Domain Function Level?

Andrew Bartlett abartlet at
Fri Jan 27 14:26:08 MST 2012

On Fri, 2012-01-27 at 16:11 -0500, Charles Tryon wrote:
> When I provision a Samba4 domain, my understanding is that the default
> Domain Function Level is WS 2003.  What are the implications, in terms of
> features supported by Samba, of pushing this up to a higher level?  Does
> Samba4 support the various different features across these functional
> levels, or does it just tweak the API to mimic the various Microsoft
> changes from one version of their server software to another?
> Is it a good idea to use the highest level you can on your network
> (depending on where your client machines are), or is it just safer to stick
> with the default unless you REALLY need the higher level?
> (I'm just starting to get into the grubby complexities of dealing with
> AD.... and I wonder why I go home every night with an aching head... :-P)

Off the top of my head:

For Samba, the primary change is the introduction of AES keys for
Kerberos.  (2008)

2008 R2 brings the recycle bin functionality, and having a 2003 domain
is required for RODC support and link value replication (replicate only
the changes to the members of a group, not the whole group membership).

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team

More information about the samba-technical mailing list