Forest and domain functional level (Must know)
You need to understand the role of the forest and domain functional levels before you raise them. Some new features are available only when the forest or domain functional level is set to a certain level. For example, in Windows Server 2012, Dynamic Access Control is available only when the domain functional level is set to Windows Server 2012. Also keep in mind that, after you set the forest or domain functional level to a certain value, you will not be able to revert it. There are some exceptions to this rule: if the Recycle Bin is not enabled, you can lower the forest functional level from Windows Server 2012 to Windows Server 2008 R2 or Windows Server 2008.
At this point, we have only Windows Server 2012 domain controllers in the environment and I am not planning to add any down-level domain controllers, so we can raise the domain and forest functional levels to Windows Server 2012. Pre-Windows Server 2012 domain controllers cannot be added to a domain running at the Windows Server 2012 domain functional level.
Note
The functional level can be lowered by using the Set-ADForestMode and Set-ADDomainMode PowerShell cmdlets. For example, the Set-ADForestMode -Identity domain.com -ForestMode Windows2008R2Forest cmdlet lowers the forest functional level to Windows Server 2008 R2, and the Set-ADDomainMode -Identity domain.com -DomainMode Windows2008R2Domain cmdlet lowers the domain functional level to Windows Server 2008 R2.
How to do it...
The following procedure can be used to raise the domain functional level:
- Open Active Directory Domains and Trusts from a Windows Server 2012 server or Windows 8 Remote Administration Tools.
- Right-click on the domain and select the Raise Domain Functional Level… option.
- In the Select an available domain functional level window, select Windows Server 2012 and click on Raise.
The following procedure can be used to raise the forest functional level:
- Open Active Directory Domains and Trusts from a Windows Server 2012 server or Windows 8 Remote Administration Tools.
- From the Active Directory Domains and Trusts console, right-click on the Active Directory Domains and Trusts node and select Raise Forest Functional Level.
- In the Select an available forest functional level window, select Windows Server 2012 and then click on Raise.
How it works...
In the background, the Active Directory Domains and Trusts console changes the msDS-Behavior-Version attribute value. The msDS-Behavior-Version attribute controls which operating system versions can run on a domain controller within the forest and domain. The msDS-Behavior-Version value is 5 for Windows Server 2012.
There's more...
Here is an example to verify the value of the msDS-Behavior-Version attribute using the dsquery command:
- To identify the forest functional level:
dsquery * CN=Partitions,CN=Configuration,DC=domain,DC=com -scope base -attr msDS-Behavior-Version
- To identify the domain functional level:
dsquery * DC=domain,DC=com -scope base -attr msDS-Behavior-Version
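The same msDS-Behavior-Version checks can be combined into a pre-raise report that also covers each domain controller and the Recycle Bin state. This PowerShell sketch is an added example, not code from the original text; it assumes the ActiveDirectory module is installed, and the function names Get-BehaviorVersion and Test-FunctionalLevelRaise are hypothetical.

```powershell
# Added example: read-only check to run before raising a functional level.
Import-Module ActiveDirectory

# msDS-Behavior-Version values; the text above states 5 = Windows Server 2012.
$LevelName = @{
    0 = 'Windows 2000';        1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'; 3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
}

function Get-BehaviorVersion {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties 'msDS-Behavior-Version'
    # An absent attribute casts to 0, the lowest level.
    [int]$obj.'msDS-Behavior-Version'
}

function Test-FunctionalLevelRaise {    # hypothetical function name
    param([int]$TargetLevel = 5)

    $rootDse = Get-ADRootDSE
    # Same two objects the dsquery commands above read.
    $forest = Get-BehaviorVersion -DistinguishedName "CN=Partitions,$($rootDse.configurationNamingContext)"
    $domain = Get-BehaviorVersion -DistinguishedName $rootDse.defaultNamingContext

    # Each DC publishes its own capability on its NTDS Settings object.
    # Covers the current domain only; repeat per domain in a multi-domain forest.
    $dcs = foreach ($dc in Get-ADDomainController -Filter *) {
        $v = Get-BehaviorVersion -DistinguishedName $dc.NTDSSettingsObjectDN
        [pscustomobject]@{ Name = $dc.HostName; Level = $v; Blocks = ($v -lt $TargetLevel) }
    }

    # The forest level can only be lowered again while the Recycle Bin is not enabled.
    $recycleBin = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

    [pscustomobject]@{
        ForestLevel       = $LevelName[$forest]
        DomainLevel       = $LevelName[$domain]
        BlockingDCs       = @($dcs | Where-Object Blocks | ForEach-Object Name)
        RecycleBinEnabled = [bool]$recycleBin.EnabledScopes.Count
        ReadyToRaise      = -not ($dcs | Where-Object Blocks)
    }
}

Test-FunctionalLevelRaise -TargetLevel 5 | Format-List
```

A non-empty BlockingDCs list means at least one domain controller runs an operating system older than the target level, and RecycleBinEnabled set to True means the raise cannot be rolled back afterwards.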