Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
Table of contents
- Forest functional level matrix
- Domain functional level matrix
- Raise functional level to highest value examples
- How to check forest and domain functional level
- How to get all Domain Controllers
- Conclusion
The table below shows the available forest functional levels and which Domain Controller operating systems are supported.
Note: Windows Server 2019 and Windows Server 2022 are available, but there are no new domain functional levels added for those OS versions. Windows Server 2016 is the most recent forest and domain functional level.
| Forest functional level | Supported Domain Controller (OS) |
|---|---|
| Windows 2000 | Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 Windows 2000 |
| Windows Server 2003 | Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 |
| Windows Server 2008 | Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 |
| Windows Server 2012 | Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 |
| Windows Server 2012 R2 | Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 |
| Windows Server 2016 | Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server 2016 |
| Windows Server 2025 | Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server 2016 |
Domain functional level matrix
The table below shows the available domain functional levels and which Domain Controller operating systems are supported.
Note: Windows Server 2019 and Windows Server 2022 are available, but there are no new domain functional levels added for those OS versions. Windows Server 2016 is the most recent forest and domain functional level.
| Domain functional level | Supported Domain Controller (OS) |
|---|---|
| Windows 2000 | Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 Windows 2000 |
| Windows Server 2003 | Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 |
| Windows Server 2008 | Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 |
| Windows Server 2012 | Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 |
| Windows Server 2012 R2 | Windows Server 2022 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 |
| Windows Server 2016 | Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server 2016 |
| Windows Server 2025 | Windows Server 2025 Windows Server 2022 Windows Server 2019 Windows Server 2016 |
Raise functional level to highest value examples
Here are a couple of examples that will show how to raise the Active Directory functional levels to the highest value:
Note: You can set the domain functional level to a value higher than the forest functional level, but you cannot set the domain functional level to a value lower than the forest functional level.
Example 1. Raise functional level from Windows Server 2008 to Windows Server 2016:
- Install two new Windows Server 2022 Domain Controllers.
- Demote both Windows Server 2008 Domain Controllers.
- Raise forest and domain functional level to Windows Server 2016 (latest)*
*It’s only possible to raise the forest and domain functional level if the Windows Server 2008 DCs are both demoted.
Example 2. Raise functional level from Windows Server 2012 R2 to Windows Server 2016:
- Install two new Windows Server 2022 Domain Controllers.
- Demote both Windows Server 2012 R2 Domain Controllers.
- Raise forest and domain functional level to Windows Server 2016 (latest)*
*It’s only possible to raise the forest and domain functional level if the Windows Server 2012 R2 DCs are both demoted.
Example 3. Raise functional level from Windows Server 2016 to Windows Server 2022:
It’s impossible to raise the functional level from Windows Server 2016 to Windows Server 2022. That’s because there is no Windows Server 2022 forest and domain functional level value you can set.
Windows Server 2019 and Windows Server 2022 are available, but there are no new domain functional levels added for those OS versions. Windows Server 2016 is the highest forest and domain functional level in this case.
Example 4. Raise functional level from Windows Server 2019 to Windows Server 2025:
- Install two new Windows Server 2025 Domain Controllers.
- Demote both Windows Server 2019 Domain Controllers.
- Raise forest and domain functional level to Windows Server 2025 (latest)*
*It’s only possible to raise the forest and domain functional level if the Windows Server 2019 DCs are both demoted.
How to check forest and domain functional level
To know which AD forest and domain functional level values are active, read the article Check Active Directory forest and domain functional level.
How to get all Domain Controllers
To get all Domain Controllers and their operating systems, read the article Get all Domain Controllers with PowerShell.
Suppose you have 1x Domain Controller running, and you want to add another Domain Controller to provide fault tolerance, read the article Add Domain Controller to existing domain.
Conclusion
We showed the forest and domain functional level compatibility matrix. The matrix values are the same for the forest and the domain functional level. But it’s good to separate the tables, so you are more focused and aware when looking at them.
Always set the forest and domain functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible.
Did you enjoy this article? You may also like Export disabled users from Active Directory. Don’t forget to follow us and share this article.
ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft MVP. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »
In my home lab environment, I had the need to change the functional levels of my forest and domain to do some testing work with Exchange 2010. I was running in native Windows Server 2016 mode in both the forest and the domain levels. According to the Exchange Supportability matrix, Exchange 2010 SP3 RU5 and later will support a Windows 2012 R2 Active Directory domain. So, I wanted to roll my AD environment back to Windows Server 2012 R2 levels. Let’s see how to in Windows Server 2016 lower Forest and Domain functional level to an earlier version.
Note You need to be logged in with an Enterprise Admin account.
To do this we use the Active Directory module commandlets in Powershell. Let’s look at the process. First, we want to verify what the current forest and domain levels are.
To verify the forest functional level, we use the Get-ADForest commandlet. It will display output similar to the following. As you can see, it is currently set to the Windows2016Forest level.
Get-ADForest
Now, let’s look at the domain functional level. To see that, we use the Get-ADDomain commandlet. The domain is set to Windows2016Domain level.
Get-ADDomain
Changing the functional levels
Forest
To change the forest functional levels, we use the Set-ADForestMode commandlet and pass the forest level that we want to change to as a parameter.
Set-ADForestMode -ForestMode <Desired forest level>
Here, I want to change the forest functional level to Windows 2012 R2. As you can see below, I set the ForestMode to Windows2012R2Forest and then specify the forest name. After that, you simply confirm the action.
Now, if we run the Get-ADForest commandlet, we see the Windows2012R2Forest level has been set.
Domain
The process to change the domain functional level is the same. We just use a different commandlet. To change the domain functional level, we use the Set-ADDomainMode commandlet.
Set-ADDomainMode -DomainMode <Desired domain level>
As you can see, like the forest functional level change, we pass in the desired domain level in the DomainMode parameter. Then we specify the domain and confirm the action.
After the operation completes, we can rerun our Get-ADDomain commandlet, and now we see the Windows2012R2Domain showing in the DomainMode.
Thoughts
We all remember the days when changing the Forest and Domain level was a scary thing in the sense that there was no way to revert back to a previous version without a lot of pain. Starting In Windows Server 2008 R2 and Windows Server 2012, you could lower the Forest and Domain functional level from 2012 to 2008 R2, or from 2008 R2 to 2008. The ability to do this continues with Windows Server 2016 Lower Forest and Domain Functional Levels. However, the ability to perform these major changes in Active Directory doesn’t mean we should use it on a whim. Lowering the level should be given serious thought just as raising the level does.
Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don’t have to.
Active Directory functional levels are controls that specify which advanced Active Directory domain features can be used in an enterprise domain. The enterprise domain is usually comprised of domain controllers (DCs) that run on different versions of the Microsoft Windows Server operating system (OS).
From Windows Server 2016 onward, AD functional levels control the domain and forest features of the organization’s Active Directory Domain Services (AD DS). Functional levels also limit the Windows Server OS versions that can run DCs within the domain or forest — though this doesn’t limit the OS versions that can run on nodes joined to the domain or forest.
The OS typically designates the AD functional levels. For example, a domain might operate at a Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 or later functional level.
Functional levels are selected when a new forest is deployed, letting administrators set both the forest functional level and the domain functional level. A domain functional level can be set higher than the forest functional level, but not vice versa.
No new forest or domain functional levels have been added since Windows Server 2016. The actual list of functions at domain and forest levels can be cumbersome to parse because later Windows Server versions build on previous versions. The list is additive, where each new version adds one or more features or capabilities over previous versions.
It’s generally preferred policy to deploy AD DS with the highest domain and forest functional levels available within the environment to allow the broadest possible range of AD DS features. For example, if the environment is running Windows Server 2022 OSes, the AD functional level assigned to domain controllers is likely Windows Server 2016.
For example, the Windows Server 2016 and later forest functional level includes all of the features available in the Windows Server 2012 R2 forest functional level in addition to privileged access management using Microsoft Identity Manager.
Similarly, the Windows Server 2016 and later domain functional level includes all the AD features from the Windows Server 2012 R2 domain functional level in addition to the following:
- DC support for Windows NT LAN Manager (NTLM) and other password-based secrets on user accounts.
- DC support for network NTLM.
- Changes to Kerberos client authentication.
Consequently, admins need to reference documentation for Windows Server 2012 R2 to determine specific AD features and functions — only to reference functions and capabilities in earlier versions of Windows Server.
