.. Reminder for header structure:        
  Parts (H1)          : #################### with overline
  Chapters (H2)       : ******************** with overline
  Sections (H3)       : ====================
  Subsections (H4)    : --------------------
  Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
  Paragraphs (H6)     : """""""""""""""""""""

.. |date| date::

.. meta::
  :description: Raising the domain functional level to 2016 with Samba-AD
  :keywords: Security, Samba-AD, Raise Functional Level 2016, documentation, Password Strategy

.. _samba_raising_fl_2016:

***********************************************
Forest Functional Level 2016 and AD Schema 2022
***********************************************

Since Samba 4.19.0, you can raise the domain functional level of an existing domain to FL 2016, and the AD Schema version to 88 (Windows Server 2019 / 2022).

===============================
Determine the AD Schema Version
===============================

First, determine the current AD Schema version of your Samba-AD installation:

.. code-block:: bash

    ldbsearch -H /var/lib/samba/private/sam.ldb -b "cn=Schema,cn=Configuration,DC=$(hostname -d | sed 's/\./,DC=/g')" -s base objectVersion

.. attention::

    If your schema version is below 47 (for example if you come from MS SBS or MS 2003), you cannot easily upgrade your schema. Please contact Tranquil-IT for assistance.

.. note::

    All AD Schema versions are listed here: https://wiki.samba.org/index.php/AD_Schema_Version_Support


=====================================
Determine the domain functional level
=====================================


You can determine the functional level of your domain with this samba-tool command:

.. code-block:: bash
    
    root:~# samba-tool domain level show
    
    Domain and forest function level for domain 'DC=domain,DC=lan'
    
    Forest function level: (Windows) 2008 R2
    Domain function level: (Windows) 2008 R2
    Lowest function level of a DC: (Windows) 2008 R2

.. attention:: 
 
   If the lowest functional level of a DC is below 2008 R2, please contact Tranquil-IT for assistance.
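
A pre-flight gate combining the two checks above, as an added example (not Tranquil-IT's or Samba's own code): it parses the output of the `ldbsearch` and `samba-tool domain level show` commands and fails when the schema version is below 47 or the lowest DC level is below 2008 R2. The sample outputs are constructed, and the function names and the level-name ranking table are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight gate before raising to FL 2016.
# Thresholds (schema 47, 2008 R2) come from the attention boxes on this page.

# Constructed sample of the `ldbsearch ... -s base objectVersion` output.
SAMPLE_SCHEMA='# record 1
dn: CN=Schema,CN=Configuration,DC=domain,DC=lan
objectVersion: 69

# returned 1 records'

# Constructed sample of the `samba-tool domain level show` output.
SAMPLE_LEVEL="Domain and forest function level for domain 'DC=domain,DC=lan'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2"

# Print the integer after "objectVersion:" (empty if absent).
schema_version() {
    printf '%s\n' "$1" | sed -n 's/^objectVersion:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Print the lowest DC level, e.g. "2008 R2" (empty if absent).
lowest_dc_level() {
    printf '%s\n' "$1" | sed -n 's/^Lowest function level of a DC:[[:space:]]*(Windows)[[:space:]]*//p' | head -n 1
}

# Map a level name to a sortable rank (assumed names); unknown names map to 0.
level_rank() {
    case "$1" in
        2000) echo 1 ;; 2003) echo 2 ;; 2008) echo 3 ;; "2008 R2") echo 4 ;;
        2012) echo 5 ;; "2012 R2") echo 6 ;; 2016) echo 7 ;; *) echo 0 ;;
    esac
}

# Return 0 only when both prerequisites on this page are met.
preflight() {
    local schema lowest
    schema=$(schema_version "$1")
    lowest=$(lowest_dc_level "$2")
    [ -n "$schema" ] || { echo "schema version not found" >&2; return 2; }
    [ "$schema" -ge 47 ] || { echo "schema $schema is below 47" >&2; return 1; }
    [ "$(level_rank "$lowest")" -ge 4 ] || { echo "lowest DC level '$lowest' is below 2008 R2 or unknown" >&2; return 1; }
    echo "ok: schema=$schema lowest_dc_level=$lowest"
}

preflight "$SAMPLE_SCHEMA" "$SAMPLE_LEVEL"
```

On a domain controller, pass the captured output of the two commands shown on this page as the first and second argument of `preflight` instead of the samples.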


==================================================================
Raising functional level from new Samba-AD version 4.19.0 or later
==================================================================

For a new domain created with 4.19.0 or later, just add the following to the `[global]` section of `/etc/samba/smb.conf` on all your Samba-AD domain controllers:

.. code-block:: bash

    ad dc functional level = 2016

Then restart Samba:

.. code-block:: bash

   systemctl restart samba-ad-dc     # Debian
   systemctl restart samba           # RedHat or derivatives


============================================
Raising functional level from older Samba-AD
============================================

For an older domain, you must add the following to the `[global]` section of `/etc/samba/smb.conf` on all your Samba-AD domain controllers:
 
.. code-block:: bash

    ad dc functional level = 2016

Then restart Samba:

.. code-block:: bash

   systemctl restart samba-ad-dc     # Debian
   systemctl restart samba           # RedHat or derivatives


On the domain controller that owns the FSMO roles, run these commands:

.. code-block:: bash

    samba-tool domain schemaupgrade --schema=2019
    samba-tool domain functionalprep --function-level=2016
    samba-tool domain level raise --domain-level=2016 --forest-level=2016


You are now on Forest Level 2016 and AD Schema version 88 (Windows Server 2019 / 2025).


