Home WindowsActive Directory How to Raise Forest Functional Level and Domain Level in Active Directory?
Active Directory

How to Raise Forest Functional Level and Domain Level in Active Directory?

written by Cyril Kardashevsky

The functional level of the Active Directory domain and forest determines the available features that can be used in the domain, and the version of Windows that can be used on the domain controllers. In this article, we’ll show you how to raise the functional level of your Active Directory domain and forest.

Active Directory Functional Levels

The table below shows the available domain and forest functionality levels, the new supported features, and the versions of Windows Server that can be used on domain controllers.

Functional level New features Supported Windows Server version for DC
Windows Server 2000 Windows Server 2000 – 2008 R2
Windows Server 2003 Windows Server 2003 – 2016
Windows Server 2008
  • DFS replication for SYSVOL instead FRS
  • Fine-grained password policies
 Windows Server 2008 – 2022
Windows Server 2008 R2 Windows Server 2008 R2 – 2022
Windows Server 2012 KDC support for claims, compound authentication Windows Server 2012 – 2022
Windows Server 2012 R2
  • Protected Users
  • Authentication Policies
 Windows Server 2012 R2 – 2022
Windows Server 2016 Privileged access management with MIM

Smart card required for interactive logon

 Windows Server 2016 – 2022

Note that no new forest or domain functional levels have been added in the new versions of Windows Server 2022 and Windows Server 2019. Currently, Windows Server 2016 is the maximum functional level for Active Directory.

How to Check the Domain and Forest Functional Levels?

You can check the current domain and forest functional levels using the Active Directory Domains and Trusts mmc snap-in (domain.msc). Open your domain properties. Domain and forest functional levels are listed on the General tab. In our case, these are the Windows Server 2012 R2 forest and domain functional levels.

raise forest functional level

You can also get the current domain functional level (DFL) using PowerShell:

Get-ADDomain | fl Name, DomainMode

Windows2012R2Domain

Now let’s check the forest functional level (FFL):

Get-ADForest | fl Name, ForestMode

Windows2012R2Forest

raise domain functional level

Raising the Forest and Domain Functional Levels to Windows Server 2016

Before raising the domain and forest functional level, you need to upgrade version of Windows Server OS on all domain controllers to Windows Server 2016, 2019, or 2022. You can perform an in-place upgrade (not recommended), or install additional domain controller with Windows Server 2022/2019/2016, move the FSMO roles, and remove the legacy DCs from your Active Directory environment.

Check and ensure that AD replication is working properly in your domain and forest. You can check the Active Directory replication health using the repadmin tool or with PowerShell:

Repadmin /replsummary

Repadmin /Showrepl

Get-ADReplicationFailure -Target theitbros.com -Scope Domain

Get-ADReplicationFailure -Target theitbros.com -Scope Forest

Before you can raise the functional level of an AD forest, you must upgrade the functional level of all the domains in the forest.

To raise the functional level of a domain, you can run the MMC snap-in Active Directory Domains and Trusts. Right-click on the domain name, and select Raise Domain Functional Level.

how to raise forest functional level

In the window that opens, select the functional level Windows Server 2016, and click the Raise button.

raise forest functional level powershell

In the same way, update the functional level for all the domains in your AD forest. Once you have done this, you will be able to raise the forest functional level.

Use the Active Directory Domains and Trusts snap-in to raise the functional level of the forest.

  1. Right-click on the root of the snap-in, and select Raise Forest Functional Level;
  2. Select the desired functional forest level, and click the Raise button;
  3. Now when you open the Raise Forest Functional Level window again, a message will appear:

    This forest is operating at the highest possible functional level.

you cannot raise the domain functional level because this domain includes active directory domain

When the functional level of the domain is upgraded, the password for the krbtgt system account is automatically changed. If you have an on-premises Exchange Server in your domain, this may cause it to stop due to authentication issues. After updating the DFL, you must restart the Kerberos Key Distribution Centre (KDC) service on all domain controllers:

$DC=Get-ADDomainController

Get-Service KDC –ComputerName $DC | Restart-Service

Raise Domain and Forest Functional Levels with PowerShell

You can also raise the domain functional level using PowerShell:

Set-ADDomainMode -identity theitbros.com -DomainMode Windows2016Domain

Run this command against every domain in your forest.

