[Samba] New Windows 8 RSAT and "OU=Domain Controllers" support?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Tue Apr 23 07:25:58 MDT 2013

Raising the functional level above 2003 doesn't sound like a good plan
as long as we still have to keep the Windows 2003 DC around. I don't
know about Samba, but RSAT wouldn't even let me do that.

Also note that it is the Windows DC (CN=W2K3R2DC) that doesn't have this

I figured out that I should be able to download MS's adprep tools by
subscribing to the Windows 2008 R2 trial. If nobody has better ideas, I'll
just do that and then try to run the various adprep commands. If Samba
truly functions like 2008 R2, then these tools actually should've
been run anyway before adding Samba DCs to 2003 domains (see that
Technet article again).

I really hope that the version of Windows Samba mimics would be better
documented, though... obviously none of this is a problem in a pure
Samba 4 environment, but many organisations migrating from Windows to
Samba are definitely not going to do so overnight, so the different DCs
must co-exist for quite some time. Also, people are most likely going to
run various different RSAT versions, so the compatibility of those is an
important factor, too.

Pekka L.J. Jalkanen

On 23.4.2013 0:29, Hisham Attar wrote:
> That attribute is a 2008+ schema attribute. As far as I was aware, when
> you provision with Samba your DC functionality is at 2008 R2, but
> forest/domain is at 2003 and can be raised to 2008 R2. Try samba-tool
> domain level raise --domain 2008_R2 --forest 2008_R2; maybe that will add
> the attribute to the schema.
> On Tue, Apr 23, 2013 at 4:43 AM, Pekka L.J. Jalkanen
> <pekka.jalkanen at vihreat.fi> wrote:
>     Hello,
>     We have two DCs. One runs Windows 2003 R2, and the other Samba 4.0.5.
>     Forest functional level is Windows 2000 native.
>     I recently demoted (worked flawlessly now, which was a great relief),
>     rebuilt and re-promoted my Samba 4 DC, as my problems that I posted to
>     this list about two months ago were still unresolved (see
>     https://lists.samba.org/archive/samba/2013-February/171898.html), and I
>     thought that I might as well give it a shot.
>     And yes, it all seems to work now. (I even got the rfc2307 uid/gid
>     support working, finally! Doesn't matter a lot on a DC-only box, but
>     still.)
>     Everything, this far, except one thing: if
>     1. RSAT, specifically one shipped with Windows Vista or newer (older
>     tools do not seem to be affected) is used to manage the domain,
>     2. Samba 4 DC is the domain controller that RSAT's AD User and Computers
>     console connects to, and
>     3. one clicks the "Domain Controllers" OU in the tree
>     then the following error message will result:
>     "Data from Domain Controllers is not available from Domain Controller
>     SAMBA4DC.mydomain.site because: An operations error occurred. Try again
>     later, or choose another DC by selecting Connect to Domain Controller on
>     the Domain context menu."
>     At the same time the following is written to log.samba:
>     "[2013/04/17 18:03:24,  0]
>     ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>       ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site
>     cannot find attr[msDS-isRODC] in of schema
>     If the RSAT's AD Users & Computers console is deliberately changed to
>     use our Windows DC, the problem disappears. The console reports DC
>     version for the domain controllers as W2K3 for the Windows DC and as W2K
>     for the Samba DC.
>     Is this error expected? I find the error message in log.samba a bit
>     peculiar, because it talks about msDS-isRODC attribute. But the way I
>     see it there shouldn't even be anything RODC-related in the schema, as a
>     prerequisite for any RODCs is Windows 2003 forest functional level, and
>     even then the schema should be extended first (see
>     http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
>     for Microsoft's documentation).
>     Because Samba doesn't really seem to support Windows 2000 functional
>     level properly anymore (samba-tool domain level just showed the
>     following error: "ERROR: Could not retrieve the actual domain, forest
>     level and/or lowest DC function level!"), and we no longer had real
>     reasons to stick to that, I tried to promote the forest.
>     Now that failed too, and I had to demote Samba (so that Windows doesn't
>     think it is just a W2k box), raise forest level on Windows, and then
>     purge Samba's config and re-join it. (Simply running "samba-tool domain
>     dcpromo" doesn't work either--it just gives an error "Account SAMBA4DC$
>     appears to be an active DC, use 'samba-tool domain join' if you must
>     re-create this account".)
>     But: now the forest functional level *is* Windows 2003, RSAT AD User &
>     Computers reports the Samba DC as W2k8 R2, and all this still didn't
>     affect the actual RSAT / ldb: acl_read error at all. The issue is still
>     reproducible!
>     I don't know if running the MS adprep tool on the Windows DC would help
>     (see the Technet article linked above), but that tool is anyway only
>     shipped with Windows 2008, and I don't have that.
>     Should I file a bug? Or is this error expected? Any experiences by
>     people who regularly run newer RSATs? What about those that also have
>     Windows DCs, like me?
>     Thanks,
>     Pekka L.J. Jalkanen
>     PS. The Win 8 RSAT that I've been trying to use is actually hugely
>     problematic, because there is no way to install the Server for NIS tools
>     that are required for RFC2307 management, even though MS does claim
>     (http://support.microsoft.com/kb/2693643) that those tools are still
>     supported. I can't recommend it to anyone.
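The log.samba entry quoted in the original post has a fixed shape (a Samba debug header line followed by the "ldb: acl_read: ... cannot find attr[...] in of schema" message), which makes it easy to scan a log for every object and attribute the schema lookup failed on, rather than discovering them one RSAT click at a time. The following Python script is an added example written for this archive page; it is not code from the Samba project or from anyone on the thread. It assumes the two-line entry layout shown in the post, and the sample log embedded below is constructed: the first entry copies the one from the post, the second entry (the SAMBA4DC object) and the unrelated debug entry are made up to show de-duplication and filtering.

```python
import re
from collections import defaultdict

# Samba debug header as quoted on the list:
#   "[YYYY/MM/DD HH:MM:SS,  level] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*(?P<src>\S+)\s*$"
)

# Message body reported in the post (the odd "in of schema" wording is kept
# exactly as logged so the pattern matches real output):
#   "ldb: acl_read: <DN> cannot find attr[<attribute>] in of schema"
SCHEMA_MISS_RE = re.compile(
    r"^\s*ldb: acl_read: (?P<dn>.+?) cannot find attr\[(?P<attr>[^\]]+)\] in of schema\s*$"
)


def parse_log_samba(text):
    """Return one dict per acl_read schema-miss event found in a log.samba text.

    Each event carries the timestamp, debug level and source location from the
    header line that precedes the message, plus the DN and attribute name.
    """
    events = []
    header = None
    for line in text.splitlines():
        hm = HEADER_RE.match(line)
        if hm:
            header = hm.groupdict()  # remember the header for the message that follows
            continue
        mm = SCHEMA_MISS_RE.match(line)
        if mm and header is not None:
            events.append({
                "timestamp": header["ts"],
                "level": int(header["level"]),
                "source": header["src"],
                "dn": mm.group("dn"),
                "attribute": mm.group("attr"),
            })
    return events


def summarize_missing_attributes(events):
    """Group events by attribute -> sorted list of distinct DNs it was missing on."""
    grouped = defaultdict(set)
    for ev in events:
        grouped[ev["attribute"]].add(ev["dn"])
    return {attr: sorted(dns) for attr, dns in grouped.items()}


# Constructed sample log. Entry 1 is the one quoted in the post; entry 2 is a
# made-up second DC object; entry 3 is a made-up unrelated line to be ignored.
SAMPLE_LOG = """\
[2013/04/17 18:03:24,  0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=W2K3R2DC,OU=Domain Controllers,DC=mydomain,DC=site cannot find attr[msDS-isRODC] in of schema
[2013/04/17 18:03:24,  0] ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
  ldb: acl_read: CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site cannot find attr[msDS-isRODC] in of schema
[2013/04/17 18:03:30,  1] example.c:1(example_func)
  (constructed) unrelated debug message that must not be reported
"""


if __name__ == "__main__":
    found = parse_log_samba(SAMPLE_LOG)
    for attr, dns in summarize_missing_attributes(found).items():
        print(f"schema lacks attribute {attr}; referenced by {len(dns)} object(s):")
        for dn in dns:
            print(f"  {dn}")
```

The summary tells you which attribute names the ACL read path asked the schema for and could not resolve, and on which objects, which is the list to compare against the Samba DC's schema partition before deciding whether a functional-level raise or an adprep-style schema extension is the right fix. To confirm directly whether the attribute exists in the schema, an ldbsearch against the schema naming context works, for example ldbsearch -H /usr/local/samba/private/sam.ldb -b 'CN=Schema,CN=Configuration,DC=mydomain,DC=site' '(lDAPDisplayName=msDS-isRODC)' lDAPDisplayName (the sam.ldb path and the domain DN are assumptions to adjust for your install); an empty result means the log entry is accurate and the attribute really is absent.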
