Rise AD Domain Function Level

Question

Hello,

Recently i migrated from Active Directory Windows Server 2008 R2 to Windows Server 2019.

In the beginning i had one server WS 2008 R2, and after i migrated and to all stuff now i have 2 Windows Server 2019. And Domain function level is 2008.

I want to rise Domain Function Level to 2016.

So all i need to do is login on DC that is PDC role holder and rise domain function level in active directory, and active directory domain and trust to 2016?

Could anything go wrong ?

Answer 1

Hello,

Thank you so much for your kindly reply.

Usually if we have all requirements met, our current DCs will work properly when making the changes. Before proceeding with the change, we could review our AD environment to make sure that our AD environment is healthy.

Whether our AD environment is healthy, we can check as below:

1. We should check if all DCs work fine by running Dcdiag /v on every DC.
2. And check if AD replication is working properly by running repadmin /showrepl and repadmin /replsum on every DC.
3. Check if we can run gpupdate /force successfully on every DC.
4. Check if the SYSVOL and Netlogon are shared by running net share on every DC.

We could rise the domain functional level first and then rise the forest functional level.

Best regards,
Hannah Xiong

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hello,

Thank you so much for posting here.

To activate the newest domain features, all the domain controllers must be running the newest Windows Server operating system version in the domain. If this requirement is met, the administrator can raise the domain functional level.

To activate the newest forest-wide features, all the domain controllers in the forest must be running the Windows Server operating system version that corresponds to the desired forest functional level. Additionally, the current domain functional level must already be at the newest level. If these requirements are met, the administrator can raise the forest functional level.

So before we rise the domain function level to 2016, we need to demote the Windows server 2008 R2 DC. As for the domain function level 2016, the supported Domain Controller Operating System:

Windows Server 2019
Windows Server 2016

Reference: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels

Before raising function level, we should understand:

1)Ensure that all domain functional levels are equal to or higher than the forest functional level;
2)Ensure that the operating system level of all domain controllers is equal to or higher than the domain functional level;
3)The domain function level can only be upgraded on the PDC;
4)The forest functional level can only be upgraded on the schema master.

Raise methods:
Open Active Directory Domains and Trusts\right click Active Directory Domains and Trusts\Raise Forest Functional Level.
Open Active Directory Domains and Trusts\right click domain name\Raise Domain Functional Level.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

Hello,

You are welcome.

Thank you so much for your kindly reply.

If we only want to rise the domain functional level, we could do only in the below place:

Open Active Directory Domains and Trusts\right click domain name\Raise Domain Functional Level

The other place is to rise the forest functional level.

To both rise the domain and forest functional level, we have to do the both as shown in the screenshots.

Once the Functional Level has been upgraded, new DCs on running on downlevel versions of Windows Server cannot be added to the domain or forest. To prevent these issues from arising, a new DC must be at the same level, or greater, than the functional level of the domain or forest.

The second restriction, for which there is a limited exception on Windows Server 2008 R2, is that once upgraded, the Domain or Forest Functional Level cannot later be downgraded. 

The process of raising DFL/FFL is not a reversible operation without restore. Before proceeding further with the change, please review our AD environment. Make sure that our AD environment is healthy.

We can set the domain functional level to a value that is equal to or higher than the forest functional level. Also, we will need to have DCs that are running OS with the same level as DFL or higher.

For more information, please refer to:

Understanding Active Directory Domain Services (AD DS) Functional Levels
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754918(v=ws.10)?redirectedfrom=MSDN

What is the Impact of Upgrading the Domain or Forest Functional Level?
https://learn.microsoft.com/en-us/archive/blogs/askds/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.