Windows 2000 domain level
gulikoza
gulikoza at users.sourceforge.net
Sun Mar 9 03:03:40 MDT 2014
Hello,
I'm starting with samba4 so please excuse me if I ask something obvious,
but I'll try not to bother everyone with n00b questions :-)
I'm trying to replace a failed W2K8 AD server with samba4. The server has
been temporarily made available in a virtual environment, so a simple join
samba/transfer roles/demote plan is made. Why this is posted to a
technical list follows...
I have found out that the domain and forest are actually windows 2000
level (must have been migrated from some previous server without raising
the levels). Now here is what makes it interesting. I could not raise
forest/domain level either from samba or w2k8.
samba-tool domain level show and raise showed this error:
ERROR: Could not retrieve the actual domain, forest level and/or lowest DC function level!
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 865, in run
    min_level_dc = int(res_dc_s[0]["msDS-Behavior-Version"][0]) # Init value
After checking with ADSI Edit, the samba4 entry in the Configuration NTDS
had msDS-Behavior-Version <not set>. I was searching how to force samba4
reported dc level as w2k8 raise was failing with the same problem ("The
following Active Directory Domain Controllers are running earlier versions
of windows..."). At this point I also updated to latest version 4.1.5 (I'm
using Centos6, tried samba4 4.0.1 compile from SoGo, but then rebuilt the
RPM with 4.1.5). For some reason samba did not set msDS-Behavior-Version.
I couldn't modify the entry with ADSI ("Illegal modify operation"). That's
problem no. 1 - it seems as if samba4 does not correctly set DC reported
level when joined to a windows 2000 domain.
I tried demoting samba4 and raising the level when W2k8 would be the only
AD controller. The demote failed with:
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1772> <>
I could not find the option how to specify samba-tool to sign ldap
requests or use tls (I did set "client ldap sasl wrapping = sign" to
smb.conf as a last resort, but this probably does not influence
samba-tool).
I ended up deleting everything from samba and doing metadata cleanup. Just
for the test, I re-joined the domain with version 4.1.5 cleanly and it
showed the same problems (domain level show not working,
msDS-Behavior-Version <not set>). I repeated clean/delete procedure and
raised the domain level to windows 2003. After joining samba4, the
msDS-Behavior-Version of samba4 server is now set to 4. Domain level show
works and correctly shows 2003 domain level. Raising the level to 2008
would probably work now, but I wanted to work in steps.
I started with all of this because the samba4 dns did not want to resolve
its hostname for some reason. When I wanted to switch to BIND, it said
that the domain level is too low (I hadn't even noticed that before). It
could resolve other hosts and dns forwarding worked, but its own hostname
could not be resolved (and yes, the W2k8 server was resolving the samba
hostname and showing it in the zone). With the current 2003 level domain,
samba resolves its hostname correctly and the dns console from w2k8 shows the
dns zones on samba4.
All this shows certain problems with windows 2000 level forest/domain. As
much as this is probably outdated and the focus of development is on newer
features, there are probably a lot of setups where domains were migrated
from older hardware without raising the levels. A warning would be nice
before joining samba4, that certain features would not work as it would
save the admin a lot of time debugging and demoting/re-joining samba4
because the level cannot be raised. Ideally of course, it should be
possible to raise the level of windows 2000 domain with samba4 joined as
DC.
Regards,
gulikoza
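As an added example, not code from the post or from Samba itself: a small Python pre-flight check that computes the lowest DC functional level the way samba-tool's domain.py does, but reports a DC whose msDS-Behavior-Version is unset instead of failing on it. The DNs, the sample entries and the level-name table are constructed for the example.

```python
# Added example, not code from the post or from Samba: a pre-flight check that
# mirrors what "samba-tool domain level show" computes, but treats a DC whose
# NTDS Settings object has no msDS-Behavior-Version as a reported condition
# instead of crashing on res_dc_s[0]["msDS-Behavior-Version"][0].
# Entries are constructed samples shaped like ldb results (attr -> [values]).

# msDS-Behavior-Version values Active Directory uses for functional levels.
LEVEL_NAMES = {0: "Windows 2000", 1: "Windows 2003 interim",
               2: "Windows 2003", 3: "Windows 2008", 4: "Windows 2008 R2"}

def dc_level(entry):
    """Integer functional level of one NTDS Settings entry, or None if unset."""
    values = entry.get("msDS-Behavior-Version") or []
    return int(values[0]) if values else None

def lowest_dc_level(entries):
    """Return (lowest level among DCs that report one, [DNs where unset])."""
    levels, unset = [], []
    for entry in entries:
        level = dc_level(entry)
        if level is None:
            unset.append(entry["dn"])
        else:
            levels.append(level)
    return (min(levels) if levels else None), unset

def raise_check(entries, target):
    """Return (ok, reason) for raising the domain/forest level to `target`.

    A DC with the attribute unset blocks the raise, which is what the post
    describes for a samba4 DC joined to a Windows 2000 level domain.
    """
    lowest, unset = lowest_dc_level(entries)
    if unset:
        return False, "msDS-Behavior-Version not set on: " + ", ".join(unset)
    if lowest is None:
        return False, "no DC reported a functional level"
    if lowest < target:
        return False, "lowest DC is %s (%d), below %s (%d)" % (
            LEVEL_NAMES.get(lowest, "unknown"), lowest,
            LEVEL_NAMES.get(target, "unknown"), target)
    return True, "all DCs are at %s or above" % LEVEL_NAMES.get(target, "unknown")

# Constructed DNs and entries: BEFORE models the failing join (samba4 unset),
# AFTER models the clean re-join at 2003 level, where samba4 reported 4.
SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
W2K8_DN = "CN=NTDS Settings,CN=W2K8DC," + SITE
SAMBA_DN = "CN=NTDS Settings,CN=SAMBA4," + SITE
BEFORE = [{"dn": W2K8_DN, "msDS-Behavior-Version": ["3"]}, {"dn": SAMBA_DN}]
AFTER = [{"dn": W2K8_DN, "msDS-Behavior-Version": ["3"]},
         {"dn": SAMBA_DN, "msDS-Behavior-Version": ["4"]}]
```

Against a live domain the same functions can be fed the entries returned by an ldb search for objectClass=nTDSDSA under the Configuration partition, with the DN taken from each result.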