Difference between revisions of "Raising the Functional Levels"

(Initial version of the 'Raising the function levels' HowTo)
 
m
 
(12 intermediate revisions by 4 users not shown)
Line 1: Line 1:
= Impact of upgrading the functional levels =
+
= Introduction =
  
'''Warning: Before you raise the functional levels in your AD, you should make sure, that you understand what functional levels are and what consequences it will have for your domain and forest, if you upgrade them!'''
+
The Active Directory (AD) functional levels determine the domain or forest capabilities. For details, see:
 
 
Some usefull links to documentation about AD functional levels:
 
  
 
* [http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28WS.10%29.aspx Understanding Active Directory Domain Services (AD DS) Functional Levels]
 
* [http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28WS.10%29.aspx Understanding Active Directory Domain Services (AD DS) Functional Levels]
  
 
* [http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx What is the Impact of Upgrading the Domain or Forest Functional Level?]
 
* [http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx What is the Impact of Upgrading the Domain or Forest Functional Level?]
 +
 +
 +
{{Imbox
 +
| type = important
 +
| text = If you raise any of the functional levels, you will need to restart the Samba AD DC(s).
 +
}}
 +
 +
 +
 +
 +
 +
= Supported Functional Levels =
 +
 +
You can set the following functional levels in Active Directory (AD) via samba-tool.
 +
 +
{| class="wikitable"
 +
!Functional Level
 +
!Included in Samba Version
 +
|-
 +
|2012_R2
 +
|4.4 and later*
 +
|-
 +
|2012
 +
|4.4 and later*
 +
|-
 +
|2008_R2
 +
|4.0 and later
 +
|-
 +
|2008
 +
|4.0 and later
 +
|-
 +
|2003
 +
|4.0 and later
 +
|}
 +
 +
<nowiki>*</nowiki> Functional level is included for use against Windows, but '''not supported in Samba'''. Kerberos improvements from Windows Server 2012 and 2012 R2 are not implemented in Samba.
 +
 +
= Raising the Domain Functional Level =
 +
 +
== Using samba-tool ==
 +
 +
To raise the domain functional level on a Samba Active Directory (AD) domain controller (DC), use <code>samba-tool</code>. For example, to set the domain functional level to <code>2008_R2</code>:
 +
 +
# samba-tool domain level raise --domain-level=2008_R2
 +
 +
For a list of supported domain functional levels, see [[#Supported_Functional_Levels|Supported Functional Levels]].
  
  
  
 +
== Using the Windows Active Directory Domains and Trusts Utility ==
  
 +
{{Imbox
 +
| type = important
 +
| text = Raising the domain functional level using the <code>Active Directory Domains and Trusts</code> utility is currently not supported.<br />For details, see https://bugzilla.samba.org/show_bug.cgi?id=10360
 +
}}
  
= Raising the forest functional level =
+
Run the following steps on a Windows machine having the remote server administration tools (RSAT) installed:
  
'''The forest functional level can't be higher than the domain functional level!'''
+
* Log in as domain administrator.
  
 +
* Open the <code>Active Directory Domains and Trusts</code> utility.
  
 +
* Right-click the domain on the left side and select <code>Raise Domain Functional Level</code>.
  
== Through Windows Administration Tools ==
+
:[[Image:Raise_Domain_Functional_Level.png]]
  
'''Hint: This way does not work at the moment! See [https://bugzilla.samba.org/show_bug.cgi?id=10360 Bug #10360]'''
+
* Select the functional level.
  
The following steps can be executed on any Windows machine (including workstations), on which the RSAT (Remote Server Administration Tools) are installed.
+
* Click <code>OK</code>.
  
* Open Active Directory Domains and Trusts
 
  
* Right-click to „Active Directory Domains and Trusts“ in the left pane and choose „Raise Forest Functional Level...“.
 
  
:[[Image:Raise_Forest_Functional_Level.png]]
 
  
* In the upcomming Window, choose the functional level, you want to upgrade to.
 
