it for awhile I gave
>>> up on it. Is there some special 2000 function level that I could have
>>> selected that would have made things work?
>>> I know that it is a very bad thing to rely on Windows 2000 Serever on a
>>> 15 year old computer, but for several reasons we can not update it.
>>> We reciently went out and bought a full set of spare parts for the
>>> machine so that we can fix any failures.
>>> Tom Schulz
>> What I meant was, and said so in a roundabout way, should we drop
>> support for 'provisioning' a *new* domain as function level '2000'.
>> Obviously there will be cases of people wanting to join a Samba AD
>> machine to a 2000 server and this should be supported as a way for users
>> to upgrade to an higher function level.
>> It sounds like I need to re-visit the fsmo.py code and make it (if
>> possible) 2000 aware (i.e. no DNS roles)
> When I tried it, there were three problems that I remember.
> One was that the DNS information was not picked up by the Windows 2000 DC.
I have just set up a Samba 2000 AD domain to test my yet again
re-written fsmo.py code and you don't get any DNS zones in AD, perhaps
this was the reason for your first problem.
> I worked around that by manually entering the information on the 2000 DC.
> The second was that if I added a new user on the Samba DC, the information
> was not replicated to the Windows 2000 DC.
I have tested this and a user created on the first DC is not replicated
and when I try to force replication, I get this:
root at dc2000a:~# samba-tool drs replicate dc2000b dc2000a
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
350, in run
source_dsa_guid, NC, req_options)
83, in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)
> Adding a new user on the Windows
> DC did replicate to the Samba DC.
If I try to create a user on the second DC, I get this:
ERROR(ldb): Failed to add user 'User2': -
../source4/dsdb/samdb/ldb_modules/ridalloc.c:551: No RID Set DN - Remote
RID Set creation needed
> The third problem was that if I set up the Samba file server machines to
> use security=domain then the file servers would often be unable to
> authenticate a user. They did work before I manually added the DNS
> records on the Windows 2000 DC. They also did work with security=domain
> and specifying the server with 'password server=machine'.
I wonder if it would have worked if you had used 'security = ADS'
> I decided that I did not want to trust the Samba DC so I demoted it.
Don't blame you :-)
> This was with Samba 4.1.something. I see that there has been some work
> to make Samba tolerate missing information when becomming a DC, so perhaps
> I should try again.
If my small test is anything to go on, I wouldn't bother just yet :-D
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
More information about the samba-technical