[Samba] [SOLVED] replace Windows 2003 dc

Peter Beck peter at datentraeger.li
Sat Feb 23 13:49:08 MST 2013


Hi guys,

I did some more testing:

--- Scenario 1:

Server 2003 with Forest Operation Level 'Windows 2000' and domain
operation Level 'Windows 2000 mixed' (which seems to be the default when
setting up Server 2003):

After joining Samba4 to the domain I was unable to raise the level.
Samba-tool just had an error when trying to show the levels:

ERROR: Could not retrieve the actual domain, forest level and/or 
lowest DC function level!

And on the Windows DC the only change that was possible was to raise up
the domain operating level to "Windows 2000 native". No other changes
were possible [cannot raise ...because this domain includes domain
controllers that are not running the appropriate version of Windows]

I also got issues with replicate:

samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local
ERROR(<class 'samba.drs_utils.drsException'>): DsReplicaSync failed -
drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 331, in run
drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,source_dsa_guid, NC, req_options)
File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
raise drsException("DsReplicaSync failed %s" % estr)

with option --local:
samba-tool drs replicate lab07 lab03
dc=domaindnszones,dc=adlab,dc=local --local
Partition[dc=domaindnszones,dc=adlab,dc=local] objects[26]
linked_values[0]

the same behaviour with forestdnszones.

--- Scenario 2:

Then the same setup again, but _before_ joining Samba, the Domain 
and Forest level were raised up to 2003. After joining the samba server,
the levels were shown without issues:

samba-tool was able to list the levels:

Domain and forest function level for domain 'DC=adlab,DC=local'
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003

Also, replicating seems (after a restart of Samba) to work successfully
(with all its options like full-sync, local, etc.):

samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local            
Replicate from lab03 to lab07 was successful.
samba-tool drs replicate lab07 lab03 dc=forestdnszones,dc=adlab,dc=local
Replicate from lab03 to lab07 was successful.

I was able to demote the Windows server like the times before.

My conclusion is that ensuring the forest and domain operating levels
_before_ joining the Samba server to the domain, and not hurrying with
the replacement so that the replication is done completely, prevents
lots of issues and headaches...

I think the next test will be with Server 2008...

Regards
Peter
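
The pre-join check the message concludes with, as an added example that is not part of the original post: a shell function that reads a level listing in the format quoted above and succeeds only when the forest, domain and lowest-DC levels all meet a minimum. The name check_levels and the accepted value format ("(Windows) YYYY", optionally followed by " R2") are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-join function-level gate.
# Reads a level listing in the format quoted in the message on stdin.
# Returns 0 only if forest, domain and lowest-DC levels are all >= $1.
check_levels() {
    awk -v req="${1:-2003}" '
    /^ERROR/ { bad = 1; print "level query reported: " $0 }
    /^(Forest function level|Domain function level|Lowest function level of a DC):/ {
        name = $0; sub(/:.*/, "", name)
        value = $0; sub(/^[^:]*:[ \t]*/, "", value); sub(/[ \t\r]+$/, "", value)
        seen++
        # Assumption: a usable value is "(Windows) YYYY", optionally " R2".
        # Anything else is treated as not meeting the requirement.
        if (value ~ /^\(Windows\) [0-9][0-9][0-9][0-9]( R2)?$/) {
            year = substr(value, 11, 4) + 0
            if (year < req + 0) { bad = 1; print name " is " value ", need " req " or higher" }
        } else { bad = 1; print name " has unrecognised value: " value }
    }
    END {
        if (seen != 3) { bad = 1; print "expected 3 level lines, found " (seen + 0) }
        exit (bad ? 1 : 0)
    }'
}

# Listing from scenario 2 of the message.
raised="Domain and forest function level for domain 'DC=adlab,DC=local'
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003"
# Constructed sample: the same listing with forest and domain left at 2000.
low="Forest function level: (Windows) 2000
Domain function level: (Windows) 2000
Lowest function level of a DC: (Windows) 2003"

for sample in "$raised" "$low"; do
    if printf '%s\n' "$sample" | check_levels 2003; then
        echo "levels OK, join can proceed"
    else
        echo "levels not ready, do not join yet"
    fi
done
```

On a real system the listing would come from `samba-tool domain level show` pointed at the existing DC; the function only reads text and changes nothing.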

