[Samba] Does DomainCompatibilityMode still work for NT4 domain joins in Windows 10?

David Whitney soonerdew at gmail.com
Tue Jun 19 14:45:13 UTC 2018


Rowland, thanks so much for taking the time to reply.

I did pull a NetMon trace of DNS queries from the W10 Pro box, and sure
enough, even with the DomainCompatibilityMode and DNSNameResolutionRequired
registry settings applied (and verified for typos or strange characters or
other possible flotsam), the only DNS lookup the box tries is to the
conspicuous AD entry (_ldap....). I think that last bit of native support
is really gone. You're right; we all knew it would happen eventually :)

As far as migrating - in reality, my Samba server is a trivially simple
home setup that I installed years ago and have maintained for my own hobby
interest and education. I've gone through several migrations from older
versions, and it really exists otherwise only as a file server. It's fun to
have domain-joined machines on my network, but it has never been essential.
In that vein, I have the luxury of upgrading/migrating to a Samba AD
domain, or not. If nothing else, we might get the word out that the door
may have closed on this part of NT legacy support. (And, frankly, I'd
rather not drop the SMB support level down to just NT1 anyway)

Thanks again for your information and insight, Rowland. It is much
appreciated!

-David


On Tue, Jun 19, 2018 at 1:51 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 18 Jun 2018 17:12:51 -0500
> David Whitney via samba <samba at lists.samba.org> wrote:
>
> > Greetings!
> >
> > I have a brand new Windows 10 Pro box, Version 1703, Build
> > 15063.1155, and made the two registry mods (DNSNameResolutionRequired
> > and DomainCompatibilityMode) to enable it to join an old-style NT4
> > Samba domain (Version 4.3). However, I note that the dialog for
> > joining a domain within Windows 10 now specifically says to "Join an
> > Active Directory Domain," and no attempt to join the domain has
> > succeeded. In all cases, the domain name I provide is not found.
> >
> > I began to observe a slight delay from the time I would provide the
> > domain name and receive the failure message, which led me to believe
> > the DNS lookup is still occurring. I added the name of my DC to both
> > the local HOSTS file and even the LMHOSTS file on the W10 box,
> > neither to any avail.
> >
> > I am suspecting now that this most recent build of Windows has quietly
> > turned off the last vestige of NT4 domain-join support by now ignoring
> > minimally the DomainCompatibilityMode setting. I was wondering if any
> > other users with a very recent Windows 10 Pro build might have
> > experienced the same issue. I have not yet undertaken a network trace
> > to see if the W10 box is querying DNS for the conspicuous "_ldap..."
> > style AD domain record.
> >
> > Also, I was wondering why logon for a domain-joined W10 box against
> > an NT4 Samba domain requires the max SMB level to be NT1. My
> > understanding was that Samba started supporting 3.11 with 4.3.
>
> Windows seems intent on removing all access to NT4-style domains.
> Latterly, the only way to connect is to set the SMB level to NT1, but
> even that doesn't seem to help now.
>
> Whilst trying not to sound like a cracked record, can I urge you to
> make plans to upgrade to AD whilst you can, and before Windows just
> stops working totally with your NT4-style domain. I fear that day is not
> far away.
>
> Rowland

