Raising the Functional Levels

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic contains the following subjects:

  • Raising the forest functional level

  • Raising the domain functional level

  • Troubleshooting errors when you raise the functional level

When you deploy the first Windows Server 2008 domain controller in your forest root domain, Active Directory Domain Services (AD DS) sets the functional levels by default, unless you set them to higher levels when you run Dcpromo. They remain at the following levels until you raise them manually:

  • Windows 2000 forest functional level

  • Windows 2000 native domain functional level

Functional levels are set at these default levels to give you the option of adding Windows 2000–based domain controllers or Windows Server 2003–based domain controllers to your new Windows Server 2008 forest. However, if you plan to run Windows Server 2008 operating systems on all domain controllers in your new Windows Server 2008 environment, you can take advantage of all Windows Server 2008 forest-level and domain-level features by setting the forest functional level, and then the domain functional level, to Windows Server 2008. Similarly, if you plan to run Windows Server 2008 R2 operating systems on all domain controllers in your new Windows Server 2008 R2 environment, you can take advantage of all Windows Server 2008 R2 forest-level and domain-level features by setting the forest functional level, and then the domain functional level, to Windows Server 2008 R2.

Important

We recommend that you raise forest and domain functional levels when you run the Active Directory Domain Services Installation Wizard (Dcpromo.exe). The following procedures describe how to raise the forest and domain functional levels.

For more information about advanced features that are enabled at various available functional levels, see Enabling Advanced Features for AD DS.

Raising the forest functional level

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To raise the forest functional level

  1. To open the Active Directory Domains and Trusts snap-in, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.

  3. In Select an available forest functional level, do one of the following:

    • To raise the forest functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.

    • To raise the forest functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.

    • To raise the forest functional level to Windows Server 2008 R2, click Windows Server 2008 R2, and then click Raise.

Warning

Do not raise the forest functional level to Windows Server 2008 R2 if you have or will have any domain controllers running Windows Server 2008 or earlier.

Important

After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with one exception: when you raise the forest functional level to Windows Server 2008 R2 and if Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.
For more information about the Active Directory Recycle Bin, see Active Directory Recycle Bin Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=133971).

Raising the domain functional level

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To raise the domain functional level

  1. To open the Active Directory Domains and Trusts snap-in, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain for which you want to raise the functional level, and then click Raise Domain Functional Level.

  3. In Select an available domain functional level, do one of the following:

    • To raise the domain functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.

    • To raise the domain functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.

    • To raise the domain functional level to Windows Server 2008 R2, click Windows Server 2008 R2, and then click Raise.

Warning

Do not raise the domain functional level to a later version (such as Windows Server 2008 or Windows Server 2008 R2) if you have or will have any domain controllers running earlier versions of Windows Server.

Important

After you set the domain functional level to a certain value, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

Troubleshooting errors when you raise the functional level

If the domain or forest includes an unoccupied read-only domain controller (RODC) account that has an msDS-Behavior-Version attribute value that is less than the value that the domain or forest is being raised to, the operation to raise the functional level will fail.

If you are using Active Directory Domains and Trusts to raise the forest functional level, the error message is the following:

“The functional level could not be raised. This may be due to replication latency. Please wait about 30 minutes and try again.”

If you are using Active Directory Domains and Trusts or Active Directory Users and Computers to raise the domain functional level, the error message is the following:

“The functional level could not be raised. The error is: The server is unwilling to process the request.”

If you are using the Active Directory module for Windows PowerShell to raise the functional level, the error message is the following:

“The functional level of the domain (or forest) cannot be raised to the requested value, because there exist one or more domain controllers in the domain (or forest) that are at a lower incompatible functional level.”

For more information about using the Active Directory module to raise the functional level, see Forest and Domain Management (https://go.microsoft.com/fwlink/?LinkId=157592).

To verify the msDS-Behavior-Version of a domain controller account, use Active Directory Sites and Services to check the Attribute Editor tab in the properties of the NTDS Settings object for the domain controller. To resolve the error, you can delete the unoccupied RODC account.
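
The following read-only pre-flight check is an added example, not part of the original topic. It uses the Active Directory module for Windows PowerShell to list every NTDS Settings object whose msDS-Behavior-Version is lower than the level you intend to raise to, which is the condition that produces the errors above. The function name Get-BlockingDsa and the $target value are assumptions chosen for illustration.

```powershell
# Added example: find NTDS Settings objects that would block a functional level raise.
# Makes no changes to the directory; requires the Active Directory module.
Import-Module ActiveDirectory

# msDS-Behavior-Version values and the operating system level each one represents.
$LevelNames = @{ 0 = 'Windows 2000'; 2 = 'Windows Server 2003'
                 3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2' }

function Get-BlockingDsa {
    # Hypothetical helper: returns NTDS Settings objects below $TargetLevel.
    param([Parameter(Mandatory = $true)][int]$TargetLevel)

    $configNC = (Get-ADRootDSE).configurationNamingContext

    # nTDSDSA covers writable DCs; nTDSDSARO covers RODC accounts.
    Get-ADObject -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter '(|(objectClass=nTDSDSA)(objectClass=nTDSDSARO))' `
                 -Properties 'msDS-Behavior-Version' |
        # A missing attribute casts to 0, which is the Windows 2000 level.
        Where-Object { [int]$_.'msDS-Behavior-Version' -lt $TargetLevel } |
        Select-Object DistinguishedName, ObjectClass,
            @{ Name = 'Version'; Expression = { [int]$_.'msDS-Behavior-Version' } },
            @{ Name = 'Level'
               Expression = { $LevelNames[[int]$_.'msDS-Behavior-Version'] } }
}

# Assumption for this example: the intended level is Windows Server 2008 R2 (4).
$target  = 4
$blocked = @(Get-BlockingDsa -TargetLevel $target)

# Current levels, as reported by the module.
"Forest functional level: {0}" -f (Get-ADForest).ForestMode
"Domain functional level: {0}" -f (Get-ADDomain).DomainMode

if ($blocked.Count -gt 0) {
    # Each row is a domain controller or RODC account to upgrade, demote,
    # or (for an unoccupied RODC account) delete before raising the level.
    $blocked | Format-Table -AutoSize
    Write-Warning ("{0} NTDS Settings object(s) are below {1}; the raise will fail." -f
                   $blocked.Count, $LevelNames[$target])
} else {
    "No NTDS Settings object is below {0}; the raise is not blocked by this check." -f
        $LevelNames[$target]
}
```

When the check reports no blocking objects, the raise itself can be performed with the module's Set-ADDomainMode and Set-ADForestMode cmdlets, subject to the rollback limits described earlier in this topic.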