How to verify AD DS FFL/DFL and how to roll back to a lower level

Microsoft Active Directory Domain Services evolves with each edition of Windows Server, and whenever you do an initial install of AD DS or upgrade your DC servers there is an option/decision for you to set/upgrade the Domain and Forest functional levels (I will further refer to those as DFL and FFL respectively). Each new level introduces some new features, and starting from 2008 R2 there is an option to roll back to lower levels. This is possible only if you have not enabled certain features which require the current FFL/DFL (think of the AD recycle bin etc.).

In short it means that from Server 2012 R2 DFL/FFL you can roll back as far down as Server 2008 (certain limitations apply here). In the following TechNet article, “Understanding Active Directory Domain Services (AD DS) Functional Levels”, you can find details on the features available at each functional level as well as a neat table describing the possible rollback options. In this blog post I want to describe how you can check your current FFL/DFL and perform a rollback to a lower level.

Most of the features are tied to the DFL, and some of those have FFL requirements. To give you an idea of which features become available with a newer DFL:

Server 2008: DFS replication support for WS 2003 SYSVOL, Domain-based DFS namespaces (includes support for access-based enumeration and increased scalability), AES128/256 for Kerberos, Last Interactive Logon Information, Fine-grained password policies, Personal Virtual Desktops.

Server 2008 R2: Authentication mechanism assurance (packages information about the logon method type into the Kerberos token), automatic SPN management for services running on a specific computer under the context of a Managed Service Account when the name of the machine account changes.

Server 2008 R2 FFL: Active Directory recycle bin

Server 2012: KDC support for claims, compound authentication and Kerberos armoring

Server 2012 R2: DC-side protections for Protected Users, Authentication Policies, Authentication Policy Silos.

Now to the practical part of this blog post. How to check the current FFL/DFL:

1) GUI way. Open the “Active Directory Domains and Trusts” snap-in and right-click on your domain to access its properties. On the General tab you will be able to see the DFL/FFL:

2) PowerShell method 1. This method does not require admin or domain admin rights, and can be used even as a limited user on a domain-joined workstation with PowerShell v2/v3 or newer. It also does not require any third-party tools or PowerShell modules (e.g. the Microsoft PowerShell AD Module).

$dse = ([ADSI] "LDAP://RootDSE")
# Domain Controller Functional Level
$dse.domainControllerFunctionality
# Domain Functional Level
$dse.domainFunctionality
# Forest Functional Level
$dse.forestFunctionality

This script will return 3 numeric values which can be interpreted using the following table:

Value  Forest         Domain              Domain Controller
0      2000           2000 Mixed/Native   2000
1      2003 Interim   2003 Interim        N/A
2      2003           2003                2003
3      2008           2008                2008
4      2008 R2        2008 R2             2008 R2
5      2012           2012                2012
6      2012 R2        2012 R2             2012 R2
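To save you the manual lookup, here is an added example (my own script for this post, not part of the method above) that reads the same three RootDSE attributes and decodes them with the table. Like method 1 it needs no AD module and no elevated rights; the optional -Server parameter and the function name Get-FunctionalLevelReport are my own choices:

```powershell
# Added example: decode RootDSE functional-level values with the table above.
# Needs only .NET/ADSI, no ActiveDirectory module, no admin rights.
$levelNames = @{
    0 = 'Windows 2000 (Mixed/Native)'
    1 = 'Windows Server 2003 Interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
}

function Get-FunctionalLevelReport {
    param(
        # Optional DC to query; without it the locator picks a DC for you.
        [string]$Server
    )
    $path = if ($Server) { "LDAP://$Server/RootDSE" } else { "LDAP://RootDSE" }
    $dse  = [ADSI]$path

    # Each attribute comes back as a property value collection holding one string.
    $dcLevel     = [int]$dse.domainControllerFunctionality.Value
    $domainLevel = [int]$dse.domainFunctionality.Value
    $forestLevel = [int]$dse.forestFunctionality.Value

    [pscustomobject]@{
        AnsweringDC      = $dse.dnsHostName.Value
        DomainController = "$dcLevel - $($levelNames[$dcLevel])"
        Domain           = "$domainLevel - $($levelNames[$domainLevel])"
        Forest           = "$forestLevel - $($levelNames[$forestLevel])"
        # Rollback floor from this post: levels can only be lowered down to 2008 (value 3),
        # and only if no feature requiring the current level has been enabled.
        RollbackPossible = ($forestLevel -gt 3 -or $domainLevel -gt 3)
    }
}

Get-FunctionalLevelReport | Format-List
```

Running it against several DCs (for example in a loop over `Get-FunctionalLevelReport -Server dc01`, `-Server dc02`, ...) is also a cheap way to spot a DC whose domainControllerFunctionality is lower than the domain level, which is exactly the situation that prevents a raise and that a rollback plan has to account for.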

3) PowerShell method 2. Requires the Microsoft PowerShell AD Module.

# Get the Forest functional level
(Get-ADForest).ForestMode
# Get the Domain functional level
(Get-ADDomain).DomainMode

This script gives easily readable output (e.g. Windows2012R2Forest) instead of the numbers you get with method (2).

How to roll back to a lower FFL/DFL:

While you can raise the FFL/DFL via the GUI using the “Active Directory Domains and Trusts” snap-in, you cannot lower it using the GUI and have to use PowerShell for this. Here are the commands you have to use:

Set-ADForestMode -Identity "yourdomain.com" -ForestMode Windows2008Forest
Set-ADDomainMode -Identity "yourdomain.com" -DomainMode Windows2008Domain

Order is important: first forest, then domain. Depending on your current DFL/FFL, the values for the ForestMode/DomainMode parameters include the following: Windows2012Forest/Windows2012Domain, Windows2008R2Forest/Windows2008R2Domain and Windows2008Forest/Windows2008Domain.

As the possibility to lower the FFL/DFL was introduced in Server 2008 R2, you cannot go lower than Server 2008. So if for your tests you need something like Server 2003 or Windows 2000 in terms of FFL/DFL, you have to install AD DS from scratch.
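Because the two Set-AD*Mode calls are irreversible in the sense that you cannot go back below 2008, and because an enabled Recycle Bin blocks the forest step, it pays to wrap them in a small pre-flight check. The following is an added example of my own for this post (not a Microsoft script); it assumes the ActiveDirectory module, Enterprise Admin rights, and a target of Server 2008 levels by default. The function name Invoke-FunctionalLevelRollback is mine. It supports -WhatIf, so you can dry-run it first:

```powershell
# Added example: pre-flight check plus forest-first, domain-second rollback.
Import-Module ActiveDirectory

function Invoke-FunctionalLevelRollback {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [ValidateSet('Windows2008Forest', 'Windows2008R2Forest', 'Windows2012Forest')]
        [string]$ForestMode = 'Windows2008Forest',

        [ValidateSet('Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain')]
        [string]$DomainMode = 'Windows2008Domain'
    )

    $forest = Get-ADForest
    $domain = Get-ADDomain
    Write-Verbose "Current FFL: $($forest.ForestMode)  Current DFL: $($domain.DomainMode)"

    # Recycle Bin is a 2008 R2 FFL feature; once enabled, the forest cannot drop below 2008 R2.
    $recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    if ($recycleBin -and $recycleBin.EnabledScopes.Count -gt 0 -and $ForestMode -eq 'Windows2008Forest') {
        throw "Recycle Bin is enabled ($($recycleBin.EnabledScopes -join ', ')); FFL cannot be lowered to 2008."
    }

    # Order matters: the forest level must come down before any domain level can.
    if ($PSCmdlet.ShouldProcess($forest.Name, "Lower forest functional level to $ForestMode")) {
        Set-ADForestMode -Identity $forest.Name -ForestMode $ForestMode -Confirm:$false
    }
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, "Lower domain functional level to $DomainMode")) {
        Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode $DomainMode -Confirm:$false
    }

    # Re-read so the caller sees the levels the DCs now advertise.
    [pscustomobject]@{
        Forest     = $forest.Name
        ForestMode = (Get-ADForest).ForestMode
        Domain     = $domain.DNSRoot
        DomainMode = (Get-ADDomain).DomainMode
    }
}

# Dry run first; drop -WhatIf to actually change the levels.
Invoke-FunctionalLevelRollback -WhatIf -Verbose
```

The -Confirm:$false on the inner cmdlets is deliberate: the function's own ShouldProcess prompt (ConfirmImpact 'High') already asks once per step, so you get a single, clearly worded confirmation instead of two nested ones. In a multi-domain forest, run the domain step once per domain (against each domain's DNSRoot) after the forest step has completed.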

2 Comments

  • Anil says:

    I do understand rollback is a real necessity. Can it be done for specific changes only? I would consider a solution for this then... a third-party solution. I do know it is a big problem solution, but instead of a complete state rollback, can it be a specific change(s) rollback?

    • Mikhail says:

      @Anil I don’t understand your question here. I can try and reply to it if you maybe explain/rephrase it.
