Raise Active Directory Domain and Forest Functional Levels using PowerShell

Updated: Jan 16th, 2015 – 8:10am MT – Fixed typo in Set-ADForestMode section.

In this easy Ask the Admin, I’ll show you how to determine and change the domain and forest functional levels in Active Directory (AD).

The domain and forest functional levels indicate that all domain controllers (DCs) are running a specific version of Windows Server, and that domain or forest-wide features only supported in that version of Windows Server can be enabled in the domain(s) and/or forest.

Before raising the functional level of a domain, all DCs in the domain must be running the same version of Windows Server. For instance, before changing the domain functional level to Windows Server 2012 R2, all DCs in the domain must be running Windows Server 2012 R2. When configuring a new AD domain, it’s always best to set the domain functional level to the highest possible level if you’re not planning to join any DCs running legacy versions of Windows Server.

Determine the Domain and Forest Functional Levels

The easiest way to find the functional level of a domain is using Windows PowerShell. You can run the following commands from a domain controller or any domain-joined PC with the PowerShell module for Active Directory installed.

Raise Active Directory Domain and Forest Functional Levels
Determine the domain and forest functional level in Active Directory (Image Credit: Russell Smith)
Piping the results of Get-ADDomain to select is not compulsory, but reduces down the amount of information returned. When no parameters are specified for the Get-ADDomain cmdlet as shown above, information about the current user's domain is returned. If you want to retrieve information about a specific domain, then you must specify it as shown below:
​
The -identity parameter can be populated with a domain name given using DNS, distinguished name (DC=ad,DC=contoso,DC=com), objectGUID, NetBIOS name or Security Identifier (SID).


Raise the Domain Functional Level

Once all the domain controllers in a domain are running the same version of Windows Server, you might decide to raise the domain functional level to get access to features that are exclusive to a particular domain functional level. The most important point to remember is that it's not possible to roll back this operation, so make sure you have tested thoroughly before committing. You must be a member of the Domain Admins group to raise the domain functional level, and you'll need to replace ad.contoso.com with the Fully Qualified Domain Name (FQDN) of your AD domain.
​
In the example above, I'm raising the domain functional level to Windows Server 2012 R2, because all the DCs in my domain now run that version of Windows Server, but other possible values for the –DomainMode parameter are:
  • Win2003Domain
  • Win2008Domain
  • Win2008R2Domain
  • Win2012Domain
  • Win2012R2Domain
Note that the Set-ADDomainMode cmdlet only works with full Active Directory, not AD Lightweight Directory Services (LDS) or AD snapshots. It also can't be run against a read-only domain controller or when connected to a Global Catalog (GC). If you want to target the cmdlet against a primary domain controller (PDC) to avoid the above mentioned scenarios, then use the Get-ADDomainController cmdlet to discover the PDC in the domain.

Raise the Forest Functional Level

When all the domains in a forest are set to the same functional level, you can then raise the forest functional level. The supported forest modes are:
  • Windows2000Forest
  • Windows2003InterimForest
  • Windows2003Forest
  • Windows2008Forest
  • Windows2008R2Forest
  • Windows2012Forest
  • Windows2012R2Forest
To raise the forest functional level, you should be a member of the Enterprise Admins group, and the same restrictions apply as with the Set-ADDomainMode cmdlet. To perform the operation against the DC holding the forest schema master role:
​


Don't forget, that with a few exceptions, it's not possible to roll back this operation.