Raise Active Directory Domain and Forest Functional Levels | Step-by-step guide

What are Functional Levels in Active Directory?

Active Directory functional levels determine which features are available in a domain or forest. There are two types of functional levels in Active Directory: the Domain Functional Level (DFL) and the Forest Functional Level (FFL). Domain controllers (DCs) can run different versions of the Windows Server operating system. Based on these versions, the domain functional level defines which features of Active Directory Domain Services (AD DS) the domain controllers can use. The forest functional level, on the other hand, determines which AD DS features are available in a forest.

A domain may have several domain controllers that use different versions of the Windows Server operating system. In this case, the functional level is defined by the features which are available on the domain controller using the oldest version of the operating system.

The basic requirement when choosing the domain functional level is that it must be at the same level as, or higher than, the forest functional level. The forest functional level is chosen so that it is compatible with the version of the Windows Server operating system that is in use.

Checking the Domain and Forest Functional Levels

The domain and forest functional levels in Active Directory can be checked using the Server Manager, Administrative Tools, or PowerShell commands. Once the existing functional levels have been checked, the administrator can determine which domains or forests need their functional levels to be raised. The checks can be performed by following the instructions given below.

Using Server Manager

  1. Log in to the Active Directory Domain Controller.
  2. Open the Server Manager and select the Tools option.
  3. Click on the Active Directory Domains and Trusts option.
  4. Right click on the root domain and select Properties.
  5. The current domain and forest functional levels on the Domain Controller are displayed under the General tab.

Using Administrative Tools

  1. Log in to the Active Directory Domain Controller.
  2. From the Start menu, select Windows Administrative Tools.
  3. Locate the Active Directory Domains and Trusts option in the list and double click on it.
  4. Right click on the root domain and select Properties.
  5. The current domain and forest functional levels on the Domain Controller are displayed under the General tab.

Using PowerShell Commands

  1. Log in to the Active Directory Domain Controller.
  2. From the Start menu, click on Windows PowerShell.
  3. Select the Run as Administrator option.
  4. To check the Domain Functional Level, use the following command.
       Get-ADDomain | fl Name,DomainMode
  5. To check the Forest Functional Level, use the following command.
       Get-ADForest | fl Name,ForestMode
  6. The respective domain and forest functional levels are displayed in the window.

Raising the Domain and Forest Functional Levels

Raising the functional level of a domain or forest in Active Directory serves the major purpose of upgrading the features that are available within the domain or forest. The domain controllers must run a version of the operating system that is compatible with the functional level. However, this constraint applies only to the domain controllers and not to the other servers or workstations within the domain. The same holds true for forest functional levels. Hence, the functional levels of the forests and domains need to be raised in some cases. In addition, raising the domain functional level provides additional features and security to the domain. Similarly, raising the forest functional level enhances the capabilities and features provided by all the domain controllers within the forest.

As mentioned earlier, the domain functional level must always be chosen to be at the same or higher level than the forest functional level. By default, whenever a new domain is added to the forest, it takes the same level as that of the forest functional level. A domain within a forest is allowed to operate at a functional level which is higher than the functional level of the forest, but can never operate at a lower functional level. For instance, if the forest functional level is set to Windows Server 2008, then the domain functional level can only be set to Windows Server 2008 or higher. It cannot be set to earlier versions such as Windows Server 2003 or Windows 2000.

When there are several domain controllers within the domain that use different versions of the Windows Server operating system, the functional level is limited to the features provided by the earliest version. For instance, if there are domain controllers running on Windows Server 2008 and Windows Server 2012, only the features provided by Windows Server 2008 are available within the domain. This is to ensure that all the domain controllers within the domain are able to support the same features.

However, once the functional level has been raised, it is difficult (or even impossible in some cases) to roll back to a lower level. This can generally be done only by rebuilding or restoring the domain from backup. For example, for Windows Server versions older than Windows Server 2008 R2, it is not possible to roll back to a lower functional level without rebuilding or restoring the domain or forest from backup.

Raise the Domain Functional Level

Before raising the functional level of a domain, the following prerequisites have to be fulfilled.

  1. The minimum requirement is a membership in the Domain Admins or Enterprise Admins group or an equivalent.
  2. All the domain controllers in the domain must run a version of the operating system that is compatible with the new functional level.

Once these requirements are met, the functional level of a domain can be raised by following the steps given below.

  1. From the Start menu, click on Administrative Tools.
  2. Select Active Directory Domains and Trusts.
  3. From the console, select the domain for which the functional level needs to be raised and right click on it.
  4. Click on the Raise Domain Functional Level option.
  5. Choose the required value from Select an available domain functional level and click on Raise.

Alternatively, this can also be done by right clicking on the required domain using the Active Directory Users and Computers snap-in and clicking on Raise Domain Functional Level.

The domain functional level can also be upgraded using the PowerShell command: Set-ADDomainMode

Raise the Forest Functional Level

Before raising the functional level of a forest, the following prerequisites have to be met.

  1. The minimum requirement is a membership in the Enterprise Admins group or an equivalent.
  2. The forest functional level should not be raised if there are any domain controllers which run an earlier version of Windows Server.

Once these requirements are met, the functional level of a forest can be raised by following the steps given below.

  1. From the Start menu, click on Administrative Tools.
  2. Select Active Directory Domains and Trusts.
  3. From the console, right click on Active Directory Domains and Trusts and select Raise Forest Functional Level.
  4. Choose the required value from Select an available forest functional level and click on Raise.

The forest functional level can also be upgraded using the PowerShell command: Set-ADForestMode

Best Practices

In conclusion, the following practices can be adopted to ensure that the domain and forest functional levels are raised with ease.
  1. Make a list of domain controllers running earlier versions of the operating system within the forest.
  2. Check whether end to end replication works within the forest.
  3. Verify whether the programs and services are compatible with the higher functional level.
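
The first two checks in this list can be combined with the Set-ADDomainMode and Set-ADForestMode commands from the sections above into one pre-flight script. The following is an added example, not part of the original guide; it requires the ActiveDirectory PowerShell module, and the target levels (Windows2016Domain, Windows2016Forest) and variable names are assumptions chosen for illustration.

```powershell
# Added example: pre-flight checks, then a dry run of the raise.
Import-Module ActiveDirectory

# Assumptions for illustration: target levels; adjust to your environment.
$TargetDomainMode = 'Windows2016Domain'
$TargetForestMode = 'Windows2016Forest'

# Minimum DC OS version (major.minor) that each domain mode requires.
$MinOsForMode = @{
    'Windows2008Domain'   = [version]'6.0'
    'Windows2008R2Domain' = [version]'6.1'
    'Windows2012Domain'   = [version]'6.2'
    'Windows2012R2Domain' = [version]'6.3'
    'Windows2016Domain'   = [version]'10.0'
}
$required = $MinOsForMode[$TargetDomainMode]

$forest = Get-ADForest
Write-Host ("Forest {0} is at {1}" -f $forest.Name, $forest.ForestMode)

# 1. List DCs in every domain whose OS is older than the target requires.
$blockers = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    Write-Host ("Domain {0} is at {1}" -f $domain.DNSRoot, $domain.DomainMode)
    Get-ADDomainController -Filter * -Server $domainName | ForEach-Object {
        # OperatingSystemVersion looks like "6.3 (9600)"; keep major.minor.
        $os = [version](($_.OperatingSystemVersion -split ' ')[0])
        if ($os -lt $required) {
            [pscustomobject]@{ Domain = $domainName; DC = $_.HostName; OS = $_.OperatingSystem }
        }
    }
}

# 2. Check end-to-end replication across the forest.
$replFailures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest |
    Where-Object { $_.FailureCount -gt 0 }

# 3. Raise only when nothing blocks; domains first, then the forest.
if ($blockers -or $replFailures) {
    $blockers | Format-Table -AutoSize
    $replFailures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
    Write-Warning 'Resolve the items above before raising the functional level.'
} else {
    # -WhatIf reports the change without applying it; remove it to commit.
    foreach ($domainName in $forest.Domains) {
        Set-ADDomainMode -Identity $domainName -Server $domainName -DomainMode $TargetDomainMode -WhatIf
    }
    Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode -WhatIf
}
```

The script does not cover the third item; compatibility of programs and services with the higher functional level still has to be verified separately.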