![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 83%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
7,023 questions
Hi @Dan Bhatoa ,
In the following MS Learn article the Event ID 16408 is being mentioned:
How to raise Active Directory domain and forest functional levels
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/raise-active-directory-domain-forest-functional-levels?WT.mc_id=EM-MVP-5002219
Event Type: Information
Event Source: SAM
Event ID: 16408
Computer:Server Name
Description: "Domain operation mode has been changed to Native Mode. The change cannot be reversed."
but imho you cannot obtain more details about who did this. The only way to achieve this would be to have already Auditing enabled. If you had Auditing enabled then you can look for Event ID 4739 in the Security Log on your domain controllers and there you can obtain more info regarding "Who" raised the FL.
4739(S): Domain Policy was changed.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739?WT.mc_id=EM-MVP-5002219
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov