The functional level of the Active Directory domain and forest determines the available features that can be used in the domain, and the Windows Server version you can use on domain controllers.
For example, if your domain controllers run Windows Server 2016 but the domain functional level is still Windows Server 2003, you won’t be able to use the AD Recycle Bin (introduced with the Windows Server 2008 R2 functional level). In this article, we’ll show you how to raise your Active Directory domain and forest functional level from Windows Server 2012 R2 to Windows Server 2016.
How to Check the Domain and Forest Functional Levels?
You can check the current domain and forest functional level using the Active Directory Domains and Trusts mmc snap-in (domain.msc). Open your domain properties. Domain and forest functional levels are listed on the General tab. In our case, this is Windows Server 2012 R2.
You can display the current domain functional level (DFL) using PowerShell:
Get-ADDomain | fl Name, DomainMode
DomainMode : Windows2012R2Domain
Now let’s check the forest functional level (FFL):
Get-ADForest | fl Name, ForestMode
ForestMode : Windows2012R2Forest
How to Raise Active Directory Domain and Forest Functional Levels?
Note. This article shows how to raise the domain functional level to Windows Server 2016. Why don’t we use the more recent Windows Server 2019 or Windows Server 2022? Because neither Windows Server 2019 nor Windows Server 2022 introduces a new domain or forest functional level. Even if you upgrade all of your domain controllers to Windows Server 2022, the highest domain and forest functional level available is still Windows Server 2016.
Before raising the domain and forest functional level, you need to upgrade the Windows Server version on all domain controllers to Windows Server 2016, 2019, or 2022. You can use an in-place upgrade (not recommended), or install additional domain controllers with Windows Server 2022/2019/2016, and correctly remove legacy DC versions from your Active Directory environment.
Adding a new domain controller running any of these Windows Server versions requires at least the Windows Server 2008 functional level. If your forest is at an older level, you will get an error when promoting a new DC:
Verification of replica failed. The forest functional level is not supported. To install a Windows Server 2022 domain or domain controller, the forest functional level must be Windows Server 2008 or higher.
Check and ensure that AD replication is working properly in your domain and forest. You can check Active Directory replication health using the repadmin tool or with PowerShell:
Repadmin /replsummary
Repadmin /showrepl
Get-ADReplicationFailure -Target theitbros.com -Scope Domain
Get-ADReplicationFailure -Target theitbros.com -Scope Forest
Hint. When you raise the domain functional level from Windows Server 2003 to a newer version, the password of the krbtgt account is forcibly reset. This can affect the availability of Exchange services. Also, remember to migrate SYSVOL replication in the domain from FRS to DFS Replication (DFSR) first.
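The checks above (current levels, domain controller OS versions, replication health, FRS vs. DFSR) can be combined into one pre-flight script. The following is an added example and not code from the original article; it assumes the ActiveDirectory RSAT module, a Domain Admin/Enterprise Admin session running on a domain controller (dfsrmig is only present there), and that the target is the Windows Server 2016 level, so any DC reporting an OS major version below 10 is treated as too old.

```powershell
# Added example, not from the original article. Pre-flight checks before raising
# the domain and forest functional level to Windows Server 2016.
Import-Module ActiveDirectory

# Assumption: Windows Server 2016 reports OS version 10.0; anything lower
# (2012 R2 = 6.3, 2008 R2 = 6.1) blocks the raise and must be upgraded or demoted.
$minimumOsVersion = [version]'10.0'

$forest = Get-ADForest
Write-Host "Forest $($forest.Name): $($forest.ForestMode)"

# 1. Functional level of every domain in the forest (all must be raised before the FFL)
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    Write-Host "Domain $($dom.DNSRoot): $($dom.DomainMode)"
}

# 2. Domain controllers in any domain that still run an older OS.
# OperatingSystemVersion looks like '10.0 (14393)'; strip the build number before comparing.
$oldDCs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Where-Object {
            [version]($_.OperatingSystemVersion -replace ' .*$', '') -lt $minimumOsVersion
        } |
        Select-Object Domain, HostName, OperatingSystem, OperatingSystemVersion
}

# 3. Replication failures anywhere in the forest (same information as repadmin /replsummary)
$replFailures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

# 4. SYSVOL replication engine: FRS must already have been migrated to DFSR
$sysvolState = dfsrmig /getglobalstate

# Summary
if ($oldDCs) {
    Write-Warning "Domain controllers below OS version $minimumOsVersion :"
    $oldDCs | Format-Table -AutoSize
}
if ($replFailures) {
    Write-Warning 'Active Directory replication failures:'
    $replFailures | Format-Table -AutoSize
}
Write-Host "SYSVOL migration state (dfsrmig): $($sysvolState -join ' ')"

if (-not $oldDCs -and -not $replFailures) {
    Write-Host 'No blocking issue found; the functional level can be raised.'
} else {
    Write-Warning 'Resolve the items above before running Set-ADDomainMode / Set-ADForestMode.'
}
```

The dfsrmig output is printed rather than evaluated because its wording differs between a domain that has never started the migration and one that has finished it; a state other than "Eliminated" means SYSVOL is still (partly) on FRS and the migration must be completed first.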
To raise the functional level of a domain, you can run the MMC snap-in Active Directory Domains and Trusts. Right-click on the domain name, and select Raise Domain Functional Level.
In the window that opens, select the functional level Windows Server 2016, and click the Raise button.
Before you can raise the forest functional level, all domains in the forest must be upgraded to the same or a higher domain functional level. To raise the functional level of a forest, you must be a member of the Enterprise Admins group. The Active Directory Domains and Trusts snap-in is also used to raise the functional level of the forest.
Right-click on the root of the snap-in, and select Raise Forest Functional Level.
In the next window, select the required forest functional level, and click the Raise button.
Now when you open the Raise Forest Functional Level window again, a message will appear:
This forest is operating at the highest possible functional level.
Raise Domain and Forest Functional Levels with PowerShell
You can also raise the domain functional level using PowerShell. The following command is used:
Set-ADDomainMode -identity theitbros.com -DomainMode Windows2016Domain
If you have multiple domains in your forest, you must update the DFL in each domain.
Wait for AD replication to complete and verify that all domain controllers report the domain functional level is now Windows2016Domain.
To raise the functional level of the forest, another command is used:
Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest
Note. The Set-ADForestMode command returns an error if you have not updated the domain version on any of the domains in the forest:
The functional level of the domain (or forest) cannot be raised to the requested value, because there exist one or more domain controllers in the domain (or forest) that are at a lower incompatible functional level.
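The two cmdlets above can be scripted so that every domain is raised first, the new level is confirmed on every domain controller (avoiding the "lower incompatible functional level" error caused by a DC that has not yet replicated the change), and only then the forest level is raised. This is an added example, not code from the original article; the target levels and the 30-minute replication timeout are assumptions, and it assumes a Domain Admin/Enterprise Admin session with the ActiveDirectory module loaded.

```powershell
# Added example, not from the original article. Raise every domain in the forest,
# wait for all DCs to replicate the new DomainMode, then raise the forest.
Import-Module ActiveDirectory

$DomainMode = 'Windows2016Domain'   # assumption: target domain functional level
$ForestMode = 'Windows2016Forest'   # assumption: target forest functional level
$timeoutMinutes = 30                # assumption: how long to wait for replication

$forest = Get-ADForest

# Step 1: raise the DFL in every domain that is not already at the target level
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    if ($dom.DomainMode -ne $DomainMode) {
        Write-Host "Raising $($dom.DNSRoot) from $($dom.DomainMode) to $DomainMode"
        Set-ADDomainMode -Identity $dom.DNSRoot -DomainMode $DomainMode -Confirm:$false
    }
}

# Step 2: ask each DC directly (-Server) which DomainMode it currently holds,
# and keep polling until all of them report the new level or the timeout expires.
$deadline = (Get-Date).AddMinutes($timeoutMinutes)
do {
    $behind = foreach ($d in $forest.Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $d)) {
            $seen = (Get-ADDomain -Identity $d -Server $dc.HostName).DomainMode
            if ($seen -ne $DomainMode) { "$($dc.HostName) still reports $seen" }
        }
    }
    if ($behind) {
        Write-Host "Waiting for replication:`n$($behind -join "`n")"
        Start-Sleep -Seconds 60
    }
} while ($behind -and (Get-Date) -lt $deadline)

if ($behind) {
    throw "Domain level did not converge on all DCs within $timeoutMinutes minutes; not raising the forest level."
}

# Step 3: raise the FFL only after every domain has converged
if ($forest.ForestMode -ne $ForestMode) {
    Write-Host "Raising forest $($forest.Name) from $($forest.ForestMode) to $ForestMode"
    Set-ADForestMode -Identity $forest.Name -ForestMode $ForestMode -Confirm:$false
}

Get-ADForest | Select-Object Name, ForestMode
```

Querying each DC with -Server is the difference between this script and simply running Get-ADDomain once: the latter only tells you what the DC you happen to be connected to believes, which is exactly the situation in which Set-ADForestMode fails.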
Cannot Raise the Domain or Forest Functional Level
In this section, we collect some of the errors that may occur when you raise the domain or forest functional level.
ERROR_DS_DOMAIN_VERSION_TOO_LOW 8566 (0x2176)
When updating the domain functional level, the following error may appear:
You cannot raise the domain functional level because this domain includes Active Directory Domain Controllers that are not running the appropriate version of Windows Server.
The error means that there are domain controllers in your domain running an earlier version of Windows Server. You can get a full list of domain controller versions in AD using the Get-ADDomainController PowerShell cmdlet:
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
Find the domain controllers running an earlier version of Windows Server and either upgrade them to at least Windows Server 2016 or demote them, remove their accounts from AD, and clean up the Active Directory metadata and AD Sites configuration.
ERROR_DS_FOREST_VERSION_TOO_LOW 8565 (0x2175)
The following error is similar to the previous one, but relates to the presence of older domain controller versions in the AD forest:
The version of the operating system installed on this server no longer supports the current AD DS Forest functional level or AD LDS Configuration Set functional level. You must raise the AD DS Forest functional level or AD LDS Configuration Set functional level before this server can become an AD DS Domain Controller or an AD LDS Instance in this Forest or Configuration Set.
ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN 8569 (0x2179)
This error may appear if your domain is running in mixed mode:
The forest functional level cannot be raised to the requested value since one or more domains are still in mixed domain mode. All domains in the forest must be in native mode, for you to raise the forest functional level.
Mixed mode allows Windows NT backup domain controllers to coexist with Windows 2000 domain controllers in a domain. To fix the problem, you need to switch the domain to native mode. To do this, open the Active Directory Domains and Trusts console (domain.msc), expand your domain and open its Properties. Go to the General tab and click Change Mode.
Downgrade Domain and Forest Functional Levels in AD
Prior to the release of Windows Server 2008 R2, you could not roll back the forest and domain functional level after an upgrade. Starting with Windows Server 2008 R2, you can roll back DFL and FFL changes. A functional-level downgrade is only possible in specific scenarios:
- The minimum target domain functional level that you can downgrade to is Windows Server 2008.
- You won’t be able to roll back to the functional level of Windows Server 2008 after you enabled the AD Recycle Bin. The reason for this is that the Recycle Bin cannot be disabled, and Windows Server 2008 does not support the Recycle Bin. You can use the PowerShell command to check whether or not the Recycle Bin is enabled in your domain:
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
You can only downgrade using PowerShell (you can’t do it using the GUI).
Open a PowerShell console with Domain Admin/Enterprise Admin privileges. Check the current domain and forest functional level:
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode
If you have multiple domains in the forest, use the following PowerShell script to check the functional level for all domains:
$domains = (Get-ADForest).Domains
foreach ($domain in $domains) {
    Get-ADDomain -Identity $domain | Select-Object DNSRoot, DomainMode
}
In our case, the forest is at Windows2016Forest and all domains are at the matching Windows Server 2016 level.
You can downgrade the forest functional level to Windows Server 2012 with the command:
Set-ADForestMode -Identity contoso.com -ForestMode Windows2012Forest
Then perform a functional level downgrade for each domain. You can downgrade DFL in child domains in any order.
Set-ADDomainMode -Identity contoso.com -DomainMode Windows2012Domain
If you try to lower the DFL before the FFL it will result in the error:
Set-ADDomainMode : The functional level of the domain (or forest) cannot be lowered to the requested value
Verify that the forest and domain functional levels have been rolled back successfully.
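The rollback rules above (PowerShell only, forest before domains, Windows Server 2008 as the floor, and no return to 2008 once the Recycle Bin is enabled) can be enforced in one script. This is an added example, not code from the original article; the target levels are assumptions, and it assumes a Domain Admin/Enterprise Admin session with the ActiveDirectory module loaded.

```powershell
# Added example, not from the original article. Roll the forest and then every
# domain back to Windows Server 2012, refusing combinations that cannot work.
Import-Module ActiveDirectory

$TargetForestMode = 'Windows2012Forest'   # assumption: level to roll the forest back to
$TargetDomainMode = 'Windows2012Domain'   # assumption: level to roll each domain back to

# Guard 1: Windows Server 2008 is the lowest level a rollback can reach.
$unsupported = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($unsupported -contains $TargetDomainMode) {
    throw "Functional levels below Windows Server 2008 cannot be restored ($TargetDomainMode requested)."
}

# Guard 2: the Recycle Bin cannot be disabled, and Windows Server 2008 does not support it,
# so a 2008 target is unreachable once EnabledScopes is non-empty.
$recycleBin = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
$recycleBinEnabled = ($recycleBin.EnabledScopes.Count -gt 0)
if ($recycleBinEnabled -and $TargetDomainMode -eq 'Windows2008Domain') {
    throw 'AD Recycle Bin is enabled; the Windows Server 2008 functional level cannot be restored.'
}

$forest = Get-ADForest

# Step 1: the forest first. Lowering a domain while the forest is still higher
# fails with "cannot be lowered to the requested value".
if ($forest.ForestMode -ne $TargetForestMode) {
    Write-Host "Lowering forest $($forest.Name) from $($forest.ForestMode) to $TargetForestMode"
    Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode -Confirm:$false
}

# Step 2: every domain, in any order
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    if ($dom.DomainMode -ne $TargetDomainMode) {
        Write-Host "Lowering $($dom.DNSRoot) from $($dom.DomainMode) to $TargetDomainMode"
        Set-ADDomainMode -Identity $dom.DNSRoot -DomainMode $TargetDomainMode -Confirm:$false
    }
}

# Step 3: confirm the result
(Get-ADForest) | Select-Object Name, ForestMode
foreach ($d in (Get-ADForest).Domains) {
    Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode
}
```

The Recycle Bin check reads EnabledScopes rather than a boolean because Get-ADOptionalFeature exposes the feature's state as the list of partitions it is enabled in; an empty list means it was never enabled.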
5 comments
Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest
not Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Domain, right?
The command should look like the following:
Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest
The correct cmdlet to raise the domain functional level is:
Set-ADDomainMode -identity theitbros.com -DomainMode Windows2016Domain
Thanks for your instruction.
Also, you said that the “Exchange service will be affected” by the krbtgt reset when doing the upgrade from the 2003 level; may I ask how we can prevent it?
Hello,
I have Server 2008r2 level and I want to move to Server 2012r2 Level.
Will my Exchange Server 2016 be affected?
What are the risks?
Regards