Windows 2000 support

Rowland Penny repenny241155 at
Mon Apr 11 16:40:39 UTC 2016

On 11/04/16 17:04, Thomas Schulz wrote:
>> On 08/04/16 18:52, Thomas Schulz wrote:
>>> In the thread titled
>>> '[PATCH] samba-tool throws error if there is an empty FSMO role'
>>> Rowland asked:
>>>> Also would this be a good time to start discussing dropping support for
>>>> '2000', Microsoft dropped support for it nearly 6yrs ago, you have to
>>>> actively select the 2000 function level at provision and who is likely
>>>> to do that ?
>>> We have a domain with a Windows 2000 Server system as the domain controller.
>>> Awhile back I tried to set up Samba 4.1.something as an additional
>>> domain controller to provide some redundancy if the Windows 2000 machine
>>> went down. I was not successful as replication did not work from the
>>> Samba DC back to the Windows DC. After working on it for awhile I gave
>>> up on it. Is there some special 2000 function level that I could have
>>> selected that would have made things work?
>>> I know that it is a very bad thing to rely on Windows 2000 Server on a
>>> 15 year old computer, but for several reasons we can not update it.
>>> We recently went out and bought a full set of spare parts for the
>>> machine so that we can fix any failures.
>>> Tom Schulz
>> What I meant was, and said so in a roundabout way, should we drop
>> support for 'provisioning' a *new* domain as function level '2000'.
>> Obviously there will be cases of people wanting to join a Samba AD
>> machine to a 2000 server and this should be supported as a way for users
>> to upgrade to a higher function level.
>> It sounds like I need to re-visit the code and make it (if
>> possible) 2000 aware (i.e. no DNS roles)
>> Rowland
> When I tried it, there were three problems that I remember.
> One was that the DNS information was not picked up by the Windows 2000 DC.

I have just set up a Samba 2000 AD domain to test my yet again 
re-written code and you don't get any DNS zones in AD, perhaps 
this was the reason for your first problem.

> I worked around that by manually entering the information on the 2000 DC.
> The second was that if I added a new user on the Samba DC, the information
> was not replicated to the Windows 2000 DC.

I have tested this and a user created on the first DC is not replicated 
and when I try to force replication, I get this:

root at dc2000a:~# samba-tool drs replicate dc2000b dc2000a 
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed - 
drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/", line 
350, in run
     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, 
source_dsa_guid, NC, req_options)
"/usr/local/samba/lib/python2.7/site-packages/samba/", line 
83, in sendDsReplicaSync
     raise drsException("DsReplicaSync failed %s" % estr)

> Adding a new user on the Windows
> DC did replicate to the Samba DC.

If I try to create a user on the second DC, I get this:

ERROR(ldb): Failed to add user 'User2':  - 
../source4/dsdb/samdb/ldb_modules/ridalloc.c:551: No RID Set DN - Remote 
RID Set creation needed

> The third problem was that if I set up the Samba file server machines to
> use security=domain then the file servers would often be unable to
> authenticate a user. They did work before I manually added the DNS
> records on the Windows 2000 DC. They also did work with security=domain
> and specifying the server with 'password server=machine'.

I wonder if it would have worked if you had used 'security = ADS'

> I decided that I did not want to trust the Samba DC so I demoted it.

Don't blame you :-)

> This was with Samba 4.1.something. I see that there has been some work
> to make Samba tolerate missing information when becoming a DC, so perhaps
> I should try again.

If my small test is anything to go on, I wouldn't bother just yet :-D

> Tom Schulz
> Applied Dynamics Intl.
> schulz at