For educational purposes, it’s sufficient to know that AD functional levels are inclusive and backward-compatible with AD in previous Windows Server versions. Newer Windows Server versions simply add more functions. Today, this backward-compatibility extends to Windows Server 2012. Any domain controller that runs Windows Server 2008 R2 or older should be upgraded or removed from the domain.
What are the three main functions of Active Directory?
AD is most commonly associated with AD DS, which is the most used AD service. AD is fundamentally a hierarchical database designed to retain, organize and manage information about items attached to a network such as computers and user accounts. AD DS provides many common techniques for storing and accessing data within the database. It also provides three major functions for the enterprise by doing the following:
- Centralizing network resources and security. Centralization is a principal benefit of AD, offering a single enterprise-wide mechanism for admins to manage and secure network objects and resources while ensuring security for those assets.
- Providing global authorization and authentication. AD provides logon control and management for access to network resources within the domain. Users are authenticated once using a single sign-on approach. They can then access any resources for which their account, group or role is authorized.
- Simplifying resource management. AD can be searched to allow for fast and easy resource location. Users can locate published, or visible resources, and then securely access those resources as needed.
Although AD is comprised of many individual features and functions, most fit into one of these three general categories.
What are the benefits of the latest functional level?
Typically, the highest or latest functional level allows AD domain controllers to provide the largest suite of features and functions. Each newer AD version released with a Windows Server OS is backward-compatible but adds capabilities and features only available when all the domain controllers within the forest or domain are operating at the same OS functional level.
For example, Windows Server 2008 R2 adds the AD Recycle Bin, letting admins restore deleted objects from the AD database. This requires changes to the way AD delete behaves, which requires all domain controllers to run Windows Server 2008 R2. While it’s certainly possible to operate a mixed environment with domain controllers operating at a lower or older functional level, the features of the higher functional level are disabled until all domain controllers are upgraded to operate at the higher functional level.
After upgrading all domain controllers in the domain or forest, an admin can raise the AD functional level. The level selection informs the domain controllers that certain features can now be enabled. There are two basic caveats to AD functional levels:
- Active Directory functional levels can also apply to higher-level forests composed of multiple domains, but the forest functional level is the maximum limiting attribute. A domain within a forest can operate at a higher functional level than a forest, but no domain can operate at a functional level lower than a forest. For example, a forest configured for a Windows Server 2012 R2 functional level lets domains beneath it use a Windows Server 2012 R2 functional level. But admins can configure domain within the forest to use a higher functional level, such as Windows Server 2016.
- Once an AD functional level is raised, it could be difficult — or impossible — to roll back without rebuilding the domain or restoring it from a backup. For example, functional level increases in versions of Windows Server earlier than 2008 R2 can’t be rolled back; the admin must rebuild or restore the domain. For versions of Windows Server 2008 R2 and later, the admin can usually roll back the functional level with PowerShell cmdlets if the domain’s functional level is higher than the forest’s functional level. For example, if the domain operates at Windows Server 2012 R2 and the forest operates at Windows Server 2008, the admin can opt to roll back the domain to Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. However, if both the domain and forest operate at the same functional level, there are no rollback options for the domain.
Admins can use AD functional levels to restrict which domain controllers can participate in the domain. For example, an admin can ensure minimum functionality by configuring a domain to run at a Windows Server 2012 R2 functional level; domain controllers that run on earlier Windows Server versions won’t be accepted on the domain.
What is the difference between a domain functional level and a forest functional level?
The primary difference between a domain and a forest is scope. An AD domain is a logical grouping of objects within a single network domain, such as «mycompany.com.» A domain can operate two or more domain controllers for AD replication and load sharing. An AD forest is a collection of two or more domains organized to represent an entire enterprise. For example, a forest can include a U.S.-based domain, such as «mycompany.com,» and another domain for a European facility, such as «mycompany.co.uk.»
The ideas of AD functional levels apply equally to forests and domains. A domain functional level defines the functional level selected for all AD domain controllers within the given domain. Similarly, forest functional level selection sets the features and functionality of AD DS across the entire forest.
Given the caveats involved in AD functional levels, organizations generally operate domain controllers at the forest functional level when a forest exists, ensuring that all domain controllers in every domain across the entire forest are configured similarly. An organization without a forest will typically operate and manage AD at the domain functional level.
