Wednesday, February 5, 2014

Windows Server 2012 - Active Directory - Domain and Forest Functional Levels.

Domain and forest functional levels (abbreviated as DFL and FFL) determine what functionality is available in a domain (or forest) based on the version of domain controllers present.

What do we mean by "functionality"?

For example, the Active Directory Recycle Bin was introduced with Windows 2008 R2 (and later improved in Windows Server 2012). If we want to use the Recycle Bin, our FFL must be - at least - Windows 2008 R2. That means that all domain controllers in the forest must run Windows 2008 R2 (or above). Other features may be available at a lower functional level. If we want to rename the domain, for example, the Windows 2003 FFL would suffice.

We can raise the functional level in at least three places.

For the domain level, we can open Active Directory Users and Computers (ADUC), right-click on the icon representing the domain, and select "Raise Domain Functional Level".

For the forest, we go to Active Directory Domains and Trusts (ADDT), right-click on the icon and select "Raise Forest Functional Level".

Note: we can also raise the DFL in ADDT by right-clicking the domain icon.

We can safely click on these options because the level is not raised at this step, but only after we select the new functional level and click "Raise". This is what we see in ADDT:

In fact, we can select among several levels, depending on the domain controllers that are present. Here, we can select up to Windows Server 2012:

Note: with Windows Server 2012 R2, there is now yet another possible level.

The Active Directory Administrative Center is the second place we can raise functional levels. Once again, we right-click on the domain icon and select among the options in the resulting drop-down menu:

The third place we can raise the DFL and FFL (and lower them, in some cases) is the PowerShell command line. I'll present the cmdlets in a moment, but first I want to take a look at the designations of the various levels. Since we are (in my test network) already at the Windows 2003 DFL, we have these options remaining:

- Windows2008Domain - or "3"
- Windows2008R2Domain - or "4"
- Windows2012Domain - or "5"

And more recently, with the release of Windows 2012 R2:

- Windows2012R2Domain - or "6"

So, if we want to raise the DFL, we can either type "Windows2008Domain" or just the number "3" (without quotes in both cases).

Here is the complete command:

Set-ADDomainMode mynet.lan -DomainMode Windows2008Domain

There is a similar command for the FFL, for example:

Set-ADForestMode -identity mynet.lan -ForestMode Windows2008Forest

Note: the parameter -identity is positional, which means we can omit it if we prefer.

So that is how we can raise the DFL (or FFL) with PowerShell cmdlets - at least in theory.

My first attempts with these cmdlets were not successful. Here are the results:

PS C:\> Get-ADDomain | Set-ADDomainMode -DomainMode Windows2008Domain

[snip - confirmation prompt was here]

Set-ADDomainMode : A referral was returned from the server at line:1 char:16
+ Get-ADDomain | Set-ADDomainMode -DomainMode Windows2008Domain
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : ResourceUnavailable: (DC=mynet,DC=lan:ADDomain) [Set-ADDomainMode]


However, if I attempt the same operation from the GUI, it is successful.

In fact, I learned that this command apparently requires the designation of the PDC emulator.

Indeed, if I use the syntax below (where DC2 is the PDCe)....

PS C:\> Set-ADDomainMode mynet.lan -DomainMode Windows2008R2Domain -Server DC2

The operation succeeds.


Set-ADDomainMode - ResourceUnavailable

And thanks once again to Christopher.
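As an added example (not code from the original post), the script below wraps the raise procedure described above in a preflight check: it inventories the domain's DCs with their OS versions, refuses the raise if any DC is older than the target level, and then runs Set-ADDomainMode against the PDC emulator, which is the fix the post arrives at for the "referral" error. It assumes the RSAT ActiveDirectory module; the domain name and level names come from the post, while the function name, the level-to-OS-version map and the -Apply switch are my own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
# Domain name and level names are the post's; the function and version map are mine.
Import-Module ActiveDirectory

# Minimum Windows NT version a DC must run for each DFL (Windows Server 2008 R2 = 6.1, etc.).
$MinDcVersion = @{
    Windows2008Domain   = [version]'6.0'
    Windows2008R2Domain = [version]'6.1'
    Windows2012Domain   = [version]'6.2'
    Windows2012R2Domain = [version]'6.3'
}

function Invoke-DflRaise {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADDomainMode]$TargetMode,
        [switch]$Apply    # without -Apply the cmdlet only runs with -WhatIf
    )

    $d    = Get-ADDomain -Identity $Domain
    $pdce = $d.PDCEmulator
    Write-Host "Domain $($d.DNSRoot): current DFL $($d.DomainMode), PDC emulator $pdce"

    # The enum values are ordered (Windows2008Domain = 3, ... Windows2012R2Domain = 6).
    if ([int]$d.DomainMode -ge [int]$TargetMode) {
        Write-Warning "DFL is already at or above $TargetMode; nothing to do."
        return
    }
    $needed = $MinDcVersion[$TargetMode.ToString()]
    if (-not $needed) { throw "No OS requirement for $TargetMode in this script's map." }

    # Inventory every DC of the domain; OperatingSystemVersion looks like "6.1 (7601)".
    $inventory = foreach ($dc in (Get-ADDomainController -Filter * -Server $pdce)) {
        $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])
        [pscustomobject]@{
            HostName = $dc.HostName
            OS       = $dc.OperatingSystem
            Version  = $ver
            Ok       = ($ver -ge $needed)
        }
    }
    $inventory | Format-Table -AutoSize | Out-String | Write-Host
    if ($inventory | Where-Object { -not $_.Ok }) {
        throw "At least one DC runs an OS older than $needed; upgrade or demote it before raising to $TargetMode."
    }

    # Send the change to the PDCe: without -Server the cmdlet may reach another DC and
    # fail with "A referral was returned from the server", as happened in the post.
    if ($Apply) {
        Set-ADDomainMode -Identity $d.DNSRoot -DomainMode $TargetMode -Server $pdce -Confirm:$false
    } else {
        Set-ADDomainMode -Identity $d.DNSRoot -DomainMode $TargetMode -Server $pdce -WhatIf
    }
}

# Dry run of the raise performed in the post (add -Apply to make the change):
Invoke-DflRaise -Domain 'mynet.lan' -TargetMode Windows2008R2Domain
```

The inventory step matters because a functional level raise is one-way in practice (see the reverting conditions below): a DC that is too old is not merely a blocker, it is the reason the GUI greys the level out, and listing the DCs first makes the cause visible before any change is attempted.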

Reverting to a previous DFL or FFL

With the Set-ADDomainMode and Set-ADForestMode cmdlets, we can also revert the DFL and FFL to a previous level - but only under certain conditions.

First, we can go from Windows 2012 to Windows 2008 R2 or from either of those levels to Windows 2008.

We cannot revert to Windows 2003 (or 2003 R2).

There is one more extremely important condition:

The Recycle Bin must not have been enabled.

If it is, we are "out of luck": it is impossible to revert to a previous level in this case.

In the lines below, I'll revert my DFL from Windows 2008 R2 to Windows 2008.

Note: the operation is only possible at the command line. There is (currently) no equivalent option in the GUI.

We start at the Windows2008R2Domain DFL...

PS C:\> Get-ADDomain | fl name,domainmode

name       : mynet
DomainMode : Windows2008R2Domain

We revert to the Windows2008Domain DFL with this cmdlet:

PS C:\> Set-ADDomainMode mynet.lan -DomainMode Windows2008Domain -Server DC2

Are you sure you want to perform this action? [snip] y

It may take a moment for the change to take effect. The first time I verified the change, the DFL was still at Windows2008R2:

PS C:\> Get-ADDomain | fl name,domainmode

name       : mynet
DomainMode : Windows2008R2Domain

After a moment or two, the change takes effect:

PS C:\> Get-ADDomain | fl name,domainmode

name       : mynet
DomainMode : Windows2008Domain

Note: in PowerShell, we can also display the domain mode (for example) with the following syntax:

PS C:\> (Get-ADDomain).domainmode
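As an added example (not code from the original post), the script below turns the reverting conditions and the walkthrough above into a checked procedure: it refuses a target below Windows2008Domain, refuses a target that is not actually lower than the current level, refuses to go below the forest level, checks that the Recycle Bin has not been enabled, then runs Set-ADDomainMode against the PDC emulator and re-reads the level from the PDCe until the change is visible. It assumes the RSAT ActiveDirectory module; the domain name and levels are the post's, the function name, the -Apply switch and the two-minute wait are my own, and the "DFL cannot be below the FFL" check is a general Active Directory constraint the post does not mention.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module.
# Domain name and levels are the post's; the function, -Apply switch and timeout are mine.
Import-Module ActiveDirectory

function Invoke-DflRevert {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADDomainMode]$TargetMode,
        [switch]$Apply    # without -Apply the cmdlet only runs with -WhatIf
    )

    $d       = Get-ADDomain -Identity $Domain
    $forest  = Get-ADForest -Identity $d.Forest
    $pdce    = $d.PDCEmulator
    $current = $d.DomainMode
    Write-Host "Domain $($d.DNSRoot): DFL $current, FFL $($forest.ForestMode), PDC emulator $pdce"

    # Condition from the post: Windows2008Domain is the lowest level we can revert to.
    $floor = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$TargetMode -lt [int]$floor) {
        throw "Cannot revert to $TargetMode: the DFL cannot be lowered below $floor."
    }
    # A revert must go down; raising is the normal Set-ADDomainMode case.
    if ([int]$TargetMode -ge [int]$current) {
        throw "Target $TargetMode is not lower than the current DFL $current."
    }
    # General AD constraint (not from the post): a DFL can never be lower than the FFL.
    # Domain and forest mode enums share the same numbering, so an int compare works.
    if ([int]$TargetMode -lt [int]$forest.ForestMode) {
        throw "Target $TargetMode is below the forest level $($forest.ForestMode); lower the FFL first."
    }
    # Condition from the post: once the Recycle Bin has been enabled, no revert is possible.
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $pdce
    if ($rb.EnabledScopes.Count -gt 0) {
        throw "AD Recycle Bin is enabled (scopes: $($rb.EnabledScopes -join ', ')); the DFL cannot be lowered."
    }

    # Target the PDCe, as in the post, to avoid the referral error.
    if (-not $Apply) {
        Set-ADDomainMode -Identity $d.DNSRoot -DomainMode $TargetMode -Server $pdce -WhatIf
        return $current
    }
    Set-ADDomainMode -Identity $d.DNSRoot -DomainMode $TargetMode -Server $pdce -Confirm:$false

    # The post saw the old level on the first read; poll the PDCe until the new one shows.
    $deadline = (Get-Date).AddMinutes(2)
    do {
        $now = (Get-ADDomain -Identity $Domain -Server $pdce).DomainMode
        if ($now -eq $TargetMode) { break }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    Write-Host "DFL of $($d.DNSRoot) is now $now"
    return $now
}

# Dry run of the revert performed in the post (Windows2008R2Domain -> Windows2008Domain):
Invoke-DflRevert -Domain 'mynet.lan' -TargetMode Windows2008Domain
# To perform it: Invoke-DflRevert -Domain 'mynet.lan' -TargetMode Windows2008Domain -Apply
```

Reading the level back from the PDC emulator with -Server is deliberate: the post's first verification still showed Windows2008R2Domain, which is what a read served by a DC that has not yet replicated the change looks like, so polling the DC that accepted the write removes that ambiguity.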
