Does a domain takeover change the functional level?


I have a new install of 4.1 and am wondering whether or not a takeover of a 2003 domain would result in a 2003 or 2008 functional level, and if it would matter in either case.



I don’t have a definitive answer for you but some conjecture.

By default a 4.1 UCS Samba 4 installation uses Windows 2008R2 as the domain level:

[code][0 root@master ~] samba-tool domain level show
Domain and forest function level for domain ‘DC=mbu-test,DC=intranet’

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2[/code]

That being said: looking at the code doing the takeover (file “/usr/share/pyshared/univention/management/console/modules/adtakeover/” from package “univention-management-console-module-adtakeover”) it seems like the function “takeover_DC_Behavior_Version” does indeed copy the functional level from the source AD.

Further we can see that a domain/forest level of Windows 2012 is still not supported (see function “authenticate” where the variable “msds_behavior_version” is set and checked).

So in order to answer your first question I’d say that the resulting domain’s functional level should still be 2003.

As to the second question (whether or not it actually matters) I’d say keeping the functional level is the safe thing to do as everything that worked before should continue to work and therefore it’s a Good Thing™. Switching to a higher level might in theory cause problems if you have clients that don’t support such a level.

Kind regards,


That is what I figured, I would have expected a lot of ‘hey this will change functional level… heads up’ messages in the docs otherwise. I still have a few XP clients to get out of the mix, and then it is mostly win7… no rush on changing functional level really.

Thanks for the reply and conjecture!