How functional levels work

Michael Adam obnox at
Mon Apr 11 05:31:40 UTC 2016

On 2016-04-10 at 20:29 +0100, Rowland Penny wrote:
> On 10/04/16 20:15, Andrew Bartlett wrote:
> >On Sun, 2016-04-10 at 12:11 +0100, Rowland Penny wrote:
> >>
> >>root@dc2000a:~# samba-tool domain level show
> >>Domain and forest function level for domain 'DC=samba,DC=test,DC=tld'
> >>
> >>Forest function level: (Windows) 2000
> >>Domain function level: (Windows) 2000
> >>Lowest function level of a DC: (Windows) 2008 R2
> >>
> >>OK, how can the only DC in a domain have a lowest function
> >>level that is higher than the domain or forest level ??
> >>or am I missing something ?

This says that there is no DC in the domain
(or forest?) that is of level lower than 2008 R2.
But the domain and forest are still configured to
only use 2000 level functionality, hence allowing
for older DCs. That is no contradiction:

These per domain and forest settings are explicitly
configurable. These settings of domain and forest
functional level set minimum levels for DCs of the
domain / forest. But the de facto lower bound for
functional level of existing DCs in a domain/forest
does not implicitly set the domain/forest bound.

E.g. a domain with functional level 2000 can have
only DCs of level 2008R2 or newer, but a domain of
level 2008R2 cannot have a DC of level 2003.

Cheers - Michael
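
The rule described in this message, as an added example that is not part of the original post or of Samba's code: it parses the `samba-tool domain level show` output quoted above and checks it against the stated constraint. The level names other than 2000 and 2008 R2, and all function names, are assumptions.

```python
import re

# Ascending functional levels. "2000" and "2008 R2" are spelled as in the
# output quoted above; the other names are assumed to follow the same style.
LEVELS = ["2000", "2003", "2008", "2008 R2", "2012", "2012 R2", "2016"]

KEYS = {
    "Forest function level": "forest",
    "Domain function level": "domain",
    "Lowest function level of a DC": "lowest_dc",
}
LINE_RE = re.compile(r"^\s*(%s):\s*\(Windows\)\s*(.+?)\s*$" % "|".join(KEYS), re.M)


def parse_levels(output):
    """Map each reported level to its rank in LEVELS (unknown name: ValueError)."""
    found = {KEYS[label]: LEVELS.index(name) for label, name in LINE_RE.findall(output)}
    missing = sorted(set(KEYS.values()) - set(found))
    if missing:
        raise ValueError("missing in output: " + ", ".join(missing))
    return found


def dc_allowed(levels, dc_level):
    """A DC is admissible only at or above both configured minimums."""
    return LEVELS.index(dc_level) >= max(levels["domain"], levels["forest"])


def violations(levels):
    """Configured levels that the lowest existing DC does not reach."""
    return [k for k in ("domain", "forest") if levels["lowest_dc"] < levels[k]]


def highest_safe_level(levels):
    """Highest configured level that would still admit every existing DC."""
    return LEVELS[levels["lowest_dc"]]


# Output from the thread (quote markers removed).
SAMPLE = """\
Domain and forest function level for domain 'DC=samba,DC=test,DC=tld'

Forest function level: (Windows) 2000
Domain function level: (Windows) 2000
Lowest function level of a DC: (Windows) 2008 R2
"""

if __name__ == "__main__":
    lv = parse_levels(SAMPLE)
    print(violations(lv), dc_allowed(lv, "2003"), highest_safe_level(lv))
```

An empty `violations` list for the quoted output matches the explanation above: the DC sits above the configured minimums, which is permitted.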

More information about the samba-technical mailing list