Microsoft Active Directory Services evolves with each edition of Windows Server and whenever you do initial install of AD DS or upgrade your DC servers there is an option/decision for you to set/upgrade Domain and Forest functional levels (I will further refer those ad DFL and FFL respectively). Each new level introduces some new features and starting from 2008 R2 there is an option to do a rollback to lower levels. This is possible only if you not enabled certain features which require current FFL/DFL (think of AD recycle bin etc.).
In short it means that from Server 2012 R2 DFL/FFL you can rollback as far down as to Server 2008 (certain limitation are applicable here). In the following TechNet article: “Understanding Active Directory Domain Services (AD DS) Functional Levels” you can find details on features available on each functional level as well as neat table describing possible rollback options. In this blog post I want to describe how you can check your current FFL/DFL and perform rollback to lower level.
Most of the features are included in DFL, and those may have FFL requirements. To give you an idea of which features are become available with newer DFL:
Server 2008: DFS replication support for WS 2003 SYSVOL, Domain-based DFS namespaces (includes support for access-based enumeration and increased scalability), AES128/256 for Kerberos, Last Interactive Logon Information, Fine-grained password policies, Personal Virtual Desktops.
Seriver 2008 R2: Authentication mechanism assurance (packages info about logon method type into Kerberos token), automatic SPN management for services running on specific computer under the context of Managed Service Account when the name of machine account changes
Server 2008 R2 FFL: Active Directory recycle bin
Server 2012: KDC support for claims, compound authentication and Kerberos armoring
Server 2012 R2: DC-side protections for Protected Users, Authentication Pilicies, Authentication Policy Silos
Now to the practical part of this blog post. How to check current FFL/DFL:
1) GUI way. Access “Active Directory Domains and Trusts” snap-in and right click on your domain to access its properties. On General tab you will be able to see DFL/FFL:
2) PowerShell mehod 1. This method does not require admin or domain admin rights, and can be used even with a limited user on a domain-joined workstation with Powershell v2/v3 or newer. It also does not require any third party tools or Powershell modules (e.g. Microsoft Powershell AD Module).
$dse = ([ADSI] "LDAP://RootDSE")
# Domain Controller Functional Level
# Domain Functional Level
# Forest Functional Level
This script will return 3 numberic values which can be interpreted using the following table:
Value Forest Domain Domain Controller
0 2000 2000 Mixed/Native 2000
1 2003 Interim 2003 Interim N/A
2 2003 2003 2003
3 2008 2008 2008
4 2008 R2 2008 R2 2008 R2
5 2012 2012 2012
6 2012 R2 2012 R2 2012 R2
3) PowerShell method 2. Requires Microsoft PowerShell AD Module.
# Get the Forest functional level
# Get the Domain functional level
This script gives easily readable output instead of numbers you get with method (2).
How to rollback to lower FFL/DFL:
While you can raise FFL/DFL via GUI using “Active Directory Domains and Trusts” snap-in you cannot lower it using GUI and have to use PowerShell for this. Here is command you have to use:
Set-ADForestMode –Identity “yourdomain.com” –ForestMode Windows2008Forest
Set-ADDomainMode –Identity “yourdomain.com” –DomainMode Windows2008Domain
Order is important: first forest, then domain. Depending on your current DFL/FFL valuee for ForestMode/DomainMode parameters include the following: Windows 2012, Windows 2008R2, Windows2008.
As possibility to lower FFL/DFL was introduced in Server 2008 R2 you cannot go lower than Server 2008. So in case for your tests you need something like Server 2003 or Windows 2000 in terms of FFL/DFL you have to install AD DS from scratch.
Please follow and like us: