Raise or Downgrade AD Domain and Forest Functional Level

In this article, we will learn how to Raise or Downgrade AD Domain and Forest Functional Level. Upon installation of Active Directory Domain Services (AD DS), basic Active Directory features are automatically enabled, along with domain-wide and forest-wide features. To enable “all domain-wide features” the domain controllers must run the latest Windows Server version. Please see How to Deploy a React Application on Netlify, and Active Directory: How to Setup a Domain Controller.
Note: During this DC setup, I deliberately lowered the Forest and Domain Functional level.
In this guide, I will raise the Domain Functional Level from Windows Server 2012 R2 to Windows Server 2016 and then raise the Forest Functional Level from Windows Server 2012 R2 to Windows Server 2016 via the GUI (Active Directory Domains and Trusts). I will also downgrade the domain and forest functional levels and raise them again via PowerShell.

For the latest Windows Insider Preview of Windows Server 2025, the maximum forest and domain functional level we can choose is Windows Server 2025. This is currently not documented.
Note: By default, when a domain is added to a forest, it takes the same level as the forest functional level. A domain within a forest is allowed to operate at a functional level higher than the forest functional level, but it can never operate at a level lower than the forest functional level. This is why, when downgrading, you should downgrade the forest functional level first; otherwise the operation will fail with errors.
Prerequisites to raising Active Directory Forest Functional Level
The Active Directory (AD) Forest Functional levels determine the Active Directory Domain Services (AD DS) features that are available in a forest while the domain functional level determines the features of ADDS that can be utilized by a DC.
Note: Increase forest functional level to support specific applications and services, improve security, and comply with ADDS’s latest features and functionalities.
Note: To raise the forest and domain functional level, all Domain Controllers (DCs) must be running an operating system (OS) version that supports the target level. This ensures that every DC is able to support all the features of that level. If the DCs are running different versions, only the features supported by the lowest OS version will be available within the domain.
With this information, I will install the latest Windows Server 2025 Insider Preview and have the FFL and DFL set to 2025. Therefore, for now I will have only the FFL and DFL features for Windows Server 2016. So when I am ready to replace my Windows Server 2022 servers, I will install Windows Server 2025 and ensure all DCs are running the same version.
Also ensure that AD replication is working correctly across the forest. Lastly, you have to ensure the compatibility of your applications. You can learn more about the impact of Upgrading the Domain or Forest Functional Level.
Before we proceed, let us run the command below to retrieve all domain controllers in the Active Directory domain and display their names and operating systems. Currently, I have just one, so life is easy as I do not have to perform this operation on other DCs in my lab. But I will be setting up a new DC on Hyper-V and have this migrated to Proxmox with Veeam Backup and Replication.
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem

Here is how to “Enter connection information for your on-premise directory or forests: Azure AD connect unable to connect directory, forest not available, and how to grant Access to User Mailbox.
Raise Active Directory Domain / Forest Functional Level via the GUI
First, if you have multiple Domain controllers, you have to check the replication summary with the command below for errors. Please take a look at this article for some related information “AD Recovery: Fix device ran into an issue with error 0xc00002e2“.
repadmin /replsummary
Another method you could use is the command below to view the replication status
repadmin /showrepl

You can also run the command below to get domain wide replication failures. If there are no errors, you will get a prompt back as shown below.
Get-ADReplicationFailure -Target techdc01.techdirectarchive.com -scope domain

You can also run the command below to get forest wide replication failures. If there are no errors, you will get a prompt back as shown below.
Get-ADReplicationFailure -Target techdc01.techdirectarchive.com -scope forest
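The prerequisite checks above (DC operating systems, current forest and domain modes, and forest-wide replication failures) can be combined into one pre-flight function. The following is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is installed and that you run it as a member of Domain Admins or Enterprise Admins. The mapping from operating system name to the highest functional level that build can host, and the numeric rank used to order the levels, are this example's own assumptions (Windows Server 2019 and 2022 introduced no new level of their own, so they are mapped to the 2016 level).

```powershell
# Added example (not part of the original article). Assumes the ActiveDirectory
# module is available and the caller has Domain Admins / Enterprise Admins rights.
Import-Module ActiveDirectory

# Assumed mapping: OS family reported in the DC's OperatingSystem attribute ->
# highest domain/forest functional level that build can host.
$MaxLevelByOS = @{
    '2008 R2' = 'Windows2008R2'
    '2012'    = 'Windows2012'
    '2012 R2' = 'Windows2012R2'
    '2016'    = 'Windows2016'
    '2019'    = 'Windows2016'   # no dedicated 2019 level
    '2022'    = 'Windows2016'   # no dedicated 2022 level
    '2025'    = 'Windows2025'
}
# Assumed ordering of levels (higher number = newer level).
$LevelRank = @{ Windows2008R2 = 4; Windows2012 = 5; Windows2012R2 = 6; Windows2016 = 7; Windows2025 = 10 }

function Get-MaxLevelForOS([string]$OperatingSystem) {
    # "2012 R2" is listed before "2012" so the longer alternative wins.
    if ($OperatingSystem -match '^Windows Server (2008 R2|2012 R2|2012|2016|2019|2022|2025)') {
        return $MaxLevelByOS[$Matches[1]]
    }
    return $null   # unknown or unsupported build: treat as a blocker
}

function Test-ADFunctionalLevelReadiness {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Windows2008R2','Windows2012','Windows2012R2','Windows2016','Windows2025')]
        [string]$TargetLevel
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Enumerate DCs in every domain of the forest, not only the current domain.
    $dcs = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Select-Object Name, HostName, Domain, OperatingSystem
    }

    # A DC blocks the change if its OS cannot host the requested level.
    $blockers = foreach ($dc in $dcs) {
        $max = Get-MaxLevelForOS $dc.OperatingSystem
        if (-not $max -or $LevelRank[$max] -lt $LevelRank[$TargetLevel]) {
            "$($dc.HostName) runs '$($dc.OperatingSystem)', which cannot host level $TargetLevel"
        }
    }

    # Same forest-wide replication check the article runs by hand.
    $replFailures = @(Get-ADReplicationFailure -Target $forest.Name -Scope Forest)

    [pscustomobject]@{
        CurrentForestMode   = $forest.ForestMode
        CurrentDomainMode   = $domain.DomainMode
        TargetLevel         = $TargetLevel
        DomainControllers   = @($dcs)
        Blockers            = @($blockers)
        ReplicationFailures = $replFailures
        Ready               = (@($blockers).Count -eq 0 -and $replFailures.Count -eq 0)
    }
}

# Usage: review Blockers and ReplicationFailures before touching any level.
Test-ADFunctionalLevelReadiness -TargetLevel Windows2016 | Format-List
```

Run the function once per planned change and only proceed when Ready is True; a single DC on an older build, or a single unresolved replication failure, is reason enough to stop.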

Note: Membership in Domain Admins or Enterprise Admins, or an equivalent delegation of these rights, is the minimum required to complete this operation.
Please see AD Recovery: Fix device ran into an issue with error 0xc00002e2, and Install Lets Encrypt Certificate on Windows with Certbot.
Raise Domain Functional Level via the GUI
Note: You can also raise the domain functional level by right-clicking a domain in the Active Directory Users and Computers snap-in, and then clicking Raise Domain Functional Level.
Launch Active Directory Domains and Trusts

In the console tree, right-click the domain for which you want to raise the functional level, and then click Raise Domain Functional Level.

In Select an available domain functional level, select the value and then click Raise as shown below.

On the prompt, click OK

The Domain Functional Level has been raised successfully.

Raise Forest Functional Level via the GUI
To enable forest-wide features, all domain controllers in the forest must run the version of Windows Server corresponding to the forest functional level value, or a later version, as discussed above, and the forest functional level must be raised to that value. To activate the Active Directory Recycle Bin, for instance, all domain controllers must run Windows Server 2008 R2 or Windows Server 2012, and the forest functional level must be set to at least Windows Server 2008 R2.
Note: Windows Server 2016 also introduced Privileged Access Management (PAM) functionalities along with all the functionalities of the previous versions.
To raise the forest functional level, launch Active Directory Domains and Trusts.

In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

Click Ok on the prompt to confirm your action.

As you can see below, the Forest Functional level was successfully raised.

To view the current Domain and Forest Functional Levels, right-click the domain and select Properties.

As you can see below, both are running Windows Server 2016 Domain and Forest Functional level.

Note: After you set the domain functional level to a certain value, you can roll back or lower the domain functional level only by using Windows PowerShell and only under specific conditions.
Here is how to set Pleasant User Group Permission and User Access, How to access shared resources from two different domains, and “how to install and configure Active Directory Domain Services on Windows Server 2022“.
Downgrade Domain and Forest Functional Level
When downgrading domain and forest functional levels, you should downgrade the forest functional level first. Important considerations include carefully planning and testing the downgrade process in a lab environment, which will help you avoid disruptions and compatibility issues.
- Ensure that all domain controllers within the domain and forest support the lower functional levels.
- Backup your Active Directory environment before making any changes.
Downgrade Forest Functional Level
The forest functional level controls the features available across all domains within the forest. You have to start with the forest functional level downgrade; otherwise the operation fails with errors, because the FFL can never be higher than the DFL of any domain in the forest. We explained the reason for this behavior in the fourth block above. To downgrade the forest functional level, run the command below.
Set-ADForestMode -Identity TechDC01.techdirectarchive.com -ForestMode Windows2012R2Forest

Downgrade Domain Functional Level
The domain functional level controls the features available within the domain. To do this, please run the command below.
Set-ADDomainMode -Identity TechDC01.techdirectarchive.com -DomainMode Windows2012R2Domain

Now, let us verify to see if this change is in effect for both the domain and forest functional level.
Get-ADDomain | Select-Object Name, DomainMode
Get-ADForest | Select-Object Name, ForestMode

Please see How to integrate ObjectFirst OOTBI Appliance with VBR, and How to Configure Object First OOTBI Appliance.
Raise Domain Functional Level via PowerShell
Note: Before updating the AD functional level of any forest, you will need to first upgrade all the functional levels of all the domains in the forest. Check the current domain functional level for replication errors etc as discussed above.
To raise the domain functional level to current version, run the command below
Set-ADDomainMode -Identity techdc01.techdirectarchive.com -DomainMode windows2016domain

Now we can confirm the domain functional level upgrade is successful by running the command below
Get-ADDomain | Select-Object Name, DomainMode

Note: This has to be done for all Domain Controllers in your forest. You could also wait for replication to sync between all domain controllers with the command below. I am setting up a new DC in my LAB, therefore, it makes no sense to run the command below.
repadmin /syncall
Raise Forest Functional Level via PowerShell
First, you will have to determine the current forest functional level with the command above. Since I downgraded it and showed this in the image above, there is no need to show that image here again.
Now that we have determined the current forest level, we have to raise it to the latest forest level. To do this, type the command below
Set-ADForestMode -Identity techdc01.techdirectarchive.com -ForestMode Windows2016Forest

To confirm if the Forest Functional Level was upgraded successfully, please run the command below.
Get-ADForest | Select-Object Name, ForestMode
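The downgrade and raise sections above both depend on one ordering rule: when lowering, the forest goes first; when raising, every domain goes first and the forest last, because the forest level can never sit above the lowest domain level. The function below is an added example (not the article's own commands) that encodes that rule so the cmdlets are always issued in the right order, supports -WhatIf, and verifies the result across every domain in the forest. The numeric rank table is this example's own assumption about level ordering; it assumes the ActiveDirectory module and Enterprise Admins rights.

```powershell
# Added example (not part of the original article). Assumes the ActiveDirectory
# module is loaded and the caller is an Enterprise Admin.
Import-Module ActiveDirectory

function Set-ADFunctionalLevelOrdered {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Windows2012R2','Windows2016','Windows2025')]
        [string]$TargetLevel
    )
    # Assumed ordering of functional levels (higher = newer).
    $rank = @{ Windows2008R2 = 4; Windows2012 = 5; Windows2012R2 = 6; Windows2016 = 7; Windows2025 = 10 }

    $forest      = Get-ADForest
    $forestLevel = "$($forest.ForestMode)" -replace 'Forest$'
    $domains     = @($forest.Domains)

    # Helper: current level name of a domain without the "Domain" suffix.
    $domainLevel = { param($name) "$((Get-ADDomain -Identity $name).DomainMode)" -replace 'Domain$' }

    if ($rank[$TargetLevel] -lt $rank[$forestLevel]) {
        # LOWERING: forest first, because no domain may sit below the forest level.
        if ($PSCmdlet.ShouldProcess($forest.Name, "Lower forest mode to ${TargetLevel}Forest")) {
            Set-ADForestMode -Identity $forest.Name -ForestMode "${TargetLevel}Forest" -Confirm:$false
        }
        foreach ($d in $domains) {
            if ($rank[(& $domainLevel $d)] -le $rank[$TargetLevel]) { continue }   # already at or below target
            if ($PSCmdlet.ShouldProcess($d, "Lower domain mode to ${TargetLevel}Domain")) {
                Set-ADDomainMode -Identity $d -DomainMode "${TargetLevel}Domain" -Confirm:$false
            }
        }
    }
    else {
        # RAISING: every domain first, then the forest, because the forest level
        # cannot exceed the lowest domain level in the forest.
        foreach ($d in $domains) {
            if ($rank[(& $domainLevel $d)] -ge $rank[$TargetLevel]) { continue }   # already at or above target
            if ($PSCmdlet.ShouldProcess($d, "Raise domain mode to ${TargetLevel}Domain")) {
                Set-ADDomainMode -Identity $d -DomainMode "${TargetLevel}Domain" -Confirm:$false
            }
        }
        if ($rank[$forestLevel] -lt $rank[$TargetLevel] -and
            $PSCmdlet.ShouldProcess($forest.Name, "Raise forest mode to ${TargetLevel}Forest")) {
            Set-ADForestMode -Identity $forest.Name -ForestMode "${TargetLevel}Forest" -Confirm:$false
        }
    }

    # Verification: re-read the forest and every domain after the change.
    [pscustomobject]@{
        ForestMode  = (Get-ADForest).ForestMode
        DomainModes = foreach ($d in $domains) {
            [pscustomobject]@{ Domain = $d; DomainMode = (Get-ADDomain -Identity $d).DomainMode }
        }
    }
}

# Usage: dry run first, then apply.
Set-ADFunctionalLevelOrdered -TargetLevel Windows2016 -WhatIf
Set-ADFunctionalLevelOrdered -TargetLevel Windows2016 | Format-List
```

The -WhatIf pass prints exactly which cmdlet would run against which object and in what order, which is the cheapest way to confirm the plan before a change that, in the raise direction, cannot be undone through the GUI.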

You have to wait for AD replication to complete and verify that all domain controllers in the forest report this change (level). If you have a single domain controller, this change will be instantaneous and you do not have to do anything.
Restart KDC Services on all Domain Controllers
Note: Authentication errors may occur on a domain controller after the domain functional level is raised to Windows Server 2008 or higher if the domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password. In this case, a restart of the KDC service on the domain controller will trigger an in-memory refresh of the new krbtgt password and resolve related authentication errors.
To do this, run the command below. With this, you have successfully learned how to Raise or Downgrade AD Domain and Forest Functional Level.
Restart-Service KDC

To do this on a remote Domain controller, please run the command below
Get-Service kdc -ComputerName TechDC02 | Restart-Service
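For a forest with more than one DC, the two closing steps above (confirm every DC has replicated the new level, then restart the KDC on each) can be automated. The functions below are an added example, not commands from the original article; they assume the ActiveDirectory module, WinRM/PowerShell Remoting enabled on the DCs (Invoke-Command is used instead of the older Get-Service -ComputerName, which PowerShell 7 no longer supports), and Domain Admins rights. The poll interval and timeout values are this example's own defaults.

```powershell
# Added example (not part of the original article). Assumes the ActiveDirectory
# module, PowerShell Remoting to every DC, and Domain Admins rights.
Import-Module ActiveDirectory

function Wait-ADFunctionalLevelReplicated {
    # Polls each DC until it reports the same DomainMode as its domain's PDC emulator.
    param([int]$TimeoutMinutes = 30, [int]$PollSeconds = 30)
    $forest   = Get-ADForest
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)

    do {
        $lagging = foreach ($d in $forest.Domains) {
            # The PDC emulator is where the level change is written, so it is the reference.
            $pdc      = (Get-ADDomain -Identity $d).PDCEmulator
            $expected = (Get-ADDomain -Identity $d -Server $pdc).DomainMode
            foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
                $seen = (Get-ADDomain -Identity $d -Server $dc.HostName).DomainMode
                if ($seen -ne $expected) {
                    [pscustomobject]@{ DC = $dc.HostName; Reports = $seen; Expected = $expected }
                }
            }
        }
        if (-not $lagging) { return $true }
        Write-Verbose ("Waiting on: " + (($lagging | ForEach-Object DC) -join ', '))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Timed out; these DCs still report the old level:"
    $lagging | Format-Table | Out-String | Write-Warning
    return $false
}

function Restart-KdcOnAllDomainControllers {
    # Restarts the KDC on every DC in the forest so each picks up the new krbtgt password in memory.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $forest = Get-ADForest
    foreach ($d in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
            if ($PSCmdlet.ShouldProcess($dc.HostName, 'Restart KDC service')) {
                Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
                    Restart-Service -Name Kdc -PassThru | Select-Object MachineName, Name, Status
                }
            }
        }
    }
}

# Usage: only restart the KDCs once every DC has converged on the new level.
if (Wait-ADFunctionalLevelReplicated -Verbose) {
    Restart-KdcOnAllDomainControllers -Verbose
}
```

Restarting the KDC only after convergence matters: a DC that has not yet received the level change gains nothing from the restart, and the authentication errors the note above describes can persist until it replicates and is restarted again.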
I hope you found this article very useful on how to Raise or Downgrade AD Domain and Forest Functional Level. Please feel free to leave a comment below.