Raise the Domain Functional Level
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
When you install Active Directory Domain Services (AD DS), a set of basic Active Directory features is enabled by default. In addition to the basic Active Directory features on individual domain controllers, there are domain-wide and forest-wide Active Directory features available when all domain controllers in a domain or forest are running a later version of Windows Server.
For the all domain-wide features to be enabled, all domain controllers in the domain must be running the latest version of Windows Server, and the domain functional level must be raised to that level. But you should not raise the domain functional level to a higher value if you plan to deploy any domain controllers running earlier versions of Windows Server. After you set the domain functional level to a certain value, you can roll back or lower the domain functional level only by using Windows PowerShell and only under specific conditions. For more information, see Understanding Active Directory Domain Services (AD DS) Functional Levels.
Membership in Domain Admins or Enterprise Admins , or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.
To raise the domain functional level
Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start , click Administrative Tools , and then click Active Directory Domains and Trusts .
In the console tree, right-click the domain for which you want to raise functional level, and then click Raise Domain Functional Level .
In Select an available domain functional level , select the value and then click Raise .
Important
Authentication errors may occur on a domain controller after the domain functional level is raised to Windows Server 2008 or higher if the domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password. In this case, a restart of the KDC service on the domain controller will trigger an in-memory refresh of the new krbtgt password and resolve related authentication errors.
Additional considerations
You can also raise the domain functional level by right-clicking a domain in the Active Directory Users and Computers snap-in, and then clicking Raise Domain Functional Level .
The current domain functional level is displayed under Current domain functional level in the Raise domain functional level dialog box.
To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.
You can also perform the task in this procedure by using the Active Directory module for Windows PowerShell™. To open the Active Directory module, click Start , click Administrative Tools , and then click Active Directory Module for Windows PowerShell . For more information, see Raise the Domain Functional Level (https://go.microsoft.com/fwlink/?LinkId=137825). For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372).