3.2.19 Example 19: Raise the Domain Functional Level

In this example, an administrator uses LDAP to modify the msDS-Behavior-Version attribute ([MS-ADA2] section 2.246 and [MS-ADTS] section to an incremented value in order to raise the domain functional level. To perform this task, an administrator runs a client application on a client computer that targets a directory server in the Active Directory system and raises the domain functional level ([MS-ADTS] section

This example applies only to AD DS.

This example covers the use case in section, "Modify Directory Object - Client Application".


The general requirements set forth in section 2.6, "Assumptions and Preconditions".

The Active Directory system meets all preconditions described in section

Initial System State


Final System State

The crossRef object is modified, and the domain functional level is raised.

Sequence of Events

The following sequence diagram shows the message flow that is associated with this example.

Message flow to raise the domain functional level

Figure 65: Message flow to raise the domain functional level

Unless otherwise noted, all responses that include a return code contain a return code that indicates that the operation was successfully performed.

  1. The client application starts and sends an LDAP bind request ([RFC2251] section 4.2) to the directory server along with credentials.

  2. The directory server verifies the credentials ([MS-AUTHSOD] section 2) and sends an LDAP bind response ([RFC2251] section 4.2.3) to the client application.

  3. An LDAP search request ([RFC2251] section 4.5.1) is sent to the directory to query the base domain to look for the msDS-Behavior-Version attribute ([MS-ADA2] section 2.207 and [MS-ADTS] section

  4. The directory server sends an LDAP search response ([RFC2251] section 4.5.2) that contains the current domain functional level value (2, DS_BEHAVIOR_WIN2003, [MS-ADTS] section

  5. The user interacts with the client application and provides the name of the domain NC and the new domain functional level (3, DS_BEHAVIOR_WIN2008, [MS-ADTS] section

    An LDAP modify request ([RFC2251] section 4.6) is sent to the directory server. The LDAP modify operation contains the distinguishedName of the domain along with the msDS-Behavior-Version attribute ([MS-ADA2] section 2.207) as a replace operation with the value of 3.

    If necessary, the client application reroutes the modify request ([RFC2251] section 4.6) to the PDC FSMO if a referral was returned from the initial modify request. This is because only the PDC FSMO role holder can perform this modification ([MS-ADTS] section

  6. The directory server processes the modify request and verifies the processing rules and constraints as described in [MS-ADTS] sections and It then sends an LDAP modify response ([RFC2251] section 4.6) that indicates success.

  7. The client application sends an LDAP unbind request ([RFC2251] section 4.3) to the directory server. The LDAP connection to the directory server is closed.