Active Directory functional levels


Active Directory functional levels are controls that specify which advanced Active Directory domain features can be used in an enterprise domain. An enterprise domain is usually composed of domain controllers that run different versions of the Windows Server operating system.

Administrators use Active Directory (AD) to manage users, groups and devices in a domain, but AD features are not backward-compatible with AD domain controllers on earlier versions of Windows Server. In a domain with domain controllers that operate on different Windows Server versions, the Active Directory functional level is limited to the features available on the AD domain controller that uses the earliest version of Windows Server.

For example, a domain can include domain controllers that run both Windows Server 2008 R2 and Windows Server 2012 R2, but the Active Directory features and functionality introduced in the Windows Server 2012 R2 domain controller would not be available because the domain's Active Directory functional level would prevent it. Active Directory features must be supported by all domain controllers; otherwise, those features cannot be used.

Administrators can use Active Directory functional levels to restrict which domain controllers can participate in the domain. For example, an administrator can ensure minimum functionality by configuring a domain to run at a Windows Server 2012 R2 functional level; domain controllers that run on earlier Windows Server versions will not be accepted on the domain.
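The constraint described above (the oldest domain controller caps the functional level) is something to verify before raising a level. The following PowerShell script is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is installed, and the mapping from a domain controller's operating system string to the highest functional level it supports is a simplified assumption that should be checked against Microsoft's documentation for the versions in use.

```powershell
# Added example (not from the original article): audit which domain functional
# level the current domain controllers can support before raising it.
# Assumes the RSAT ActiveDirectory module; the OS-to-level mapping is a
# simplified assumption.
Import-Module ActiveDirectory

# Ordered from lowest to highest; later Windows Server releases may add levels.
$LevelOrder = @('Windows2000', 'Windows2003', 'Windows2008', 'Windows2008R2',
                'Windows2012', 'Windows2012R2', 'Windows2016')

function Get-MaxLevelForOS {
    param([string]$OperatingSystem)
    # Map the computer object's operatingSystem string to the highest functional
    # level that release can run (assumed mapping; "R2" patterns are tested first
    # so that "2008 R2" does not match the plain "2008" case).
    switch -Regex ($OperatingSystem) {
        '2016|2019|2022' { return 'Windows2016' }
        '2012 R2'        { return 'Windows2012R2' }
        '2012'           { return 'Windows2012' }
        '2008 R2'        { return 'Windows2008R2' }
        '2008'           { return 'Windows2008' }
        '2003'           { return 'Windows2003' }
        default          { return $null }
    }
}

function Test-FunctionalLevelTarget {
    param([string]$TargetLevel)   # e.g. 'Windows2012R2'
    $targetRank = [array]::IndexOf($LevelOrder, $TargetLevel)
    $dcs = Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem

    # Any DC whose OS cannot run the target level blocks the raise.
    $blocking = foreach ($dc in $dcs) {
        $max = Get-MaxLevelForOS $dc.OperatingSystem
        $maxRank = if ($max) { [array]::IndexOf($LevelOrder, $max) } else { -1 }
        if ($maxRank -lt $targetRank) {
            [pscustomobject]@{ DC = $dc.HostName; OS = $dc.OperatingSystem; MaxLevel = $max }
        }
    }

    Write-Host "Current domain functional level: $((Get-ADDomain).DomainMode)"
    if ($blocking) {
        Write-Host "These domain controllers block raising to ${TargetLevel}:"
        $blocking | Format-Table -AutoSize
    } else {
        Write-Host "All domain controllers support $TargetLevel; Set-ADDomainMode can be run (preview with -WhatIf first)."
    }
}

Test-FunctionalLevelTarget -TargetLevel 'Windows2012R2'
```

The script only reads directory data; it reports which domain controllers would have to be upgraded or demoted first, so the raise is never attempted against a domain that still contains an older controller.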

Active Directory functional levels also apply to higher-level forests composed of multiple domains, where the forest functional level acts as the lower bound for every domain. A domain within a forest can operate at a higher functional level than the forest, but no domain can operate at a functional level lower than the forest. For example, a forest configured for a Windows Server 2012 R2 functional level allows the domains beneath it to use a Windows Server 2012 R2 functional level, and administrators can configure domains within the forest to use a higher functional level, such as Windows Server 2016.

Once an Active Directory functional level is raised, it may be difficult — or impossible — to roll back without rebuilding the domain or restoring it from a backup. For example, functional level increases in versions of Windows Server earlier than 2008 R2 cannot be rolled back; the administrator must rebuild or restore the domain.

For Windows Server 2008 R2 and later, the administrator can usually roll back the functional level with PowerShell cmdlets if the domain's functional level is higher than the forest's functional level. For example, if the domain operates at Windows Server 2012 R2 and the forest operates at Windows Server 2008, the administrator can opt to roll back the domain to Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. However, if both the domain and forest operate at the same functional level, there are no rollback options for the domain.
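The rollback rule above (the domain level can only be lowered while it stays at or above the forest level, and not below Windows Server 2008) can be checked before anything is changed. The following PowerShell script is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, uses the real `Get-ADDomain`, `Get-ADForest` and `Set-ADDomainMode` cmdlets, and the level names follow the ADDomainMode and ADForestMode enumerations (the ordered list of names is an assumption that newer releases may extend).

```powershell
# Added example (not from the original article): check whether the domain
# functional level can be lowered and preview the change with -WhatIf.
# Assumes the RSAT ActiveDirectory module and a Windows Server 2008 R2 or later
# functional level; level names follow the ADDomainMode/ADForestMode enums.
Import-Module ActiveDirectory

$LevelOrder = @('Windows2000', 'Windows2003', 'Windows2008', 'Windows2008R2',
                'Windows2012', 'Windows2012R2', 'Windows2016')

function Get-LevelRank {
    param([string]$Mode)
    # Strip the 'Domain'/'Forest' suffix so domain and forest levels compare directly.
    $name = $Mode -replace '(Domain|Forest)$', ''
    return [array]::IndexOf($LevelOrder, $name)
}

function Invoke-DomainLevelRollback {
    param([string]$TargetLevel)   # e.g. 'Windows2008R2'
    $domain  = Get-ADDomain
    $forest  = Get-ADForest
    $domRank = Get-LevelRank $domain.DomainMode
    $forRank = Get-LevelRank $forest.ForestMode
    $tgtRank = [array]::IndexOf($LevelOrder, $TargetLevel)

    Write-Host "Domain level: $($domain.DomainMode); forest level: $($forest.ForestMode)"

    # No rollback exists when the domain is not above the forest level.
    if ($domRank -le $forRank) {
        Write-Warning "Domain level is not above the forest level; there are no rollback options."
        return
    }
    # The target must be below the current domain level and no lower than the forest.
    if ($tgtRank -lt $forRank -or $tgtRank -ge $domRank) {
        Write-Warning "Target must be below the current domain level and no lower than the forest level."
        return
    }
    # Levels below Windows Server 2008 cannot be restored without a rebuild or restore.
    if ($tgtRank -lt [array]::IndexOf($LevelOrder, 'Windows2008')) {
        Write-Warning "Levels below Windows Server 2008 cannot be restored by lowering the mode."
        return
    }

    # Preview only; drop -WhatIf once the change has been reviewed and backed up.
    Set-ADDomainMode -Identity $domain.DistinguishedName -DomainMode "${TargetLevel}Domain" -WhatIf
}

Invoke-DomainLevelRollback -TargetLevel 'Windows2008R2'
```

Keeping `-WhatIf` on the final cmdlet makes the script a dry run: it prints the change that would be made without touching the directory, which is the state a practitioner should review (and take a system-state backup from) before lowering a level for real.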