Upgrading Functional Levels KB ID 0001851
Problem
For over twenty years, I’ve been involved with domain migrations, and I’ve had to upgrade both domain and forest functional levels thousands of times. I’ve also had to deal with many clients who were somewhat nervous when they knew that I was updating, their forest and the domain functional levels. I’m not sure if it’s just embedded in IT folklore that something horrible might happen, and because you or unable to revert if you make the mistake of upgrading these levels when you should not have done so. But in all honesty, in all the time I’ve been involved in domain migrations only once have I ever had a problem, and in that instance, the upgrade process failed because the client had Exchange, 2000 (that’s how long ago that was).
What are Domain and Forest functional levels used for?
Each version of Windows that is released, introduces new functionality, that’s built into Active Directory, and so that the clients can take advantage of that functionality, there are certain prerequisites that must be met for this to work. One of the most obvious prerequisites, is that all domain controllers be running the same version to support those new functionalities. For example, way back with server 2008, the AD recycle bin was introduced, imagine, trying to enable that feature if half of the domain controllers in your environment did not support it. That’s all that the functional level, does it sits and waits for you to get all your servers at the correct version, before you can enable a feature.
Now active directory won’t let you upgrade functional levels if your servers are non-compliant. i.e. ruining an older or unsupported operating system, therefore all the functional level is, is just a safety gate that turns on features. With that in mind, why would you be nervous that you’re adding additional features to Active Directory?
Things to Consider Before Upgrading Functional Levels
- Check that all domain controllers are working and replicating properly and are running a version of Windows Server that supports the desired functional level.
- Back up all domain controllers and verify the backups.
- Ensure that all domain functional levels are equal to or higher than the forest functional level.
- Review the new features and requirements of the target functional level and plan for any changes or impacts on your applications, services, and clients. Pay particular attention to Microsoft Exchange (if still running on premises or in hybrid mode).
- If possible, test the functional level change in a lab environment that mimics your production environment as closely as possible.
- Communicate the functional level change to your stakeholders and schedule a maintenance window for the operation.
- Follow the instructions on how to raise the domain and forest functional level and monitor the replication and health of your domain controllers after the change.
- Official documentation says you CANNOT downgrade functional levels; however this is not true* however, you should only lower the functional level if you encounter a serious problem that cannot be resolved otherwise.
*Note: You can downgrade but no further than server 2008. It is possible to downgrade from Server 2016 (the current maximum) to Server 2012 R2, Server 2012, Server 2008 R2, and Server 2008. In reality (if you’ve been looking after your AD) you should never need to downgrade more than one version anyway.
Upgrading Functional Levels
Both the domain and forest functional levels can be upgraded with the ‘Active Directory Domains and Trusts” management console, the domain by simply right clicking the domain in question then checking the version you want to upgrade to, then click raise.
When Upgrading Functional Levels simply right click Active Directory Domains and Trusts > Raise forest functional level > Checking the version you want to upgrade to then click raise.
Upgrading Functional Levels (PowerShell)
To do the same with Powershell.
[box]
Set-ADForestMode –Identity domain.com –ForestMode Windows2016Forest Set-ADDomainMode –Identity domain.com –DomainMode Windows2016Domain
[/box]
Verify Upgrading Functional Levels was Successful
Look in the Directory Service Event log for the following events.
Event ID 2039 (Successful Domain Functional Level Update).
Event ID 2040 (Successful Forest Functional Level Update).
Downgrading Functional Levels (PowerShell)
The following procedure was carried out on my test bench, when upgrading Functional Levels (in the past) Microsoft released guidance on how to downgrade functional levels to Server 2008 R2 this was handy if you wanted to perform an ADMT domain migration and had raised your levels to Server 2012 (though the tool was later fixed to support newer functional levels).
Remember this is a last resort if you are having problems and remember to ensure you have decent backups of everything before proceeding.
Firstly check the currently domain and forest functional levels.
[box]
Get-ADDomain | Format-Table Name , DomainMode Get-ADForest | Format-Table Name , ForestMode
[/box]
Then to downgrade (in this example to Serve r2012 R2 use the following commands).
[box]
Set-ADForestMode –Identity domain.com –ForestMode Windows2012R2Forest Set-ADDomainMode –Identity domain.com –DomainMode Windows2012R2Domain
[/box]
Check that the change has occurred by running the same command you used above.
[box]
Get-ADDomain | Format-Table Name , DomainMode Get-ADForest | Format-Table Name , ForestMode
[/box]
Then to prove its not all ‘smoke and mirrors’ look in ‘Active Directory domains and Trusts’ > {your-domain-name} > Right click “raise domain functional level’.
And in the same management snap-in check the forest functional level.
Related Articles, References, Credits, or External Links
NA