David Whitney
2018-Jun-18  22:12 UTC
[Samba] Does DomainCompatibilityMode still work for NT4 domain joins in Windows 10?
Greetings!

I have a brand new Windows 10 Pro box, Version 1703, Build 15063.1155, and made the two registry mods (DNSNameResolutionRequired and DomainCompatibilityMode) to enable it to join an old-style NT4 Samba domain (Version 4.3). However, I note that the dialog for joining a domain within Windows 10 now specifically says to "Join an Active Directory Domain," and no attempt to join the domain has succeeded. In all cases, the domain name I provide is not found.

I began to observe a slight delay from the time I would provide the domain name and receive the failure message, which led me to believe the DNS lookup is still occurring. I added the name of my DC to both the local HOSTS file and even the LMHOSTS file on the W10 box, neither to any avail.

I am suspecting now that this most recent build of Windows has quietly turned off the last vestige of NT4 domain-join support by now ignoring minimally the DomainCompatibilityMode setting. I was wondering if any other users with a very recent Windows 10 Pro build might have experienced the same issue. I have not yet undertaken a network trace to see if the W10 box is querying DNS for the conspicuous "_ldap..." style AD domain record.

Also, I was wondering why logon for a domain-joined W10 box against an NT4 Samba domain requires the max SMB level to be NT1. My understanding was that Samba started supporting 3.11 with 4.3.

Many thanks for your attention and consideration. Anyone with additional information or insight on this would be appreciated!

-David
Rowland Penny
2018-Jun-19  06:50 UTC
[Samba] Does DomainCompatibilityMode still work for NT4 domain joins in Windows 10?
On Mon, 18 Jun 2018 17:12:51 -0500 David Whitney via samba <samba at lists.samba.org> wrote:

> Greetings!
>
> I have a brand new Windows 10 Pro box, Version 1703, Build
> 15063.1155, and made the two registry mods (DNSNameResolutionRequired
> and DomainCompatibilityMode) to enable it to join an old-style NT4
> Samba domain (Version 4.3). However, I note that the dialog for
> joining a domain within Windows 10 now specifically says to "Join an
> Active Directory Domain," and no attempt to join the domain has
> succeeded. In all cases, the domain name I provide is not found.
>
> I began to observe a slight delay from the time I would provide the
> domain name and receive the failure message, which led me to believe
> the DNS lookup is still occurring. I added the name of my DC to both
> the local HOSTS file and even the LMHOSTS file on the W10 box,
> neither to any avail.
>
> I am suspecting now that this most recent build of Windows has quietly
> turned off the last vestige of NT4 domain-join support by now ignoring
> minimally the DomainCompatibilityMode setting. I was wondering if any
> other users with a very recent Windows 10 Pro build might have
> experienced the same issue. I have not yet undertaken a network trace
> to see if the W10 box is querying DNS for the conspicuous "_ldap..."
> style AD domain record.
>
> Also, I was wondering why logon for a domain-joined W10 box against
> an NT4 Samba domain requires the max SMB level to be NT1. My
> understanding was that Samba started supporting 3.11 with 4.3.

Windows seems intent on removing all access to NT4-style domains. Latterly, the only way to connect is to set the SMB level to NT1, but even that doesn't seem to help now.

Whilst trying not to sound like a cracked record, can I urge you to make plans to upgrade to AD whilst you can, and before Windows just stops working totally with your NT4-style domain. I fear that day is not far away.

Rowland
David Whitney
2018-Jun-19  14:45 UTC
[Samba] Does DomainCompatibilityMode still work for NT4 domain joins in Windows 10?
Rowland, thanks so much for taking the time to reply.

I did pull a NetMon trace of DNS queries from the W10 Pro box, and sure enough, even with the DomainCompatibilityMode and DNSNameResolutionRequired registry settings applied (and verified for typos or strange characters or other possible flotsam), the only DNS lookup the box tries is to the conspicuous AD entry (_ldap....). I think that last bit of native support is really gone. You're right; we all knew it would happen eventually :)

As far as migrating - in reality, my Samba server is a trivially simple home setup that I installed years ago and have maintained for my own hobby interest and education. I've gone through several migrations from older versions, and it really exists otherwise only as a file server. It's fun to have domain-joined machines on my network, but it has never been essential. In that vein, I have the luxury of upgrading/migrating to a Samba AD domain, or not.

If nothing else, we might get the word out that the door may have closed on this part of NT legacy support. (And, frankly, I'd rather not drop the SMB support level down to just NT1 anyway)

Thanks again for your information and insight, Rowland. It is much appreciated!

-David

On Tue, Jun 19, 2018 at 1:51 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 18 Jun 2018 17:12:51 -0500
> David Whitney via samba <samba at lists.samba.org> wrote:
>
> > Greetings!
> >
> > I have a brand new Windows 10 Pro box, Version 1703, Build
> > 15063.1155, and made the two registry mods (DNSNameResolutionRequired
> > and DomainCompatibilityMode) to enable it to join an old-style NT4
> > Samba domain (Version 4.3). However, I note that the dialog for
> > joining a domain within Windows 10 now specifically says to "Join an
> > Active Directory Domain," and no attempt to join the domain has
> > succeeded. In all cases, the domain name I provide is not found.
> >
> > I began to observe a slight delay from the time I would provide the
> > domain name and receive the failure message, which led me to believe
> > the DNS lookup is still occurring. I added the name of my DC to both
> > the local HOSTS file and even the LMHOSTS file on the W10 box,
> > neither to any avail.
> >
> > I am suspecting now that this most recent build of Windows has quietly
> > turned off the last vestige of NT4 domain-join support by now ignoring
> > minimally the DomainCompatibilityMode setting. I was wondering if any
> > other users with a very recent Windows 10 Pro build might have
> > experienced the same issue. I have not yet undertaken a network trace
> > to see if the W10 box is querying DNS for the conspicuous "_ldap..."
> > style AD domain record.
> >
> > Also, I was wondering why logon for a domain-joined W10 box against
> > an NT4 Samba domain requires the max SMB level to be NT1. My
> > understanding was that Samba started supporting 3.11 with 4.3.
>
> Windows seems intent on removing all access to NT4-style domains.
> Latterly, the only way to connect is to set the SMB level to NT1, but
> even that doesn't seem to help now.
>
> Whilst trying not to sound like a cracked record, can I urge you to
> make plans to upgrade to AD whilst you can, and before Windows just
> stops working totally with your NT4-style domain. I fear that day is not
> far away.
>
> Rowland