T 2.156 Compatibility problems when increasing the Active Directory function level

The Active Directory or, with Windows Server 2008 and higher, the Active Directory Domain Services (AD DS) supports various functional levels ("AD functional level") for domain and overall structure ("Forest").

The functional levels correspond to the range of functions of the corresponding operating system versions and enable "mixed" domains, for example with Windows Server 2003 and 2008 domain controller.

The change to a higher functional level is made in two steps for Windows Server 2008:

• extension of the AD scheme before inclusion of a Windows Server 2008 as domain controller (using adprep)
• downgrading of domain functional level or forest functional level after change of all domain controllers (using domprep).

Compatibility problems may occur with both steps, above all with the second step. Both steps cannot be reversed; rollback will not be possible. Restoring of a data backup is not recommended because all domain controllers are affected (see also S 6.108 Data backup for domain controllers).

Often, problems only emerge during productive operation because test environments are not able to simulate the full complexity of a grown AD structure.

Compatibility problems also often affect non-Windows systems as well as applications connected to the AD service. This may include LDAP interfaces with separate scheme extensions, e.g.

• telephone systems, CTI or UM services,
• Samba servers and embedded Samba servers in NAS or SAN systems, and
• interfaces of Unix/Linux-based web services.

This may result in malfunction of the AD integration, permanently disturbing these services.