How-to: Raise Domain Functional Level


For Windows Server 2016 there is an article from Microsoft.
For Samba there is an article in the Samba Wiki.
To achieve the same goal, the functional level can be raised on UCS, too.

Note: Currently Samba does not support raising the functional level on the server side above 2008 R2. Please check your Samba version! This article is written for Samba 4.7. The tutorial was also completed successfully with Samba 4.10.1, but a different Kerberos key renewal script has to be used (see Step 4).

Step 1

Verify that all Samba servers in your UCS domain use at least msDS-Behavior-Version 4:

root@master:~# samba-tool domain level show 
Domain and forest function level for domain 'DC=multi,DC=ucs'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
root@master:~# univention-s4search --cross-ncs "(objectClass=nTDSDSA)" msDS-Behavior-Version
# record 1
dn: CN=NTDS Settings,CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=multi,DC=ucs
msDS-Behavior-Version: 4

# record 2
dn: CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=multi,DC=ucs
msDS-Behavior-Version: 4

# record 3
dn: CN=NTDS Settings,CN=MASTER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=multi,DC=ucs
msDS-Behavior-Version: 4

# returned 3 records
# 3 entries
# 0 referrals

Step 2

If not all Samba DCs show version 4, the value can be edited with

ldbedit -H /var/lib/samba/private/sam.ldb --cross-ncs "(objectClass=nTDSDSA)" msDS-Behavior-Version

Set all values there to "4".
Note: The editor opened by the above command is vi-like.
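As an added pre-flight check for Steps 1 and 2 (example code, not part of the original article): the function below parses the LDIF that univention-s4search prints, reports every DC whose msDS-Behavior-Version is below the required minimum (4 for 2008 R2, as stated above), and returns a non-zero status if any DC still needs to be edited or if no nTDSDSA record was found at all. The sample LDIF embedded in the block is constructed for offline testing; one DC is deliberately left at version 3 so the failure path is visible.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_behavior_versions reads LDIF as produced by
#   univention-s4search --cross-ncs "(objectClass=nTDSDSA)" msDS-Behavior-Version
# on stdin and prints one line per DC. Exit status: 0 if every DC meets the
# minimum msDS-Behavior-Version, 1 otherwise (also 1 if no record was found).

# Minimum msDS-Behavior-Version required for 2008 R2 (value taken from the article).
REQUIRED_LEVEL=4

check_behavior_versions() {
    min="${1:-$REQUIRED_LEVEL}"
    awk -v min="$min" '
        # Remember the DN of the current record ("dn: " is 4 characters).
        /^dn: / { dn = substr($0, 5) }
        /^msDS-Behavior-Version: / {
            ver = $2 + 0
            seen++
            if (ver < min) {
                bad++
                printf "BELOW MINIMUM (%d < %d): %s\n", ver, min, dn
            } else {
                printf "ok (%d): %s\n", ver, dn
            }
        }
        END {
            if (seen == 0) { print "no nTDSDSA records found"; exit 1 }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample output (not captured from a real domain); the BACKUP DC
# is intentionally still at version 3 to demonstrate the failing case.
SAMPLE_LDIF='# record 1
dn: CN=NTDS Settings,CN=SLAVE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=multi,DC=ucs
msDS-Behavior-Version: 4

# record 2
dn: CN=NTDS Settings,CN=BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=multi,DC=ucs
msDS-Behavior-Version: 3

# returned 2 records'

# Real use on a DC:
#   univention-s4search --cross-ncs "(objectClass=nTDSDSA)" msDS-Behavior-Version | check_behavior_versions
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LDIF" | check_behavior_versions \
    || echo "At least one DC must be edited with ldbedit before raising the level."
```

Run the real pipeline before Step 3; only proceed with samba-tool domain level raise once the function exits 0, because a DC below the target version would otherwise be left behind.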

Step 3

Raise functional level:

1. samba-tool domain level raise --domain-level=2008_R2
2. samba-tool domain level raise --forest-level=2008_R2

For the level string, use one of the values documented in the Samba Wiki.

Step 4

Renew the Kerberos keys with this script.
Note: The script is written for Samba 4.7.
Later versions may require a different script; check versions and availability before using it. A customer has successfully used this script with Samba 4.10.1.

Step 5

Check the UCR variable (UCRV) samba4/function/level and set it to the new level:

ucr set samba4/function/level='2008_R2'

Step 6

Finally, you have to trigger a manual server password change (Manually trigger server password change) so that the server itself gets the new key types.

The other servers need to be rejoined (univention-join).
