UCS 4.1 AD functioning level


#1

With UCS 4.1 samba version is 4.3 and with that AD functioning level is 2008R2 but only with new installations. Is it possible to rise AD functioning level on older AD installation which is upgraded to UCS 4.1?


#2

Hello,
You can raise the function level on the domain controller, but this is a step not taken lightly. You have to be very carefull and try it first in a testing environment.
With the risen domain function level Microsoft changed the way it handled user passwords and its policies - that can have unexpected consequences.

You can raise the function level with (That has to be the same on all domain controllers):

samba-tool domain level raise --forest-level=2008_R2

samba-tool domain level raise --domain-level=2008_R2

Regards,
Jens Thorp-Hansen


#3

Hello,
I saw, there are some unanswered questions like https://lists.samba.org/archive/samba/2013-July/174639.html.
Did someone already successfully test the migration on UCS, coming from 2.x -> 3.x -> 4.x?


#4

In one case we observed that with the very first automatic change of the Windows clients’ machine account password after the functioning levels were updated, the clients temporarily lost the ability to authenticate against the Domain controllers. All that needed to be done was to reboot the Windows clients and everything was fine again. Subsequent machine account password changes are fine, too.

By default, Windows clients change their machine account password every 30 days. That means they don’t do it all at the same time and even if the change is due, it is done only after the Windows client is running for a couple of minutes. So you might see “random” login / authentication problems, for example after people locked their screens and want to re-login again or something similar.

Bottom line: If you see authentication problems some days or few weeks after raising the functioning levels, reboot your Windows :slight_smile:

There are also ways to force the machine account password change so you can handle all Windows clients in a short maintenance window.

Best regards,
Michael Grandjean


#5

Ok, thanks for the information.
I’m gonna give it a try in January and will report the results here!


#6

Thnx for the information, I have a environment where I can test it.


#7

Hello,

have someone tried it already? What are the results?


#8

Yes I did it and it worked without problems.


#9

Hello,
sorry for the late answer: yes it worked without problems for so far.
Just remember to restart the client as soon as you’ve probably lost AD trust because of the machine password change for the first time!

Best regards,
TP