This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 16%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBK%3C/text%3E%3C/svg%3E)
Hi,
We have 80 DCs in our domain in different sites. Recently we upgraded from 2012r2 to 2019 server OS. Now we need to raise the FFL/DFL. As we cannot roll back the change, So we are looking for a backup plan?
After researching we found that the only way is to recover the forest/domain using system state backup of 1 DC and recreate all the other DCs. But for 80 DCs that seems very difficult.
Please suggest the process.
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Biswajeet Kumar ,
Thank you for your update and marking my reply as answer. I am very glad that the information is helpful.
As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!
Have a nice day!
Best Regards,
Daisy Zhou
Hello @Biswajeet Kumar ,
Thank you for posting here.
Generally, we recommend backing up all domain controllers regularly using Windows server built-in Windows backup tool .
Before we do any change in AD, we had better do related backups.
For your request, after the discussion between my colleague and I, we think either we raise the FFL/DFL successfully, or we will not raise the FFL/DFL successfully (keep the current FFL/DFL) due to some reason.
Assuming that DFL/FFL cannot be upgraded, we need to look for the reason.
Meanwhile, I have done a test in my lab as below, raise FFL and DFL.
And I can downgrade the FFL and DFL.
Before you raise FFL and DFL, I suggest we can check the information below.
1.Ensure every DC works fine itself by running Dcdiag /v on each DC.
2.Ensure AD replication works fine in the entire forest by running commands below on PDC(there is no any error in the command result).
repadmin /showrepl
repadmin /replsum
repadmin /showrepl * /csv >c:\repsum.csv
3.We can update gpo on all DCs by running gpupdate /force.
4.Netlogon and SYSVOL are shared on all DCs.
5.SYSVOL replication works fine between all DCs.
If all above is OK, FFL and DFL should be raised successfully.
Reference
Understanding Active Directory Domain Services (AD DS) Functional Levels
https://video2.skills-academy.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754918(v=ws.10)?redirectedfrom=MSDN
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
Just a doubt,
When we raise the FFL/DFL there will be new objects created. So what will happen to those objects when we revert to 2012r2 again using PowerShell?
Hello @Biswajeet Kumar ,
It will have no effect when we do operation "When we raise the FFL/DFL there will be new objects created. So what will happen to those objects when we revert to 2012r2 again using PowerShell".
Should you have any question or concern, please feel free to let me know.
Best Regards,
Daisy Zhou
"It will have no effects" - Does that mean the object which was created or the features which was added during upgrade from 2012r2 to 2016 will be there after we downgrade the FFL/DFL to 2012r2 ?
Please clarify.
Thanks for getting soon.
Hello @Biswajeet Kumar ,
Does that mean the object which was created during upgrade from 2012r2 to 2016 will be there after we downgrade the FFL/DFL to 2012r2?
A:Based on my test in my lab, it is correct.
For example:
ForestMode:2012
DomainMode:2012R2
I raise ForestMode from 2012 to 2012R2, and DomainMode from 2012R2 to 2016.
I create a user daisy8 and a group group8.
I downgrade ForestMode from 2012R2 to 2012, and DomainMode from 2016 to 2012R2.
The user daisy8 and the group group8 still exists in AD.
Should you have any question or concern, please feel free to let me know.
Best Regards,
Daisy Zhou
I am not taliking about the users or group objects, sorry if it was confusing.
I am talking about the features that got added while raising FFL/DFL. like these
So what happens to these features? like when we raise the FFL "Privileged access management (PAM) using Microsoft Identity Manager (MIM)" added. And when we roll back will this PAM be available or not.
Similarly there are feature got added when we raise DFL. What happens to those?
Thanks
Hello @Biswajeet Kumar ,
Thank you for your update.
I am sorry for mistanding.
If we raise forest functional level from 2012 to 2016, then we deploy "Privileged access management (PAM) using Microsoft Identity Manager (MIM)", after that, we downgrade forest functional level from 2016 to 2012, this PAM should be not available.
And it is similar as the features based on higher functional level.
Best Regards,
Daisy Zhou
Ok, Thankyou very much
I will give it a try.