[Samba] R: R: Error in 'samba-tool domain level show's

[Manzini Enrico]

Hi, the change of the msds-behavior with adsiedit, modifiy the dc version of my rodc, and now with all domain controller holding windows server 2012 version, samba-tool show me that the domain function level is 2008R2, but the function level of a dc in 2012 r2, that let me to increase both the domain and the forest functional level.

I attach some screeshots for clarification

Enrico Manzini




-----Messaggio originale-----
Da: samba <samba-bounces at lists.samba.org> Per conto di Rowland Penny via samba
Inviato: lunedì 23 giugno 2025 12:23
A: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Oggetto: Re: [Samba] R: Error in 'samba-tool domain level show's

On Mon, 23 Jun 2025 09:48:08 +0000
Manzini Enrico <emanzini at zensistemi.com> wrote:

> Hi rowland
> Try to set "ad dc functional level = 2016" in /etc/samba/smb.conf of 
> the rwdc, because it seem the dc functional level is lower that one 
> specified in the domain functional level
> 

Thanks for that, it made me stop and think, not because I didn't have that line in my DCs, I did.

I traced the error to a an RODC that I have running, an ldbsearch produced this:

sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb -P -b 'DC=samdom,DC=example,DC=com' -s sub '(msDS-Behavior-Version=*)'
msDS-Behavior-Version

..................
# record 2
dn: CN=NTDS Settings,CN=RODC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
msDS-Behavior-Version: 4

Changing that '4' to a '7' with ldbmodify fixed the problem, running 'sudo samba-tool domain level show' now produces this:

Domain and forest function level for domain 'DC=samdom,DC=example,DC=com'

Forest function level: (Windows) 2016
Domain function level: (Windows) 2016
Lowest function level of a DC: (Windows) 2016

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba