Thursday 19 May 2022

How to Raise Active Directory Domain and Forest Functional Level?

https://theitbros.com/raise-domain-and-forest-functional-level/

You can display the current domain functional level (DFL) using PowerShell:

Get-ADDomain | fl Name, DomainMode

Windows2012R2Domain

Now let’s check the forest functional level (FFL):

Get-ADForest | fl Name, ForestMode

Windows2012R2Forest

How to Raise Active Directory Domain and Forest Functional Levels?

Before raising the domain and forest functional level, you need to upgrade the Windows Server version on all domain controllers to Windows Server 2016. You can use an in-place upgrade (not recommended), or install additional domain controllers with Windows Server 2016, and correctly remove legacy DC versions from your Active Directory environment.

Check that AD replication is working properly in your domain and forest. You can check the Active Directory replication health using the repadmin tool or with PowerShell:

Repadmin /replsummary

Repadmin /Showrepl

Get-ADReplicationFailure -Target theitbros.com -Scope Domain

Get-ADReplicationFailure -Target theitbros.com -Scope Forest

Hint. When you upgrade the domain functional level from Windows Server 2003 to a newer version, the password for the krbtgt account will be forcibly reset. This can affect the availability of Exchange services. Also, remember to migrate AD replication in the domain from FRS to Distributed File System (DFS) replication.
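The prerequisites above can be checked in one read-only pass before anything is raised. This is an added example, not part of the original article; the function name Test-FunctionalLevelReadiness and its parameter are hypothetical, and it assumes the ActiveDirectory module (RSAT) is installed and every domain in the forest is reachable from the machine running it.

```powershell
# Added example: read-only pre-flight check before raising DFL/FFL.
# Uses only Get-* cmdlets; nothing in the directory is modified.
Import-Module ActiveDirectory

function Test-FunctionalLevelReadiness {
    param(
        # Minimum OS major version required on every DC.
        # 10 corresponds to Windows Server 2016 and later.
        [int]$MinimumOsMajor = 10
    )

    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)

        # OperatingSystemVersion looks like "10.0 (14393)" or "6.3 (9600)".
        # An empty value converts to 0 and is reported as legacy on purpose.
        $legacy = @($dcs | Where-Object {
            [int](("$($_.OperatingSystemVersion)" -split '\.')[0]) -lt $MinimumOsMajor
        })

        # Replication links that currently report at least one failure.
        $failures = @(Get-ADReplicationFailure -Target $domainName -Scope Domain |
                      Where-Object { $_.FailureCount -gt 0 })

        [pscustomobject]@{
            Domain              = $domainName
            DomainMode          = $domain.DomainMode
            ForestMode          = $forest.ForestMode
            DomainControllers   = $dcs.Count
            LegacyDCs           = ($legacy.Name -join ', ')
            ReplicationFailures = $failures.Count
            Ready               = ($legacy.Count -eq 0 -and $failures.Count -eq 0)
        }
    }
}

Test-FunctionalLevelReadiness | Format-Table -AutoSize
```

A domain with Ready = False still has either a domain controller older than Windows Server 2016 or an outstanding replication failure, and should be fixed before the level is raised.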

To raise the functional level of a domain, you can run the mmc snap-in Active Directory Domains and Trusts. Right-click on the domain name, and select Raise Domain Functional Level.

In the window that opens, select the functional level Windows Server 2016, and click the Raise button.

Before you can raise the forest functional level, all domains in the forest must be upgraded to the same or a higher domain functional level. To raise the functional level of a forest, you must be a member of the Enterprise Admins group. The Active Directory Domains and Trusts snap-in is also used to raise the functional level of the forest.

Right-click on the root of the snap-in, and select Raise Forest Functional Level.

In the next window, select the required forest functional level, and click the Raise button.

Important! The domain and AD forest functional level upgrade cannot be reversed.

Now when you open the Raise Forest Functional Level window again, a message will appear:

This forest is operating at the highest possible functional level.

Raise Domain and Forest Functional Levels with PowerShell

You can also raise the domain functional level using PowerShell. The following command is used:

Set-ADDomainMode -identity theitbros.com -DomainMode Windows2016Domain

Wait for AD replication to complete and verify that all domain controllers report the domain functional level is now Windows2016Domain.
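One way to do that verification is to ask each domain controller directly which level it reports, and repeat until they all agree. This is an added example, not part of the original article; the function name Wait-DomainModeConvergence, its parameters and the timeout values are hypothetical choices.

```powershell
# Added example: poll every DC until each one reports the new domain functional level.
Import-Module ActiveDirectory

function Wait-DomainModeConvergence {
    param(
        [string]$Domain         = 'theitbros.com',
        [string]$ExpectedMode   = 'Windows2016Domain',
        [int]   $TimeoutMinutes = 30,   # assumed upper bound for replication
        [int]   $PollSeconds    = 60
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Query the domain object on each DC individually, not via the locator,
        # so a DC that has not yet received the change is visible.
        $status = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
            try {
                $mode = (Get-ADDomain -Identity $Domain -Server $dc.HostName -ErrorAction Stop).DomainMode
            } catch {
                $mode = "unreachable: $($_.Exception.Message)"
            }
            [pscustomobject]@{ DomainController = $dc.HostName; DomainMode = "$mode" }
        }

        $pending = @($status | Where-Object { $_.DomainMode -ne $ExpectedMode })
        if ($pending.Count -eq 0) { return $status }

        Write-Warning ("Still waiting on: " + ($pending.DomainController -join ', '))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning "Timed out after $TimeoutMinutes minutes; check replication on the DCs listed above."
    return $status
}

Wait-DomainModeConvergence | Format-Table -AutoSize
```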

To raise the functional level of the forest, another command is used:

Set-ADForestMode -Identity theitbros.com -ForestMode Windows2016Forest

Even though Windows Server 2019 and 2022 are now available, no new domain functional levels have been added in these OS versions. Even if you upgrade all domain controllers to Windows Server 2022, you will still be using Windows Server 2016 as the most recent domain and forest functional levels.

Cannot Raise the Domain or Forest Functional Level

In this section, we will collect some of the errors that may occur when raising the Active Directory functional level.

ERROR_DS_DOMAIN_VERSION_TOO_LOW 8566 (0x2176)

When updating the domain functional level, the following error may appear:

You cannot raise the domain functional level because this domain includes Active Directory Domain Controllers that are not running the appropriate version of Windows Server.

The error means that there are domain controllers in your domain with a previous version of Windows Server. You can get a full list of domain controller versions in AD using the Get-ADDomainController PowerShell cmdlet:

Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem

Find domain controllers with a previous version of Windows Server and upgrade them to at least Windows Server 2016 or remove (demote) their accounts from AD and clean up Active Directory metadata and AD Site configuration.

ERROR_DS_FOREST_VERSION_TOO_LOW 8565 (0x2175)

The following error is similar to the previous one, only related to the presence of previous versions of domain controllers in the AD forest:

The version of the operating system installed on this server no longer supports the current AD DS Forest functional level or AD LDS Configuration Set functional level. You must raise the AD DS Forest functional level or AD LDS Configuration Set functional level before this server can become an AD DS Domain Controller or an AD LDS Instance in this Forest or Configuration Set.

ERROR_DS_NO_BEHAVIOR_VERSION_IN_MIXEDDOMAIN 8569 (0x2179)

This error may appear if your domain is running in mixed mode:

The forest functional level cannot be raised to the requested value since one or more domains are still in mixed domain mode. All domains in the forest must be in native mode, for you to raise the forest functional level.

Mixed mode allows Windows NT and 2000 backup domain controllers to co-exist in a domain. To fix the problem, you need to switch the domain to Native mode. To do this, open the Active Directory Domains and Trusts console (domain.msc), expand your domain and open its Properties. Go to the General tab and click Change Mode.
