{"id":10700,"date":"2024-02-20T21:28:34","date_gmt":"2024-02-21T02:28:34","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=10700"},"modified":"2024-02-22T23:56:09","modified_gmt":"2024-02-23T04:56:09","slug":"determining-active-directory-version","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=10700","title":{"rendered":"Determining Active Directory Version"},"content":{"rendered":"

We have a number of applications that authenticate to Active Directory. Invariably, when there are authentication issues, the vendor support person asks “what version of AD is this?” … not an unreasonable question, but<\/em> also not something the person who supports Application XYZ is apt to know<\/em> in a larger company. Fortunately, there are a few places within the directory that you can find details about AD versions.<\/p>\n

The simplest is the version of Windows the domain controllers are running … although it’s possible domain controllers have been upgraded but the AD functional level has not yet been changed.<\/p>\n

ldapsearch -h ad.example.com -D \"ldapquery@example.com\" -w \"P@s54LD@pQu3ry\" -p389 -b \"ou=domain controllers,dc=example,dc=com\" \"(&(objectClass=computer))\" operatingSystem<\/tt><\/p>\n

CN=dc007,OU=Domain Controllers,dc=example,DC=com
\noperatingSystem=Windows Server 2019 Datacenter<\/p>\n

CN=dc008,OU=Domain Controllers,dc=example,DC=com
\noperatingSystem=Windows Server 2019 Datacenter<\/p>\n

CN=dc020,OU=Domain Controllers,dc=example,DC=com
\noperatingSystem=Windows Server 2019 Datacenter<\/p>\n

CN=dc021,OU=Domain Controllers,dc=example,DC=com
\noperatingSystem=Windows Server 2019 Datacenter<\/p>\n

 <\/p>\n

You can also find the objectVersion of the schema:<\/p>\n

ldapsearch -h ad.example.com -D \"ldapquery@example.com\" -w \"P@s54LD@pQu3ry\" -p389 -b \"cn=schema,cn=configuration,dc=example,dc=com\" \"(&(objectVersion=*))\" objectVersion<\/tt><\/p>\n

CN=Schema,CN=Configuration,dc=example,DC=com
\nobjectVersion=88<\/p>\n

What does 88 mean? It depends! Either Windows 2019 or 2022<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Version<\/th>\nOperating System<\/th>\n<\/tr>\n<\/thead>\n
13<\/td>\nWindows 2000 Server<\/td>\n<\/tr>\n
30<\/td>\nWindows Server 2003 (Before R2)<\/td>\n<\/tr>\n
31<\/td>\nWindows Server 2003 R2<\/td>\n<\/tr>\n
44<\/td>\nWindows Server 2008 (Before R2)<\/td>\n<\/tr>\n
47<\/td>\nWindows Server 2008 R2<\/td>\n<\/tr>\n
56<\/td>\nWindows Server 2012<\/td>\n<\/tr>\n
69<\/td>\nWindows Server 2012 R2<\/td>\n<\/tr>\n
87<\/td>\nWindows Server 2016<\/td>\n<\/tr>\n
88<\/td>\nWindows Server 2019<\/td>\n<\/tr>\n
88<\/td>\nWindows Server 2022<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Or the functional level of the forest and its partitions:<\/p>\n

ldapsearch -H ldap:\/\/ad.example.com -D \"ldapquery@example.com\" -w \"P@s54LD@pQu3ry\" -b \"cn=partitions,cn=configuration,dc=example,dc=com\" \"(&(MSDS-Behavior-Version=*))\" MSDS-Behavior-Version<\/tt><\/p>\n

dn: CN=Partitions,CN=Configuration,DC=example,DC=com
\nmsDS-Behavior-Version: 7<\/p>\n

dn: CN=EXAMPLE,CN=Partitions,CN=Configuration,DC=example,DC=com
\nmsDS-Behavior-Version: 7<\/p>\n

What does 7 mean? Well, that depends too. It’s either Windows 2016 or 2019!<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
msDS-Behavior-Version<\/strong><\/td>\nForest
\n<\/strong><\/td>\n		Domain<\/strong><\/td>\nDomain Controller
\n<\/strong><\/td>\n<\/tr>\n
0<\/td>\n2000<\/td>\n2000 Mixed \/ Native<\/td>\n2000<\/td>\n<\/tr>\n
1<\/td>\n2003 Interim<\/td>\n2003 Interim<\/td>\nN\/A<\/td>\n<\/tr>\n
2<\/td>\n2003<\/td>\n2003<\/td>\n2003<\/td>\n<\/tr>\n
3<\/td>\n2008<\/td>\n2008<\/td>\n2008<\/td>\n<\/tr>\n
4<\/td>\n2008 R2<\/td>\n2008 R2<\/td>\n2008 R2<\/td>\n<\/tr>\n
5<\/td>\n2012<\/td>\n2012<\/td>\n2012<\/td>\n<\/tr>\n
6<\/td>\n2012 R2<\/td>\n2012 R2<\/td>\n2012 R2<\/td>\n<\/tr>\n
7<\/td>\n2016<\/td>\n2016<\/td>\n2016<\/td>\n<\/tr>\n
7<\/td>\n2019<\/td>\n2019<\/td>\n2019<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

We have a number of applications that authenticate to Active Directory. Invariably, when there are authentication issues, the vendor support person asks “what version of AD is this?” … not an unreasonable question, but also not something the person who supports Application XYZ is apt to know in a larger company. Fortunately, there are a …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[68,1976,303],"class_list":["post-10700","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-active-directory","tag-ad","tag-ldap"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10700"}],"version-history":[{"count":4,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10700\/revisions"}],"predecessor-version":[{"id":10706,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10700\/revisions\/10706"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}