[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Mon Apr 22 12:43:30 MDT 2013


We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5.
Forest functional level is Windows 2000 native.

I recently demoted (worked flawlessly now, which was a great relief),
rebuilt and re-promoted my Samba 4 DC, as the problems that I posted to
this list about two months ago were still unresolved (see
https://lists.samba.org/archive/samba/2013-February/171898.html), and I
thought that I might as well give it a shot.

And yes, it all seems to work now. (I even got the rfc2307 uid/gid
support working, finally! Doesn't matter a lot on a DC-only box, but still.)

Everything, thus far, except one thing: if
1. RSAT, specifically one shipped with Windows Vista or newer (older
tools do not seem to be affected) is used to manage the domain,
2. Samba 4 DC is the domain controller that RSAT's AD User and Computers
console connects to, and
3. one clicks the "Domain Controllers" OU in the tree

then the following error message will result:

"Data from Domain Controllers is not available from Domain Controller
SAMBA4DC.mydomain.site because: An operations error occurred. Try again
later, or choose another DC by selecting Connect to Domain Controller on
the Domain context menu."

At the same time the following is written to log.samba:

"[2013/04/17 18:03:24,  0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site
cannot find attr[msDS-isRODC] in of schema"

If the RSAT's AD Users & Computers console is deliberately changed to
use our Windows DC, the problem disappears. The console reports DC
version for the domain controllers as W2K3 for the Windows DC and as W2K
for the Samba DC.

Is this error expected? I find the error message in log.samba a bit
peculiar, because it talks about msDS-isRODC attribute. But the way I
see it there shouldn't even be anything RODC-related in the schema, as a
prerequisite for any RODCs is Windows 2003 forest functional level, and
even then the schema should be extended first (see
for Microsoft's documentation).

Because Samba doesn't really seem to support Windows 2000 functional
level properly anymore (samba-tool domain level just showed the
following error: "ERROR: Could not retrieve the actual domain, forest
level and/or lowest DC function level!"), and we no longer had real
reasons to stick to that, I tried to promote the forest.

Now that failed too, and I had to demote Samba (so that Windows doesn't
think it is just a W2k box), raise forest level on Windows, and then
purge Samba's config and re-join it. (Simply running "samba-tool domain
dcpromo" doesn't work either--it just gives an error "Account SAMBA4DC$
appears to be an active DC, use 'samba-tool domain join' if you must
re-create this account".)

But: now the forest functional level *is* Windows 2003, RSAT AD User &
Computers reports the Samba DC as W2k8 R2, and all this still didn't
affect the actual RSAT / ldb: acl_read error at all. The issue is still

I don't know if running the MS adprep tool on the Windows DC would help
(see the Technet article linked above), but that tool is anyway only
shipped with Windows 2008, and I don't have that.

Should I file a bug? Or is this error expected? Any experiences by
people who regularly run newer RSATs? What about those that also have
Windows DCs, like me?


Pekka L.J. Jalkanen

PS. The Win 8 RSAT that I've been trying to use is actually hugely
problematic, because there is no way to install the Server for NIS tools
that are required for RFC2307 management, even though MS does claim
(http://support.microsoft.com/kb/2693643) that those tools are still
supported. I can't recommend it to anyone.
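As an added example, not part of the original post and not Samba's own code: a small triage helper that scans log.samba for the "ldb: acl_read: ... cannot find attr[...] in of schema" records quoted above, so the affected DNs and attribute names can be collected before filing a bug report. It assumes the two-line record layout shown in the post (a "[date, level] file:line(func)" header followed by indented body lines, possibly wrapped); the sample log text is constructed to match that record and is not copied from a real log.

```python
"""Find ldb acl_read schema misses in a Samba log.samba excerpt.

Added example for triaging the error quoted in the post; the sample log
below is constructed, not a real capture. Record layout assumed:
  [YYYY/MM/DD HH:MM:SS,  LEVEL] path/file.c:LINE(function)
    body line(s), indented, possibly wrapped over several lines
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>[^)]*)\)\s*$"
)
# The DN is everything between "acl_read: " and " cannot find attr[".
ACL_RE = re.compile(
    r"ldb: acl_read: (?P<dn>.+?) cannot find attr\[(?P<attr>[^\]]+)\] in of schema"
)


@dataclass
class SchemaMiss:
    timestamp: str
    level: int
    dn: str
    attr: str


def iter_records(text: str) -> Iterator[Tuple[re.Match, str]]:
    """Yield (header match, body) pairs; wrapped body lines are joined with spaces."""
    header = None
    body: List[str] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if header is not None:
                yield header, " ".join(body)
            header, body = m, []
        elif header is not None and raw.strip():
            body.append(raw.strip())
    if header is not None:
        yield header, " ".join(body)


def find_schema_misses(text: str) -> List[SchemaMiss]:
    """Return one SchemaMiss per acl_read record whose attribute is absent from the schema."""
    misses = []
    for hdr, body in iter_records(text):
        m = ACL_RE.search(body)
        if m:
            misses.append(SchemaMiss(hdr["ts"], int(hdr["level"]), m["dn"], m["attr"]))
    return misses


def naming_context(dn: str) -> str:
    """Return the DC=... suffix of a DN (simplified: assumes no escaped commas in RDNs)."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(p for p in parts if p.upper().startswith("DC="))


# Constructed sample: the record from the post, one unrelated filler record,
# and a second acl_read record wrapped over two lines the way a mail client wraps it.
SAMPLE_LOG = """\
[2013/04/17 18:03:24,  0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site cannot find attr[msDS-isRODC] in of schema
[2013/04/17 18:03:25,  3] ../constructed/filler.c:1(constructed_filler)
  constructed filler record that must not match
[2013/04/17 18:04:01,  0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site
  cannot find attr[msDS-isRODC] in of schema
"""

if __name__ == "__main__":
    for miss in find_schema_misses(SAMPLE_LOG):
        print(f"{miss.timestamp} level={miss.level} nc={naming_context(miss.dn)} "
              f"dn={miss.dn} attr={miss.attr}")
```

On a real DC the same function would be fed the contents of log.samba (for example `find_schema_misses(open("/var/log/samba/log.samba").read())`); grouping the results by `attr` and `naming_context` shows at a glance whether only msDS-isRODC is involved and whether every DC object under OU=Domain Controllers triggers it.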
