How functional levels work

Michael Adam obnox at samba.org
Mon Apr 11 07:21:13 UTC 2016


On 2016-04-11 at 08:09 +0100, Rowland Penny wrote:
> On 11/04/16 08:03, Michael Adam wrote:
> >On 2016-04-11 at 07:56 +0100, Rowland Penny wrote:
> >>On 11/04/16 06:31, Michael Adam wrote:
> >>>On 2016-04-10 at 20:29 +0100, Rowland Penny wrote:
> >>>>On 10/04/16 20:15, Andrew Bartlett wrote:
> >>>>>On Sun, 2016-04-10 at 12:11 +0100, Rowland Penny wrote:
> >>>>>>root at dc2000a:~# samba-tool domain level show
> >>>>>>Domain and forest function level for domain 'DC=samba,DC=test,DC=tld'
> >>>>>>
> >>>>>>Forest function level: (Windows) 2000
> >>>>>>Domain function level: (Windows) 2000
> >>>>>>Lowest function level of a DC: (Windows) 2008 R2
> >>>>>>
> >>>>>>OK, how can the only DC in a domain have a lowest function
> >>>>>>level that is higher than the domain or forest level ??
> >>>>>>or am I missing something ?
> >>>This says that there is no DC in the domain
> >>>(or forest?) that is of level lower than 2008 R2.
> >>>But the domain and forest are still configured to
> >>>only use 2000 level functionality, hence allowing
> >>>for older DCs. That is no contradiction:
> >>Ah, light dawns (I think), when you say 'level lower than 2008 R2', this
> >>means 'The highest level of DC you can join is 2008 R2, but it will function
> >>as a 2000 server'.
> >Essentially, yes. The advanced features will only be
> >enabled once the domain (or forest) functional level
> >is raised.
> >
> >See
> >
> >https://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx
> >
> >and
> >
> >https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
> >
> >Cheers - Michael
> 
> Of course, you could just have said 'Microsoft named the attribute' and a
> better name would have been 'ms-highest-dc-you-can-join'

Isn't it rather lowest-dc-you-can-join?

And, well, I think the name is not so badly chosen:

It is the level of function(ality) at which the domain
or forest operates as a whole. This means that no older DC
can join. Newer DCs can join, but they will operate at the
prescribed level which may be below their capabilities...

Michael
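
The relationship discussed in this thread, as an added example that is not part of the original message or of Samba's code: it parses the `samba-tool domain level show` output quoted above and applies the rule that a DC below the domain level cannot join while a newer DC operates at the domain level. The function names and the four-entry level list are assumptions made for the illustration.

```python
import re

# Oldest to newest, using the labels printed in the thread's output.
# Assumption: only these four levels are modelled here.
LEVELS = ["2000", "2003", "2008", "2008 R2"]

# Constructed sample: the output quoted in the thread.
SAMPLE = """\
Domain and forest function level for domain 'DC=samba,DC=test,DC=tld'

Forest function level: (Windows) 2000
Domain function level: (Windows) 2000
Lowest function level of a DC: (Windows) 2008 R2
"""

_KEYS = {"Forest function level": "forest",
         "Domain function level": "domain",
         "Lowest function level of a DC": "lowest_dc"}
_LINE = re.compile(r"^(%s): \(Windows\) (.+?)\s*$"
                   % "|".join(map(re.escape, _KEYS)), re.M)

def parse_levels(text):
    """Return {'forest', 'domain', 'lowest_dc'} parsed from the tool output."""
    found = {_KEYS[k]: v for k, v in _LINE.findall(text)}
    if set(found) != set(_KEYS.values()):
        raise ValueError("missing level line(s) in output")
    if any(v not in LEVELS for v in found.values()):
        raise ValueError("level not in the modelled list")
    return found

def dc_can_join(dc_level, domain_level):
    """A DC may join only if it is at least as new as the domain level."""
    return LEVELS.index(dc_level) >= LEVELS.index(domain_level)

def effective_level(dc_level, domain_level):
    """A joined DC operates at the domain level, whatever it is capable of."""
    if not dc_can_join(dc_level, domain_level):
        raise ValueError("DC is older than the domain functional level")
    return domain_level

def raise_headroom(levels):
    """Levels the domain could be raised to without excluding an existing DC."""
    lo = LEVELS.index(levels["domain"])
    hi = LEVELS.index(levels["lowest_dc"])
    return LEVELS[lo + 1:hi + 1]

if __name__ == "__main__":
    lv = parse_levels(SAMPLE)
    print(lv, "-> domain can be raised to:", raise_headroom(lv))
```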