Learn which features Windows Server 2022 offers in its Datacenter Azure edition.
This was last updated in May 2023
Continue Reading About Active Directory functional levels
- Windows Server 2022 storage features address security, speed
- Optimize Windows Server 2019 with server best practices
- Learn how to set up Windows Server 2022 SMB compression
- Microsoft releases out-of-band update for Windows Server
- Understand Active Directory basics for enterprise success
Dig Deeper on IT operations and infrastructure management
-
What is Active Directory (AD)?
By: Rahul Awati
-
What is Active Directory Domain (AD Domain)?
By: Rahul Awati
-
New Active Directory features coming in Windows Server 2025
By: Brien Posey
-
How to transfer FSMO roles with PowerShell
By: Liam Cleary
When you create an Active Directory infrastructure, you have the option of choosing a functional level for the forest and for the domain.
If all your servers use the same version of Windows Server, you will necessarily choose the latest version available to benefit from all the features offered by your version of Windows Server.
In this article, you will find a quick summary of the different features that have appeared in each version of Windows Server for the forest and the domain functional level.
- Windows Server 2003 functional level
- Forest functional level on Windows Server 2003
- Domain functional level on Windows Server 2003
- Windows Server 2008 functional level
- Forest functional level on Windows Server 2008
- Domain functional level on Windows Server 2008
- Windows Server 2008 R2 functional level
- Forest functional level on Windows Server 2008 R2
- Domain functional level on Windows Server 2008 R2
- Windows Server 2012 functional level
- Forest functional level on Windows Server 2012
- Domain functional level on Windows Server 2012
- Windows Server 2012 R2 functional level
- Forest functional level on Windows Server 2012 R2
- Domain functional level on Windows Server 2012 R2
- Windows Server 2016 functional level
- Forest functional level on Windows Server 2016
- Domain functional level on Windows Server 2016
1. Windows Server 2003 functional level
1.1. Forest functional level on Windows Server 2003
Windows Server 2003 brings many new features to the forest, including :
- forest approvals : what is interesting when 2 companies merge, for example
- the ability to change the domain of a domain controller
- replication of linked values : this allows the replication of only modified links and not complete objects. For example, if you change the members of a group, only those links will be replicated, not the entire group object.
- the ability to deploy a read-only domain controller (RODC)
- and more
1.2. Domain functional level on Windows Server 2003
Windows Server 2003 brings new features to the domain, including :
- the «Netdom.exe» tool which allows you to manage a domain and rename domain controllers if you wish
- the addition of a new «lastLogonTimestamp» attribute which corresponds to the time when the user logged in for the last time.
Note that this attribute is replicated only at the same domain level. - the possibility of redirecting the creation of new computers and users to the desired containers rather than using the original «CN=Computers» and «CN=Users» containers.
- the possibility of creating delegations of control
- the appearance of selective authentication to choose which users and groups in a forest can authenticate for the resources of the remote forest
- and more
2. Windows Server 2008 functional level
2.1. Forest functional level on Windows Server 2008
Windows Server 2008 doesn’t add any new feature to the forest functional level.
2.2. Domain functional level on Windows Server 2008
Windows Server 2008 brings new features to the domain, including :
- the DFS replication support for the SYSVOL folder instead of FRS which was previously used and which is deprecated since version 2012 R2
- the AES 128 and AES 256 support for the Kerberos protocol
- the ability to deploy personal virtual desktops
- and more
3. Windows Server 2008 R2 functional level
3.1. Forest functional level on Windows Server 2008 R2
Windows Server 2008 R2 brings only one new feature to the forest :
- Active Directory Recycle Bin : this allows you to restore deleted Active Directory objects without losing the links they potentially had with other Active Directory objects.
3.2. Domain functional level on Windows Server 2008 R2
Windows Server 2008 R2 brings new features to the domain, including :
- possibility of knowing the type of logon used (username/password or smart card)
- and more
4. Windows Server 2012 functional level
4.1. Forest functional level on Windows Server 2012
Windows Server 2012 doesn’t add any new feature for the forest functional level.
