samba - Jan 2014 - ERROR: Could not retrieve the actual domain, forest level and/or lowest DC function level!

Doing some basic sanity checks on our Samba4 setup (migrating off of a 
Win2000/Win2003 AD) and the following command is throwing an error.  Not 
sure how to troubleshoot this as most other things seem to be working.

# samba-tool domain level show

ERROR: Could not retrieve the actual domain, forest level and/or lowest 
DC function level!

...

We are running the Sernet Samba package for Active Directory mode:

Installed Packages
Name        : sernet-samba-ad
Arch        : x86_64
Version     : 4.1.3
Release     : 7.el6
Size        : 26 M
Repo        : installed
 From repo   : sernet-samba-4.1

The smb.conf file is the minimum, so we are taking default values for 
most things.

-------------------------------------------------
# cat /etc/samba/smb.conf
-------------------------------------------------
# Global parameters
[global]
         workgroup = EXAMPLEGROUP
         realm = intra.example.com
         netbios name = EXAMPLEHOST
         server role = active directory domain controller

         interfaces = 172.30.0.40

         dns forwarder = 172.30.0.2

[netlogon]
         path = /var/lib/samba/sysvol/intra.nybeta.com/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
-------------------------------------------------

On 1/9/2014 10:06 AM, Thomas Harold wrote:
> Doing some basic sanity checks on our Samba4 setup (migrating off of a
> Win2000/Win2003 AD) and the following command is throwing an error.  Not
> sure how to troubleshoot this as most other things seem to be working.
>
> # samba-tool domain level show
>
> ERROR: Could not retrieve the actual domain, forest level and/or lowest
> DC function level!
>
In digging around some more:

- This was originally a Windows 2000 Active Directory Domain.

- Looking at the domain properties in AD Users & Groups shows that it is 
a 2000 domain on a 2000 forest (functional level).

- Later a Win2003 server was added (not Win2003 R2, but the first 
version of 2003) and all roles were seized.  The functional level was 
never upgraded to 2003.

- Running "addiag.exe" on the 2003 server shows no issues while
running
the default tests.

- Samba4 has had no trouble joining the domain as either domain 
controllers or as member servers.

- Attempting to do "adprep.exe /forestprep" says that the forest has 
already been updated to 2003.  The same applies to running "adprep.exe 
/domainprep".

So what I have is a bit of a mess where the ADPrep tool thinks the work 
has already been done, but the Win2003 AD server thinks that it is still 
running at the 2000 functional level.