.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
   :description: Raising the domain functional level to 2016 with Samba-AD
   :keywords: Security, Samba-AD, Raise Functional Level 2016, documentation, Password Strategy

.. _samba_raising_fl_2016:

***********************************************
Forest Functional Level 2016 and AD Schema 2022
***********************************************

Since Samba 4.19.0, you can raise the domain functional level of an existing domain to FL 2016, and the AD Schema version to 88 (Windows Server 2019 / 2022).

===============================
Determine the AD Schema Version
===============================

First, determine the current AD Schema version of your Samba-AD installation:

.. code-block:: bash

   ldbsearch -H /var/lib/samba/private/sam.ldb -b "cn=Schema,cn=Configuration,DC=$(hostname -d | sed 's/\./,DC=/g')" -s base objectVersion

.. attention::

   If the schema version is below 47 (for example if the domain comes from MS SBS or MS 2003), the schema cannot be upgraded easily. Please contact Tranquil-IT for assistance.

.. note::

   All AD Schema versions are listed here: https://wiki.samba.org/index.php/AD_Schema_Version_Support

=====================================
Determine the domain functional level
=====================================

You can determine the functional level of your domain with this samba-tool command:

.. code-block:: bash

   root:~# samba-tool domain level show
   Domain and forest function level for domain 'DC=domain,DC=lan'
   Forest function level: (Windows) 2008 R2
   Domain function level: (Windows) 2008 R2
   Lowest function level of a DC: (Windows) 2008 R2

.. attention::

   If the lowest functional level of a DC is below 2008 R2, please contact Tranquil-IT for assistance.

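The two checks above can be combined into a pre-flight gate that is run before any configuration change. The script below is an added example, not part of the original documentation or of Samba itself; the function names and the sample ``objectVersion: 69`` value are constructed, and the allowlist assumes that ``samba-tool`` prints level names in the same form as the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the Samba or Tranquil IT docs): gate the raise on the
# two thresholds given above: schema objectVersion >= 47, lowest DC level >= 2008 R2.

# Print the objectVersion value from ldbsearch output read on stdin.
schema_version() {
    awk -F': ' '$1 == "objectVersion" { print $2; exit }'
}

# Print the lowest DC level from `samba-tool domain level show` output on stdin.
lowest_dc_level() {
    sed -n 's/^Lowest function level of a DC: (Windows) //p'
}

# $1 = ldbsearch output, $2 = level show output. Returns 0 only if both checks pass.
preflight() {
    pf_ver=$(printf '%s\n' "$1" | schema_version)
    pf_lvl=$(printf '%s\n' "$2" | lowest_dc_level)
    case "$pf_ver" in
        ''|*[!0-9]*) echo "objectVersion not found: stop"; return 1 ;;
    esac
    if [ "$pf_ver" -lt 47 ]; then
        echo "schema version $pf_ver is below 47: stop"; return 1
    fi
    # Assumption: level names are printed as in the sample output above.
    # Anything not on this allowlist fails closed.
    case "$pf_lvl" in
        "2008 R2"|"2012"|"2012 R2"|"2016") ;;
        *) echo "lowest DC level '$pf_lvl' is below 2008 R2 or unrecognised: stop"; return 1 ;;
    esac
    echo "ok: schema version $pf_ver, lowest DC level $pf_lvl"
}

# Constructed sample inputs (the objectVersion value is made up for the demo).
SAMPLE_LDB='# record 1
dn: CN=Schema,CN=Configuration,DC=domain,DC=lan
objectVersion: 69

# returned 1 records'
SAMPLE_LEVEL="Domain and forest function level for domain 'DC=domain,DC=lan'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2"

preflight "$SAMPLE_LDB" "$SAMPLE_LEVEL"
```

On a domain controller, pass the live output of the ``ldbsearch`` and ``samba-tool domain level show`` commands shown above as the two arguments instead of the samples.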
==================================================================
Raising functional level from new Samba-AD version 4.19.0 or later
==================================================================

For a new domain created with 4.19.0 or later, add the following to the ``[global]`` section of ``/etc/samba/smb.conf`` on all your Samba-AD domain controllers:

.. code-block:: ini

   ad dc functional level = 2016

Then restart Samba:

.. code-block:: bash

   systemctl restart samba-ad-dc  # Debian
   systemctl restart samba        # RedHat or derivatives

============================================
Raising functional level from older Samba-AD
============================================

For an older domain, you must add the same setting to the ``[global]`` section of ``/etc/samba/smb.conf`` on all your Samba-AD domain controllers:

.. code-block:: ini

   ad dc functional level = 2016

Then restart Samba:

.. code-block:: bash

   systemctl restart samba-ad-dc  # Debian
   systemctl restart samba        # RedHat or derivatives

On the domain controller that owns the FSMO roles, run:

.. code-block:: bash

   samba-tool domain schemaupgrade --schema=2019
   samba-tool domain functionalprep --function-level=2016
   samba-tool domain level raise --domain-level=2016 --forest-level=2016

You are now on Forest Level 2016 and AD Schema version 88 (Windows Server 2019 / 2025).