3.1.1.5.3.4 BehaviorVersion Updates

  • Article

msdn link

If the DC functional level is DS_BEHAVIOR_WIN2003 or greater and less than DS_BEHAVIOR_WIN2008R2, then originating updates of the msDS-Behavior-Version attribute are permitted, subject to the following additional constraints:

  • The object being modified is the NC root of the domain NC (domain functional level) or the CN=Partitions child of the config NC (forest functional level); otherwise, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • The new value is greater than the current value; otherwise, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • The operation is performed on the FSMO (PDC for domain functional level updates, Schema Master FSMO for forest functional level updates); otherwise referral / ERROR_DS_REFERRAL is returned.

  • If the domain functional level is being raised, then the domain MUST NOT contain a DC whose functional level is lower than the new value. This is determined by searching the config NC for objects with objectCategory nTDSDSA whose msDS-Behavior-Version attribute value is below the new value and whose hasMasterNCs attribute contains the DN of the domain NC root. If the search returns one or more results, then unwillingToPerform / ERROR_DS_LOW_DSA_VERSION is returned.

  • If the forest functional level is being raised, then the forest MUST NOT contain a DC whose functional level is lower than the new value. This is determined by searching the config NC for objects with objectCategory nTDSDSA whose msDS-Behavior-Version attribute value is below the new value. If the search returns one or more results, then unwillingToPerform / ERROR_DS_LOW_DSA_VERSION is returned.

  • If the domain functional level is being raised from a value below DS_BEHAVIOR_WIN2003 to a value of DS_BEHAVIOR_WIN2003 or greater, then the domain is not a mixed-mode domain. If the domain is a mixed-mode domain, then unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • If the forest functional level is raised from a value below DS_BEHAVIOR_WIN2003 to a value of DS_BEHAVIOR_WIN2003 or greater, then the forest does not contain mixed-mode domains. If the forest does contain mixed-mode domains, then unwillingToPerform / ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXED_DOMAIN is returned.

If the DC functional level is DS_BEHAVIOR_WIN2008R2 or greater, then originating updates of the msDS-Behavior-Version attribute are permitted, subject to the following additional constraints:

  • The object being modified is the nTDSDSA object of an RODC (DC functional level of an RODC), or NC root of the domain NC (domain functional level) or the CN=Partitions child of the config NC (forest functional level); otherwise, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • If the DC functional level of an RODC is being modified, the operation is performed on a writable DC that is a member of the same domain the RODC is a member of; otherwise, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • If the DC functional level of an RODC is being modified, the new value is greater than or equal to the domain functional level of the domain the RODC is a member of; otherwise, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • If the domain functional level is being modified, the operation is performed on the PDC FSMO; otherwise referral / ERROR_DS_REFERRAL is returned.

  • If the domain functional level is being modified, the new value is greater than the current value or is greater than the forest functional level; otherwise, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • If the domain functional level is being modified, then the domain MUST NOT contain a DC whose functional level is lower than the new value. This is determined by searching the config NC for objects with objectCategory nTDSDSA or nTDSDSARO, whose msDS-Behavior-Version attribute value is below the new value and whose hasMasterNCs attribute contains the DN of the domain NC root. If the search returns one or more results, then unwillingToPerform / ERROR_DS_LOW_DSA_VERSION is returned.

  • If the domain functional level is being raised from a value below DS_BEHAVIOR_WIN2003 to a value of DS_BEHAVIOR_WIN2003 or greater, then the domain is not a mixed-mode domain. If the domain is a mixed-mode domain, then unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.

  • If the forest functional level is being modified, the operation is performed on the Schema Master FSMO; otherwise referral / ERROR_DS_REFERRAL is returned.

  • If the forest functional level is being modified, then the forest MUST NOT contain a DC whose functional level is lower than the new value. This is determined by searching the config NC for objects with objectCategory nTDSDSA or nTDSDSARO and whose msDS-Behavior-Version attribute value is below the new value. If the search returns one or more results, then unwillingToPerform / ERROR_DS_LOW_DSA_VERSION is returned.

  • If the forest functional level is raised from a value below DS_BEHAVIOR_WIN2003 to a value of DS_BEHAVIOR_WIN2003 or greater, then the forest does not contain mixed-mode domains. If the forest does contain mixed-mode domains, then unwillingToPerform / ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXED_DOMAIN is returned.

  • If the new value is less than or equal to the existing value, the new value is greater than or equal to DS_BEHAVIOR_WIN2008; otherwise, unwillingToPerform / ERROR_DS_HIGH_DSA_VERSION is returned.

    Note In applicable Windows Server releases prior to Windows Server 2012 operating system, unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION is returned.