What are and how to raise Functional Levels on Windows Server (2003/2008/2012)


With each new release of Windows Server come new sets of features related to the domain and forest functional levels in your Active Directory domain.

Domain and forest functional levels provide a way to enable domain-wide features or forest-wide features in your Active Directory Domain Services (AD DS) environment. Different levels of domain functionality and forest functionality are available, depending on your network environment.

If all the domain controllers in your domain or forest are running the latest version of Windows Server and the domain and forest functional levels are set to the highest value, all domain-wide and forest-wide features are available.

Raising the functional level therefore involves only the domain controllers, not other member servers (unless specific or third-party applications used in the domain, or installed on the domain controllers, depend on a particular level).

What is the Impact of Upgrading the Domain or Forest Functional Level?

Before this question can be properly addressed, it must first be understood exactly what purpose the Domain and Forest Functional Levels serve. Each new version of Active Directory on Windows Server incorporates new features that can only be taken advantage of when all Domain Controllers (DCs) in either the domain or the forest have been upgraded to the same version. For example, Windows Server 2008 R2 introduces the AD Recycle Bin, a feature that allows the Administrator to restore deleted objects from Active Directory.

In order to support this new feature, changes were made in the way that delete operations are performed in Active Directory, changes that are only understood and adhered to by DCs running on Windows Server 2008 R2. In mixed domains, containing both Windows Server 2008 R2 DCs as well as DCs on earlier versions of Windows, the AD Recycle Bin experience would be inconsistent as deleted objects may or may not be recoverable depending on the DC on which the delete operation occurred.

To prevent this, a mechanism is needed by which certain new features remain disabled until all DCs in the domain, or forest, have been upgraded to the minimum OS level needed to support them.

After upgrading all DCs in the domain, or forest, the Administrator is able to raise the Functional Level, and this Level acts as a flag informing the DCs, and other components as well, that certain features can now be enabled.

Restrictions

There are two important restrictions of the Domain and Forest Functional Levels to understand; once the purpose of the levels is clear, both restrictions are obvious.

  • Once the Functional Level has been raised, new DCs running downlevel versions of Windows Server cannot be added to the domain or forest. The problems that might arise when installing downlevel DCs become pronounced with new features that change the way objects are replicated (e.g. Linked Value Replication). To prevent these issues, a new DC must run a version at the same level as, or greater than, the functional level of the domain or forest.
  • The second restriction, for which there is a limited exception starting with Windows Server 2008 R2, is that once raised, the Domain or Forest Functional Level cannot later be lowered. The only purpose such an ability would serve is to allow downlevel DCs to be added to the domain, and as shown above, that is generally a bad idea.

    Starting in Windows Server 2008 R2, however, you do have a limited ability to lower the Domain or Forest Functional Level: the Windows Server 2008 R2 Domain or Forest Functional Level can be lowered to Windows Server 2008, and no lower, if and only if none of the Active Directory features that require a Windows Server 2008 R2 Functional Level (such as the AD Recycle Bin) has been enabled. The Active Directory Domains and Trusts snap-in does not offer this; it is done with the Set-ADDomainMode and Set-ADForestMode PowerShell cmdlets.
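As an added example (not code from the original article), the following PowerShell script checks whether the AD Recycle Bin has been enabled and, only if it has not, previews lowering a Windows Server 2008 R2 forest and domain back to Windows Server 2008 with Set-ADForestMode and Set-ADDomainMode. It assumes the ActiveDirectory module (RSAT) is installed and the account holds Enterprise Admins rights; the -WhatIf switches keep it from changing anything until they are removed.

```powershell
# Added example (not from the original article): lower a Windows Server 2008 R2
# forest and domain to Windows Server 2008, guarded by the Recycle Bin check.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admins membership.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

"Forest functional level: {0}" -f $forest.ForestMode
"Domain functional level: {0}" -f $domain.DomainMode

# The AD Recycle Bin is the forest-wide feature that requires the 2008 R2 forest
# level. EnabledScopes stays empty until Enable-ADOptionalFeature is run; once it
# is populated the feature cannot be turned off and the level cannot be lowered.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

if ($recycleBin.EnabledScopes.Count -gt 0) {
    Write-Warning ("AD Recycle Bin is enabled in: " + ($recycleBin.EnabledScopes -join ', '))
    throw "Forest functional level cannot be lowered while the Recycle Bin is enabled."
}

if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest is at $($forest.ForestMode); this script only handles the 2008 R2 -> 2008 case."
}

# Order matters: the forest level can never exceed the lowest domain level, so the
# forest is lowered before any domain. -WhatIf previews the change; remove it to apply.
Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest -Confirm:$false -WhatIf

if ($domain.DomainMode -eq 'Windows2008R2Domain') {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008Domain -Confirm:$false -WhatIf
}
```

Run it once with -WhatIf to confirm the two cmdlets target the forest and domain you expect, then remove the switches. If the Recycle Bin check throws, there is no supported way back other than a forest recovery from backup.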

    Where’s the Undo Button?

    Even so, the change being irreversible is a real concern, so you must have a rollback plan in case something unforeseen and catastrophic happens to Active Directory. Take a system state backup of at least one domain controller in each domain before raising the level: apart from the limited Windows Server 2008 R2 exception described above, a forest recovery from those backups is the only way back.

    Tables

    The table below outlines the differences in domain and forest functional levels between Windows 2000, Windows Server 2003 and Windows Server 2008.

    [Table images not reproduced here: functional level comparison for Windows 2000, Windows Server 2003 and Windows Server 2008.]

    Ideally, all servers in an organization could run the latest version of Windows and take advantage of all the advanced features that are available with the newest software. But organizations often have a mixture of systems, generally running different versions of operating systems, which are migrated to the latest version only as organizational requirements demand additional functionality, either for the entire organization or for a specific area of the organization.

    AD DS supports phased implementation of new versions of Windows Server and advanced features on domain controllers by providing multiple functional levels, each of which is specific to the versions of Windows Server operating systems that are running on the domain controllers in the environment.

    These functional levels provide configuration support for the AD DS features and ensure compatibility with domain controllers running earlier versions of Windows Server.
    AD DS does not automatically enable advanced features, even if all domain controllers within a forest are running the same version of Windows Server.

    Instead, an administrator raises a domain or forest to a specific functional level to safely enable advanced features when all domain controllers in the domain or forest are running an appropriate version of Windows Server. When an administrator attempts to raise the functional level, AD DS checks whether all domain controllers are running an appropriate Windows Server operating system to ensure the proper environment for enabling new Active Directory features.

    Domain functional levels

    Seven domain functional levels (in total) are available:

  • Windows 2000 mixed (the default in Windows Server 2003)
  • Windows 2000 native
  • Windows Server 2003 interim
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012

    Setting the functional level for a domain enables features that affect the entire domain and that domain only. If all domain controllers in a domain are running Windows Server 2012 and the functional level is set to Windows Server 2012, all domain-wide features are available.

    The concept of enabling additional functionality in AD DS dates back to Windows 2000 with its mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers but cannot use universal security groups, group nesting, or security identifier (SID) history. Once the domain is switched to native mode, those capabilities become available. Domain controllers running Windows NT 4.0 or Windows 2000 Server are not aware of Windows Server 2003 or higher domain and forest functional levels.

    Forest functional level

    Six forest functional levels (in total) are available:

  • Windows 2000 (the default in Windows Server 2003 and Windows Server 2008)
  • Windows Server 2003 interim
  • Windows Server 2003 (the default in Windows Server 2008 R2)
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012

    Setting the functional level for a forest enables features across all the domains within a forest. If all domain controllers in a forest are running Windows Server 2012 and the functional level is set to Windows Server 2012, all forest-wide features are available.

    Best Practices

    What can be done before making this change to keep the number of issues as small as possible? There are some best practices you can follow:

  • Verify that all DCs in the domain are, at a minimum, running the OS version to which you will raise the functional level. What about that DC you decommissioned but for which you never performed metadata cleanup? Yes, this does happen: its NTDS Settings object is still in the directory and will block the raise until it is removed (for example with ntdsutil metadata cleanup).
  • Another good one that is not so obvious is the LostAndFoundConfig container in the Configuration partition. Is there an NTDS Settings object in there for some downlevel DC? If so, that will block raising the Domain Functional Level, so you had better clean it up.
  • Verify that Active Directory is replicating properly to all DCs. The Domain and Forest Functional Levels are essentially just attributes in Active Directory. The new Domain Functional Level of every domain must have replicated before you will be able to raise the Forest Functional Level.
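The checks above, followed by the raise itself, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module (RSAT), repadmin.exe on the path, and an account that is a Domain Admin in every domain and an Enterprise Admin for the forest step; the target levels (Windows Server 2008 R2) are assumptions to adjust for your environment. Take a system state backup of a DC in each domain before removing the -WhatIf switches.

```powershell
# Added example (not from the original article): run the pre-checks from the list
# above, then raise every domain and the forest. Assumes the ActiveDirectory module
# (RSAT), repadmin.exe on the path, Domain Admins in each domain and Enterprise
# Admins for the forest step. The target levels are assumptions; adjust them.
Import-Module ActiveDirectory

$targetDomainMode = 'Windows2008R2Domain'
$targetForestMode = 'Windows2008R2Forest'
$minimumOsVersion = [version]'6.1'   # 6.1 = Windows Server 2008 R2 (6.0 = 2008, 6.2 = 2012)

$forest   = Get-ADForest
$problems = New-Object System.Collections.Generic.List[string]

# 1. Every DC in every domain must already run the target OS or newer. A decommissioned
#    DC whose metadata was never cleaned up still has its NTDS Settings object, so it
#    shows up here with its old OS version and must be removed with ntdsutil first.
foreach ($domainName in $forest.Domains) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
        $verText = ("$($dc.OperatingSystemVersion)" -split ' ')[0]   # "6.1 (7601)" -> "6.1"
        $ver = $null
        if (-not [version]::TryParse($verText, [ref]$ver) -or $ver -lt $minimumOsVersion) {
            $problems.Add("DC $($dc.HostName) in $domainName runs '$($dc.OperatingSystem) $($dc.OperatingSystemVersion)'")
        }
    }
}

# 2. An NTDS Settings object orphaned into LostAndFoundConfig also blocks the raise.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=LostAndFoundConfig,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' |
    ForEach-Object { $problems.Add("Orphaned NTDS Settings object: $($_.DistinguishedName)") }

# 3. Replication must be healthy: the new level is just an attribute that every DC
#    has to receive. repadmin's CSV output carries a "Number of Failures" column per link.
& repadmin.exe /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    ForEach-Object {
        $problems.Add("Replication failing: $($_.'Destination DSA') <- $($_.'Source DSA') [$($_.'Naming Context')], last status $($_.'Last Failure Status')")
    }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Pre-checks failed; fix the items above before raising the functional level."
}

# 4. Raise each domain first, then the forest: the forest level cannot exceed the lowest
#    domain level, and each domain's change must replicate before the forest raise succeeds.
#    Domains already at or above the target are skipped. -WhatIf previews; remove it to apply.
$targetDomainEnum = [Microsoft.ActiveDirectory.Management.ADDomainMode]$targetDomainMode
foreach ($domainName in $forest.Domains) {
    $current = (Get-ADDomain -Identity $domainName).DomainMode
    if ([int]$current -ge [int]$targetDomainEnum) {
        "$domainName is already at $current; skipping"
        continue
    }
    Set-ADDomainMode -Identity $domainName -DomainMode $targetDomainMode -Confirm:$false -WhatIf
}
Set-ADForestMode -Identity $forest -ForestMode $targetForestMode -Confirm:$false -WhatIf
```

If the forest raise still fails after the domain raises have been applied, wait for replication to converge (repadmin /replsummary) and retry; the cmdlet performs the same "all DCs at an appropriate OS" check that Active Directory Domains and Trusts does.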

    Conclusion

    To summarize, the Domain or Forest Functional Levels are flags that tell Active Directory and other Windows components that all DCs in the domain or forest are at a certain minimal level. When that occurs, new features that require a minimum OS on all DCs are enabled and can be leveraged by the Administrator.

    Older functionality is still supported so any applications or services that used those functions will continue to work as before -- queries will be answered, domain or forest trusts will still be valid, and all should remain right with the world.