Wait for AD replication to complete and verify that all domain controllers report that the domain functional level is now Windows2016Domain.

Now you can raise the forest functional level:

Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest

Note. If you have not upgraded the DFL on any of the domains in the forest, the Set-ADForestMode command returns an error:

The functional level of the domain (or forest) cannot be raised to the requested value, because there exist one or more domain controllers in the domain (or forest) that are at a lower incompatible functional level.

Cannot Raise the Domain or Forest Functional Level

In this section, we will collect some of the errors that may occur when you raise forest functional level.

ERROR_DS_DOMAIN_VERSION_TOO_LOW 8566 (0x2176)

This section lists some of the errors that can occur when increasing the forest’s or domain’s functional level.

You cannot raise the domain functional level because this domain includes Active Directory Domain Controllers that are not running the appropriate version of Windows Server.

raise domain and forest functional level

The error means that there are domain controllers in your domain with a previous version of Windows Server. List the versions of domain controllers in AD using PowerShell:

Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem

Find domain controllers running previous version of Windows Server and upgrade them to at least Windows Server 2016 or remove (demote) their accounts from AD, and clean up Active Directory metadata and AD Sites configuration.

ERROR_DS_FOREST_VERSION_TOO_LOW 8565 (0x2175)

The following error is similar to the previous one, except that it is related to the presence of previous versions of Windows Server on domain controllers in the AD forest:

The version of the operating system installed on this server no longer supports the current AD DS Forest functional level or AD LDS Configuration Set functional level. You must raise the AD DS Forest functional level or AD LDS Configuration Set functional level before this server can become an AD DS Domain Controller or an AD LDS Instance in this Forest or Configuration Set.

Downgrade Domain and Forest Functional Levels in AD

Starting with Windows Server 2008 R2, you can roll back the forest level and the domain level after you have raised them.

  • The minimum target DFL that you can downgrade to is Windows Server 2008.
  • You can’t roll back to Windows Server 2008 functional level after enabling the AD Recycle Bin. You can check if the AD Recycle Bin is enabled in your domain:
Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

You can only downgrade using PowerShell (you can’t do it using the GUI).

Open a PowerShell console with Domain Admin/Enterprise Admin privileges. Check the current FFL:

(Get-ADForest).forestmode

Check the DFL for each domain in the forest:

$domains=(Get-ADForest).domains

foreach ($domain in $domains) {

Get-ADDomain -Identity $domain| select DNSRoot,DomainMode

}

You can downgrade the forest functional level to Windows Server 2012 with the command:

Set-ADForestMode –Identity contoso.com –ForestMode Windows2012Forest

Then perform a functional level downgrade for each domain. You can downgrade DFL in child domains in any order.

Set-ADDomainMode –Identity contoso.com –DomainMode Windows2012Domain

Trying to reduce the DFL before the FFL will result in the error:

Set-ADDomainMode : The functional level of the domain (or forest) cannot be lowered to the requested value.
kardashevsky cyril

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.

5 comments

Johannes April 25, 2021 - 10:43 am

Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest
nicht Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Domain oder?

a April 26, 2021 - 7:44 am

The command should look like the following
Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest

Richard Shibley November 9, 2021 - 3:36 pm

The correct cmdlet to raise the domain functional level is:

Set-ADDomainMode -identity theitbros.com -DomainMode Windows2016Domain

Nha Pham November 9, 2021 - 11:47 pm

Thanks for your instruction.

Also, you said that the “Exchange service will be affected” with krbtgt reset when do the upgrade from 2003 level, may I ask how can we prevent it?

Gerardo A July 13, 2022 - 1:53 pm

Hello,
I have Server 2008r2 level and I want to move to Server 2012r2 Level.
does my Exchange Server 2016 will be affected?.
what are the risks ?
Regards

Comments are closed.