Windows 2000 support

Denis Cardon denis.cardon at tranquil-it-systems.fr
Mon Apr 11 18:27:12 UTC 2016


Hi Thomas,

>> On 11/04/16 17:04, Thomas Schulz wrote:
>>>> On 08/04/16 18:52, Thomas Schulz wrote:
>>>>> In the thread titled
>>>>> '[PATCH] samba-tool throws error if there is an empty FSMO role'
>>>>> Rowland asked:
>>>>>
>>>>>> Also would this be a good time to start discussing dropping support for
>>>>>> '2000', Microsoft dropped support for it nearly 6yrs ago, you have to
>>>>>> actively select the 2000 function level at provision and who is likely
>>>>>> to do that ?
>>>>> We have a domain with a Windows 2000 Server system as the domain controller.
>>>>> Awhile back I tried to set up Samba 4.1.something as an additional
>>>>> domain controller to provide some redundancy if the Windows 2000 machine
>>>>> went down. I was not successful as replication did not work from the
>>>>> Samba DC back to the Windows DC. After working on it for awhile I gave
>>>>> up on it. Is there some special 2000 function level that I could have
>>>>> selected that would have made things work?
>>>>>
>>>>> I know that it is a very bad thing to rely on Windows 2000 Server on a
>>>>> 15 year old computer, but for several reasons we can not update it.
>>>>> We recently went out and bought a full set of spare parts for the
>>>>> machine so that we can fix any failures.
>>>>>
>>>>> Tom Schulz
>>>> What I meant was, and said so in a roundabout way, should we drop
>>>> support for 'provisioning' a *new* domain as function level '2000'.
>>>> Obviously there will be cases of people wanting to join a Samba AD
>>>> machine to a 2000 server and this should be supported as a way for users
>>>> to upgrade to an higher function level.
>>>>
>>>>     It sounds like I need to re-visit the fsmo.py code and make it (if
>>>> possible) 2000 aware (i.e. no DNS roles)
>>>>
>>>> Rowland
>>> When I tried it, there were three problems that I remember.
>>> One was that the DNS information was not picked up by the Windows 2000 DC.
>>
>> I have just set up a Samba 2000 AD domain to test my yet again
>> re-written fsmo.py code and you don't get any DNS zones in AD, perhaps
>> this was the reason for your first problem.
>
> Our Windows 2000 Server does have the DNS information expected of an AD DC.
> It may well not have a role for that. I am not sure how to tell.
>
>>> I worked around that by manually entering the information on the 2000 DC.
>>> The second was that if I added a new user on the Samba DC, the information
>>> was not replicated to the Windows 2000 DC.
>>
>> I have tested this and a user created on the first DC is not replicated
>> and when I try to force replication, I get this:
>>
>> root at dc2000a:~# samba-tool drs replicate dc2000b dc2000a
>> dc=samba,dc=test,dc=tld
>> ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
>> drsException: DsReplicaSync failed (2, 'WERR_BADFILE')
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/drs.py", line
>> 350, in run
>>       drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
>> source_dsa_guid, NC, req_options)
>>     File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line
>> 83, in sendDsReplicaSync
>>       raise drsException("DsReplicaSync failed %s" % estr)
>>
>>> Adding a new user on the Windows
>>> DC did replicate to the Samba DC.
>>
>> If I try to create a user on the second DC, I get this:
>>
>> ERROR(ldb): Failed to add user 'User2':  -
>> ../source4/dsdb/samdb/ldb_modules/ridalloc.c:551: No RID Set DN - Remote
>> RID Set creation needed
>>
>>> The third problem was that if I set up the Samba file server machines to
>>> use security=domain then the file servers would often be unable to
>>> authenticate a user. They did work before I manually added the DNS
>>> records on the Windows 2000 DC. They also did work with security=domain
>>> and specifying the server with 'password server=machine'.
>>
>> I wonder if it would have worked if you had used 'security = ADS'
>
> I mis-typed that second line. I meant to say security=ads did not work
> when the Samba DC's DNS information was added to the Windows 2000 DC.
> The added DNS information was in exactly the same format as that already
> in the Windows 2000 DC for itself.
>
>>> I decided that I did not want to trust the Samba DC so I demoted it.
>>
>> Don't blame you :-)
>>
>>> This was with Samba 4.1.something. I see that there has been some work
>>> to make Samba tolerate missing information when becoming a DC, so perhaps
>>> I should try again.
>>>
>>
>> If my small test is anything to go on, I wouldn't bother just yet :-D
>>
>> Rowland
>
> Thanks for looking at this. I was hoping that there was some magic step
> in setting up a Samba DC when the original one is a Windows 2000 DC.

as Andrew asked you previously, the main question is: do you have some 
specific requirements for keeping a DC on that computer (eg. Exchange or 
whatever)?

If you don't need to keep the DC role on that computer, the best path 
would be for you to
* join up a temporary win2k3 DC,
* demote the win2k DC to member server
* clean up the DNS zone as per 
https://support.microsoft.com/en-us/kb/817470
* upgrade domain/forest level to 2k3
* join a Samba4 DC
* demote the win2k3 DC
* clean up all the leftover dns entries / ntdsdsa / computers objects

I've done it a few times. That way you keep your custom applications on 
your win2k machine, and get a shiny brand new samba4 AD domain. However, 
if you have a requirement for having DC role on that specific machine...

Cheers,

Denis




>
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
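The last step of the migration path above (cleaning up leftover ntdsdsa and computer objects after the win2k3 DC is demoted) is the one most often skipped, and stale DC objects are what later confuse replication and KCC topology. The following is an added audit script, not code from this thread or from the Samba project: it reads an LDIF export of the Configuration and Domain partitions (for example from ldbsearch) and lists every nTDSDSA object and every DC machine account (userAccountControl with UF_SERVER_TRUST_ACCOUNT set) whose server name is not in the list of DCs you expect to still exist. The LDIF below is constructed sample data with the invented names DC2003 and SAMBADC1; DNS records are not covered, since AD-integrated SRV records are stored as binary dnsRecord values.

```python
"""Post-demotion audit: find leftover DC objects in an LDIF export.

Added example for the clean-up step of the win2k -> win2k3 -> Samba4 path.
Assumes an LDIF export of the Configuration and Domain partitions and a list
of DC names that should remain; the sample data here is constructed.
"""
import re

# Constructed sample: the temporary DC "DC2003" has been demoted, but its
# NTDS Settings object and its DC machine account were left behind.
# "SAMBADC1" is the live Samba DC; "FILESRV" is an ordinary member server.
SAMPLE_LDIF = """\
dn: CN=NTDS Settings,CN=SAMBADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
objectClass: nTDSDSA
hasMasterNCs: DC=example,DC=test

dn: CN=NTDS Settings,CN=DC2003,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
objectClass: nTDSDSA
hasMasterNCs: DC=example,DC=test

dn: CN=SAMBADC1,OU=Domain Controllers,DC=example,DC=test
objectClass: computer
dNSHostName: sambadc1.example.test
userAccountControl: 532480

dn: CN=DC2003,OU=Domain Controllers,DC=example,DC=test
objectClass: computer
dNSHostName: dc2003.example.test
userAccountControl: 532480

dn: CN=FILESRV,CN=Computers,DC=example,DC=test
objectClass: computer
dNSHostName: filesrv.example.test
userAccountControl: 4096
"""

UF_SERVER_TRUST_ACCOUNT = 0x2000  # set on the machine account of every DC


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}).

    Handles folded continuation lines (leading space) and skips comments.
    Base64 values ('::') are kept as the raw encoded string.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:   # folded continuation line
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            key, _, value = line.partition(":")
            value = value.lstrip(": ")
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def rdn_value(dn):
    """First RDN value of a DN: 'CN=DC2003,OU=...' -> 'DC2003'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def ntdsdsa_server_name(dn):
    """'CN=NTDS Settings,CN=DC2003,CN=Servers,...' -> 'DC2003'."""
    return rdn_value(dn.split(",", 1)[1])


def find_leftovers(entries, live_dcs):
    """Return DC objects whose server name is not in live_dcs.

    Names are compared case-insensitively. Two kinds are reported:
    'ntdsdsa' (replication identity objects under CN=Sites) and
    'dc_accounts' (computer objects flagged as server trust accounts).
    """
    live = {name.upper() for name in live_dcs}
    leftovers = {"ntdsdsa": [], "dc_accounts": []}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "ntdsdsa" in classes:
            if ntdsdsa_server_name(dn).upper() not in live:
                leftovers["ntdsdsa"].append(dn)
        elif "computer" in classes:
            uac = int(attrs.get("userAccountControl", ["0"])[0])
            if uac & UF_SERVER_TRUST_ACCOUNT and rdn_value(dn).upper() not in live:
                leftovers["dc_accounts"].append(dn)
    return leftovers


if __name__ == "__main__":
    found = find_leftovers(parse_ldif(SAMPLE_LDIF), ["SAMBADC1"])
    for kind, dns in found.items():
        for dn in dns:
            print(f"leftover {kind}: {dn}")
```

Run it against a real export by replacing SAMPLE_LDIF with the contents of your ldbsearch dump and the live-DC list with the DCs you keep; each reported DN is a candidate for removal once you have confirmed the host really is gone, and the server object above each leftover NTDS Settings object usually needs removing as well.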