4.2. Domain functional level on Windows Server 2012
Windows Server 2012 brings new feature for the domain :
- the Key Distribution Center (KDC) support for authentication, claims and policy administrative templates
5. Windows Server 2012 R2 functional level
5.1. Forest functional level on Windows Server 2012 R2
Windows Server 2012 R2 doesn’t add any new feature for the forest functional level.
5.2. Domain functional level on Windows Server 2012 R2
Windows Server 2012 R2 brings new features for the domain :
- protection of domain controllers for protected users
- the appearance of authentication policies
- the appearance of authentication policies silos
6.1. Forest functional level on Windows Server 2016
Windows Server 2016 brings a new feature for the forest :
- the Privileged Access Management (PAM)
6.2. Domain functional level on Windows Server 2016
Windows Server 2016 brings new features for the domain :
- 2 new features related to NTLM
- Kerberos clients using PKInit get an updated Public Key Identity Security Identifier (SID)
For detailed information about the new features available for each forest or domain functional level, see the Microsoft site : Forest and Domain Functional Levels
Published May 06, 2023 by Danny Moran
Table of Contents
PAGE CONTENT
Introduction
Learn how to raise both the Domain Functional Level and the Forest Functional Level in an Active Directory Domain. In this example, I raise the Domain Functional Level from Windows Server 2012 R2 to Windows Server 2016, and then raise the Domain Functional Level from Windows Server 2012 R2 to Windows Server 2016.
Video
Prerequisites
- All Domain Controllers need to be running at least Windows Server 2016. Demote any Domain Controllers that are not running atleast this version of Windows Server. You can run the following PowerShell command to list all Domain Controllers and their Operating System version:
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem - The user account upgrading the Functional Level is a member of the
Domain Adminssecurity group. - Check there are no replication errors between any Domain Controllers.
Check Domain Functional Level
To check the existing Domain Functional Level, you can run the following PowerShell command on any Domain Controller.
Get-ADDomain | fl Name, DomainMode
Check Forest Functional Level
To check the existing Forest Functional Level, you can run the following PowerShell command on any Domain Controller.
Get-ADForest | fl Name, ForestMode
Raise Domain Functional Level (PowerShell)
To raise the Domain Functional Level using PowerShell:
-
Run PowerShell as Administrator on a Domain Controller.
-
Run the following PowerShell command.
Set-ADDomainMode -identity ad.dannymoran.com -DomainMode Windows2016Domain -
Press
Ato confirm yes to all. -
Run the following command to check it’s now showing the correct Domain Functional level.
Get-ADDomain | fl Name, DomainMode
Raise Forest Functional Level (PowerShell)
WARNING: The Forest Functional Level cannot be higher than the Domain Functional Level. You must upgrade the Domain Functional Level first.
To raise the Forest Functional Level using PowerShell:
-
Run PowerShell as Administrator on a Domain Controller.
-
Run the following PowerShell command.
Set-ADForestMode -identity ad.dannymoran.com -ForestMode Windows2016Forest -
Press
Ato confirm yes to all. -
Run the following command to check it’s now showing the correct Domain Functional level.
Get-ADForest | fl Name, ForestMode
Raise Domain Functional Level (GUI)
-
Open Active Directory Domains and Trusts.
-
Right-click your local Domain name and press Raise Domain Functional level.
-
Select Windows Server 2016, and then press Raise.
-
Agree to the warning by pressing OK.
-
Press OK on the popup confirming the Domain Functional level has been raised successfully.
-
If you have multiple Domain Controllers, it might take some time for this change to replicate to all other Domain Controllers.
-
Run the following PowerShell command to check it’s now showing the correct Domain Functional level.
Get-ADDomain | fl Name, DomainMode
Raise Forest Functional Level (GUI)
WARNING: The Forest Functional Level cannot be higher than the Domain Functional Level. You must upgrade the Domain Functional Level first.
-
Open Active Directory Domain and Trusts.
-
Right-click Active Directory Domains and Trusts and select Raise Forest Functionalal Level.
-
Select Windows Server 2016, and then press Raise.
-
Agree to the warning by pressing OK.
-
Press OK on the popup confirming the Forest Functional level has been raised successfully.
-
If you have multiple Domain Controllers, it might take some time for this change to replicate to all other Domain Controllers.
-
Run the following PowerShell command to check it’s now showing the correct Forest Functional level.
Get-ADForest | fl Name, ForestMode