How functional levels work

[Rowland Penny]

On 10/04/16 20:15, Andrew Bartlett wrote:
> On Sun, 2016-04-10 at 12:11 +0100, Rowland Penny wrote:
>> OK, whilst trying to write 'fsmo.py' yet again, taking into account
>> that
>> there may not be any dns zones, I provisioned a new domain with this:
>>
>> samba-tool domain provision --use-rfc2307 --use-xattrs=yes
>> --realm=SAMBA.TEST.TLD --domain=SAMBA --server-role=dc
>> --function-level=2000 --adminpass=XXXXXXXXXX
>>
>> When I checked with:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> "CN=Sites,CN=configuration,DC=samba,DC=test,DC=tld" -s sub
>> '(objectclass=nTDSDSA)'
>>
>> Amongst the results, I found this:
>>
>> msDS-Behavior-Version: 4
> I'm presuming this is on the DC object?
>
>> I sort of expected it not to be there, or set to '0'
>>
>> so I ran:
>>
>> root at dc2000a:~# samba-tool domain level show
>> Domain and forest function level for domain 'DC=samba,DC=test,DC=tld'
>>
>> Forest function level: (Windows) 2000
>> Domain function level: (Windows) 2000
>> Lowest function level of a DC: (Windows) 2008 R2
>>
>>
>> OK, how can the only DC in a domain have a lowest function level that
>> is
>> higher than the domain or forest level ?? or am I missing something ?
> The DC functional level is (emulating) the software version of windows
> it is.  It tells you how high you can move the forest and domain
> functional levels, because of course you can't have them higher than
> the lowest (oldest) server.
>
> Andrew Bartlett
>

Sorry, still don't understand this :-)

 From what you are saying, if another DC is joined, this sets what the 
functional level can be raised to, but you also say it cannot be higher 
than the lowest server.

So:
original DC:
Domain function level: (Windows) 2000

New DC:
Lowest function level of a DC: (Windows) 2008 R2

 From that, the second DC could be raised to '2008 R2' , this is higher 
than the lowest server, or am I still missing something ?????

Totally lost here.

Rowland