Anton Shevtsov
2026-May-14 08:40 UTC
[Samba] Possible bug: RODC does not upgrade msDS-Behavior-Version when running samba-tool domain functionalprep
Hello,
I have three domain controllers (2x RWDC, 1x RODC) running Samba 4.21.
All of them have |ad dc functional level = 2016| in their |smb.conf|.
I want to raise the domain and forest functional level to 2016 (and also
update the schema). All commands are run on |dc.test.alt|, which holds
all FSMO roles. However, I get the error:
ERROR: Domain function level can't be higher than the lowest function
level of a DC!
Here is the output of the commands I ran:
[root@dc ~]# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
[root@dc ~]# samba-tool ou listobjects 'OU=Domain Controllers'
CN=DC,OU=Domain Controllers
CN=DC2,OU=Domain Controllers
CN=DC3-RODC,OU=Domain Controllers
[root@dc ~]# grep 'ad dc' /etc/samba/smb.conf
ad dc functional level = 2016
[root@dc ~]# ssh root@dc2 "grep 'ad dc' /etc/samba/smb.conf"
ad dc functional level = 2016
[root@dc ~]# ssh user@dc3-rodc "grep 'ad dc' /etc/samba/smb.conf"
ad dc functional level = 2016
[root@dc ~]# samba-tool domain level show
Domain and forest function level for domain 'DC=test,DC=alt'
Forest function level: (Windows) 2012 R2
Domain function level: (Windows) 2012 R2
Lowest function level of a DC: (Windows) 2012 R2
[root@dc ~]# samba-tool domain schemaupgrade --schema=2019
No changes applied to schema
[root@dc ~]# samba-tool domain functionalprep
--function-level=2016
[root@dc ~]# samba-tool domain
level raise --domain-level=2016 --forest-level=2016
ERROR: Domain function level can't be higher than the lowest function level of a DC!
I suspected the RODC might be the problem, so I checked the
|msDS-Behavior-Version| attribute on all DCs:
[root@dc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Configuration,DC=test,DC=alt" '(objectClass=nTDSDSA)' dn msDS-Behavior-Version
# record 1 (DC2) - msDS-Behavior-Version: 7
# record 2 (DC) - msDS-Behavior-Version: 7
# record 3 (RODC) - msDS-Behavior-Version: 6 <-- problem here
Indeed, the RODC has version |6| (2012 R2) while the RWs have version
|7| (2016).
Running |samba-tool domain functionalprep --function-level=2016| did not
update the RODC's attribute.
As a workaround, I manually updated the attribute using an LDIF file and
|ldbmodify|:
cat > /root/raise-rodc-fl.ldif << 'EOF'
dn: CN=NTDS Settings,CN=DC3-RODC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 7
EOF
ldbmodify -H /var/lib/samba/private/sam.ldb /root/raise-rodc-fl.ldif
After this manual change, |samba-tool domain level raise| succeeded and
the level is now shown as 2016.
*My questions:*
1. Is this a bug? Should |samba-tool domain functionalprep| or |domain
   level raise| automatically update the RODC's |msDS-Behavior-Version|?
2. Is manually editing this attribute via |ldbmodify| a safe and
   recommended approach, or could it cause issues?
--
*Anton*
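
The per-DC check described in the post, as an added example that is not part of the original message or of Samba's code: it parses LDIF in the shape ldbsearch prints for the nTDSDSA query and names the DCs whose msDS-Behavior-Version is below the target level. The sample records are constructed from the values the post reports (DC2's site is assumed to be site1), and the function names are hypothetical.

```python
# Added example: flag DCs whose msDS-Behavior-Version is below the target level.
import re

LEVEL_NAMES = {6: "2012 R2", 7: "2016"}  # the two values reported in the post

# Constructed sample in the shape ldbsearch prints; values mirror the post.
SAMPLE_LDIF = """\
# record 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=t
 est,DC=alt
msDS-Behavior-Version: 7

# record 2
dn: CN=NTDS Settings,CN=DC,CN=Servers,CN=site1,CN=Sites,CN=Configuration,DC=test,DC=alt
msDS-Behavior-Version: 7

# record 3
dn: CN=NTDS Settings,CN=DC3-RODC,CN=Servers,CN=site1,CN=Sites,CN=Configuration
 ,DC=test,DC=alt
msDS-Behavior-Version: 6
"""


def dc_levels(ldif):
    """Return {server CN: msDS-Behavior-Version} for each nTDSDSA record."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    levels = {}
    for record in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in record.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                attrs[key.lower()] = value
        match = re.match(r"CN=NTDS Settings,CN=([^,]+),", attrs.get("dn", ""), re.I)
        if match and "msds-behavior-version" in attrs:
            levels[match.group(1)] = int(attrs["msds-behavior-version"])
    return levels


def blockers(levels, target):
    """Names of DCs below the target level, which is what blocks the raise."""
    return sorted(name for name, level in levels.items() if level < target)


if __name__ == "__main__":
    found = dc_levels(SAMPLE_LDIF)
    low = min(found.values())
    print(f"lowest DC level: {low} ({LEVEL_NAMES.get(low, 'unknown')})")
    print("below 7 (2016):", blockers(found, 7))
```

To use it on a live domain, pass the output of the ldbsearch command from the post to dc_levels() in place of SAMPLE_LDIF.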