  
 +
= Raising the Forest Functional Level =
  
 +
== Using samba-tool ==
  
== Through samba-tool ==
+
{{Imbox
 +
| type = note
 +
| text = You can not set the forest functional level higher than the domain functional level.
 +
}}
  
You can raise the forest functional level on any of your Samba AD Domain Controllers by using the following command:
 
  
# samba-tool domain level --forest-level=...
+
To raise the forest functional level on a Samba Active Directory (AD) domain controller (DC), use <code>samba-tool</code>. For example, to set the forest functional level to <code>2012_R2</code>:
  
 +
# samba-tool domain level raise --forest-level=2012_R2
  
 +
For a list of supported forest functional levels, see [[#Supported_Functional_Levels|Supported Functional Levels]].
  
  
  
= Raising the domain functional level =
+
== Using the Windows Active Directory Domains and Trusts Utility ==
  
== Through Windows Administration Tools ==
+
{{Imbox
 +
| type = important
 +
| text = Raising the domain functional level using the <code>Active Directory Domains and Trusts</code> utility is currently not supported.<br />For details, see https://bugzilla.samba.org/show_bug.cgi?id=10360
 +
}}
  
'''Hint: This way does not work at the moment! See [https://bugzilla.samba.org/show_bug.cgi?id=10360 Bug #10360]'''
+
Run the following steps on a Windows machine having the remote server administration tools (RSAT) installed:
  
The following steps can be executed on any Windows machine (including workstations), on which the RSAT (Remote Server Administration Tools) are installed.
+
* Log in as domain administrator.
  
* Open Active Directory Domains and Trusts
+
* Open the <code>Active Directory Domains and Trusts</code> utility.
  
* Right-click your Domain in the left pane and choose „Raise Domain Functional Level...“.
+
* Right-click <code>Active Directory Domains and Trusts</code> on the left side and select <code>Raise Forest Functional Level</code>.
  
:[[Image:Raise_Domain_Functional_Level.png]]
+
:[[Image:Raise_Forest_Functional_Level.png]]
  
* In the upcomming Window, choose the functional level, you want to upgrade to.
+
* Select the functional level.
  
 +
* Click <code>OK</code>.
  
  
  
== Through samba-tool ==
 
  
You can raise the domain functional level on any of your Samba AD Domain Controllers by using the following command:
 
  
# samba-tool domain level --forest-level=...
+
----
 +
[[Category:Active Directory]]

Latest revision as of 16:47, 12 April 2021

Introduction

The Active Directory (AD) functional levels determine the domain or forest capabilities. For details, see:




Supported Functional Levels

You can set the following functional levels in Active Directory (AD) via samba-tool.

Functional Level Included in Samba Version
2012_R2 4.4 and later*
2012 4.4 and later*
2008_R2 4.0 and later
2008 4.0 and later
2003 4.0 and later

* Functional level is included for use against Windows, but not supported in Samba. Kerberos improvements from Windows Server 2012 and 2012 R2 are not implemented in Samba.

Raising the Domain Functional Level

Using samba-tool

To raise the domain functional level on a Samba Active Directory (AD) domain controller (DC), use samba-tool. For example, to set the domain functional level to 2008_R2:

# samba-tool domain level raise --domain-level=2008_R2

For a list of supported domain functional levels, see Supported Functional Levels.


Using the Windows Active Directory Domains and Trusts Utility

Run the following steps on a Windows machine having the remote server administration tools (RSAT) installed:

  • Log in as domain administrator.
  • Open the Active Directory Domains and Trusts utility.
  • Right-click the domain on the left side and select Raise Domain Functional Level.
Raise Domain Functional Level.png
  • Select the functional level.
  • Click OK.



Raising the Forest Functional Level

Using samba-tool


To raise the forest functional level on a Samba Active Directory (AD) domain controller (DC), use samba-tool. For example, to set the forest functional level to 2012_R2:

# samba-tool domain level raise --forest-level=2012_R2

For a list of supported forest functional levels, see Supported Functional Levels.


Using the Windows Active Directory Domains and Trusts Utility

Run the following steps on a Windows machine having the remote server administration tools (RSAT) installed:

  • Log in as domain administrator.
  • Open the Active Directory Domains and Trusts utility.
  • Right-click Active Directory Domains and Trusts on the left side and select Raise Forest Functional Level.
Raise Forest Functional Level.png
  • Select the functional level.
  • Click OK.