When implementing new Active Directory domain controllers and removing domain controllers running previous versions of Windows Server, many admins forget to raise the Active Directory domain functional level (DFL) to the earliest Windows Server version still running as domain controllers. After upgrading all domain controllers from Windows Server 2008 R2 to Windows Server 2012 R2, for instance, they would not raise the DFL to Windows Server 2012 R2, but keep it at the Windows Server 2008 R2 level.
The Windows 2016 domain is the highest available DFL for Active Directory; there is no Windows 2019 domain level.
It's a shame, really, because many new Active Directory features and optional Active Directory features are only available when the functional level is raised. Furthermore, the DFL dictates the lowest version of Windows Server that admins can use to promote new domain controllers. In addition, since Windows Server 2008 R2, the DFL can also be reverted, as long as no new optional features have been enabled and the Active Directory forest functional level (FFL) is the same as the DFL that you want to revert to, or lower.
From an Active Directory point of view, the Windows Server 2008 DFL (or any newer version of the DFL), is required when you want to deploy Windows Server 2016-based domain controllers.
Microsoft recommends raising the DFL from the Active Directory domain controller that holds the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role.
To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:
netdom.exe query fsmo
Alternatively, use the following lines of PowerShell on a domain-joined system that has the Active Directory module for Windows PowerShell installed:
Import-Module ActiveDirectoryGet-ADDomain | Format-List PDCEmulator
Use an account that is a member of the Domain Admins group in the Active Directory domain for which you want to raise the DFL.
On domain controllers running Windows Server with the Desktop Experience, follow these steps:
- Sign in to the domain controller holding the PDC emulator FSMO role.
- Open Active Directory Domains and Trusts (domain.msc).
- In the left navigation pane, right-click the domain for which you want to raise the functional level, and then click Raise Domain Functional Level.
The Raise domain functional level window appears:
- From the Select an available forest functional level drop-down list, select the desired DFL, and then click Raise.
Alternatively, you can use the following two PowerShell commands:
Import-Module ActiveDirectory
Set-ADDomainMode lucernpub.com Windows2016Domain
Replace lucernpub.com with values for your Active Directory environment.
Even when under time pressure, you'll want to check for the proper replication of changes to Active Directory functional levels before making any other changes in Active Directory that might depend on them. Especially in large environments with elaborate replication technologies, replication might take a while.
To check for the proper replication of changes to Active Directory functional levels, use the following command:
repadmin.exe /showattr *.lucernpub.com "dc=lucernpub,dc=com" /atts:msDS-Behavior-Version
Replace lucernpub.com, lucernpub, and com with values for your Active Directory environment.
The command checks the value for the msDS-Behavior-Version attribute on each of the domain controllers in the respective Active Directory domain, and return the value.
The following table shows the msDS-Behavior-Version attribute value per Active Directory DFL:
DFL | msDS-Behavior-Version |
Windows 2000 Server | |
Windows Server 2003 Mixed | 1 |
Windows Server 2003 | 2 |
Windows Server 2008 | 3 |
Windows Server 2008 R2 | 4 |
Windows Server 2012 | 5 |
Windows Server 2012 R2 | 6 |
Windows Server 2016 | 7 |
Windows Server 2019 | 8 |
The output shows you the domain controllers that are replicating a change from a lower value to a higher value. When each domain controller returns the same value, the DFL has successfully replicated throughout the Active Directory environment.
When a domain controller operates, it references the DFL to know how it can optimally interoperate with other domain controllers in the Active Directory domain. Additionally, when you want to enable optional Active Directory features, the msDS-Behavior-Version attribute is referenced to see whether it's a permittable action.
If there is a domain controller running a version of Windows Server that does not meet the requirements of a certain DFL, the level is grayed out in Active Directory Domains and Trusts and the level cannot be raised to this level (DFL). When you try to raise the DFL using Windows PowerShell or other programmatic means, it will error out.
