What Are Active Directory Functional Levels?

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Active Directory Functional Level Scenarios

  • Active Directory Functional Level Dependencies and Rollback Options

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

In Active Directory Domain Services (AD DS), domain controllers can run different versions of Windows Server operating systems. The functional level of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The functional level of a domain or forest controls which advanced features are available in the domain or forest.

Ideally, all servers in an organization could run the latest version of Windows and take advantage of all the advanced features that are available with the newest software. But organizations often have a mixture of systems, generally running different versions of operating systems, which are migrated to the latest version only as organizational requirements demand additional functionality, either for the entire organization or for a specific area of the organization.

AD DS supports phased implementation of new versions of Windows Server and advanced features on domain controllers by providing multiple functional levels, each of which is specific to the versions of Windows Server operating systems that are running on the domain controllers in the environment. These functional levels provide configuration support for the AD DS features and ensure compatibility with domain controllers running earlier versions of Windows Server.

AD DS does not automatically enable advanced features, even if all domain controllers within a forest are running the same version of Windows Server. Instead, an administrator raises a domain or forest to a specific functional level to safely enable advanced features when all domain controllers in the domain or forest are running an appropriate version of Windows Server. When an administrator attempts to raise the functional level, AD DS checks whether all domain controllers are running an appropriate Windows Server operating system to ensure the proper environment for enabling new Active Directory features.
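The following readiness report is an added example, not part of the original topic or Microsoft's own tooling. It lists each domain controller's operating system version against the minimum for a target functional level before an administrator attempts the raise. It assumes PowerShell 3.0 or later with the ActiveDirectory module installed; the function name Test-FunctionalLevelReadiness and the $MinimumOsVersion table are hypothetical names introduced here.

```powershell
# Added example: readiness report before raising a domain functional level.
# Read-only; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Minimum DC operating system version (major.minor) for the functional
# levels named in this topic. Table name is hypothetical.
$MinimumOsVersion = @{
    'Windows Server 2003'    = [version]'5.2'
    'Windows Server 2008'    = [version]'6.0'
    'Windows Server 2008 R2' = [version]'6.1'
}

function Test-FunctionalLevelReadiness {
    param(
        [Parameter(Mandatory = $true)] [string] $TargetLevel,
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    if (-not $MinimumOsVersion.ContainsKey($TargetLevel)) {
        throw "Unknown target level '$TargetLevel'"
    }
    $required = $MinimumOsVersion[$TargetLevel]

    Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
        # OperatingSystemVersion looks like "6.1 (7601)"; keep major.minor only.
        $osVersion = $null
        if ($_.OperatingSystemVersion -match '^(\d+\.\d+)') {
            $osVersion = [version]$Matches[1]
        }
        [pscustomobject]@{
            DomainController = $_.HostName
            OperatingSystem  = $_.OperatingSystem
            OsVersion        = $osVersion
            # A DC whose version cannot be parsed is treated as blocking.
            BlocksRaise      = ($null -eq $osVersion) -or ($osVersion -lt $required)
        }
    }
}

$report = @(Test-FunctionalLevelReadiness -TargetLevel 'Windows Server 2008 R2')
$report | Sort-Object BlocksRaise -Descending | Format-Table -AutoSize
"Current domain functional level: $((Get-ADDomain).DomainMode)"
if ($report.BlocksRaise -contains $true) {
    'Not ready: the domain controllers marked BlocksRaise run an earlier Windows Server version.'
} else {
    'All domain controllers meet the minimum OS version for the target level.'
}
```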

Raising the functional level allows the introduction of advanced features but also limits the versions of Windows Server that can run on domain controllers in the environment. AD DS has two types of functional levels:

  • Domain functional level. Six domain functional levels are available:

    Windows 2000 mixed (the default in Windows Server 2003)

    Windows 2000 native

    Windows Server 2003 interim

    Windows Server 2003

    Windows Server 2008

    Windows Server 2008 R2

    Setting the functional level for a domain enables features that affect the entire domain and that domain only. If all domain controllers in a domain are running Windows Server 2008 R2 and the functional level is set to Windows Server 2008 R2, all domain-wide features are available.

    Note

    The default domain functional level for Windows Server 2008 and Windows Server 2008 R2 is set to the existing value of the forest functional level.

  • Forest functional level. Five forest functional levels are available:

    Windows 2000 (the default in Windows Server 2003 and Windows Server 2008)

    Windows Server 2003 interim

    Windows Server 2003 (the default in Windows Server 2008 R2)

    Windows Server 2008

    Windows Server 2008 R2

    Setting the functional level for a forest enables features across all the domains within a forest. If all domain controllers in a forest are running Windows Server 2008 R2 and the functional level is set to Windows Server 2008 R2, all forest-wide features are available.

    Note

    In addition to the Windows Server 2008 R2 forest functional level requirement, the Active Directory Recycle Bin feature must be enabled before it becomes available for use. For more information, see the Active Directory Recycle Bin Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=178657).

When domain controllers running earlier versions of Windows Server are included in your domain or forest with domain controllers running later versions of Windows Server, advanced Active Directory features are limited.

The concept of enabling additional functionality in AD DS exists in Windows 2000 with mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security identifier (SID) history capabilities. When the domain is set to native mode, Universal security groups, group nesting, and security identifier (SID) history capabilities are available. Domain controllers running Windows NT 4.0 or Windows 2000 Server are not aware of Windows Server 2003 or higher domain and forest functional levels.

Active Directory Functional Level Scenarios

Functional levels provide a method for any organization to introduce the latest Active Directory functionality. The advanced functionality can be optimized immediately, or phased in over time, depending on the needs of each organization. The following scenarios describe how functional levels can meet a range of deployment needs:

  • A small organization running only Windows Server 2008 R2 on domain controllers. In this scenario, a small organization might be creating an AD DS infrastructure for the first time, using only two domain controllers in a forest with a single domain. By installing Windows Server 2008 R2 on both domain controllers and selecting the Windows Server 2008 R2 forest functional level during the AD DS installation on the first domain controller, the organization can immediately take advantage of all of the advanced Active Directory features that are available.

    Note

    The option to select the domain or forest functional level during AD DS installation is available only in Windows Server 2008 and Windows Server 2008 R2.

  • A mid-size organization with accelerated upgrade requirements. In this scenario, a mid-size organization might have a native mode Windows Server 2003 domain, and would now like to start upgrading domain controllers to Windows Server 2008. Upgrading to Windows Server 2008 on some domain controllers, while maintaining some previously installed domain controllers running Windows Server 2003, enables the mid-size organization to take advantage of much of the latest functionality, even though not all domain controllers are running Windows Server 2008. Later, after all domain controllers running Windows Server 2003 have been upgraded to Windows Server 2008, the organization can raise the forest functional level to take advantage of all advanced Active Directory features.

  • A large organization with phased upgrade requirements. In this scenario, an enterprise with a mature and complex forest with multiple domains, some of which are still running Windows 2000 Server, might now be ready to install one or more new domain controllers running Windows Server 2008. Members of the organization might want to raise functional levels in a phased manner (one domain at a time). They could target certain domains that are running Windows 2000 domain controllers and upgrade them first to Windows Server 2003 and then to Windows Server 2008. After they upgrade all domain controllers in the domain, they could raise the functional level of only that domain to Windows Server 2008 to take advantage of additional Active Directory features.

    After they are satisfied with the results of that domain, members of the organization can carry out a similar exercise in other domains. After upgrading every domain in the forest to Windows Server 2008, they can finally raise the functional level of the forest to Windows Server 2008 to take advantage of the advanced Active Directory features for Windows Server 2008.

Active Directory Functional Level Dependencies and Rollback Options

Active Directory domain and forest functionality has the following dependencies:

  • After all domain controllers are running an appropriate version of Windows Server, the domain or forest must be configured to support the appropriate domain or forest functional level. That is, to provide support in a domain or forest for advanced Active Directory features, an administrator must raise the domain functional level or forest functional level, which can only be done if the domain controllers are each running the appropriate version of Windows Server.

  • After the domain functional level is raised, domain controllers running earlier versions of Windows Server cannot be introduced into the domain. After the forest functional level is raised, domain controllers running earlier versions of Windows Server cannot be introduced into the forest.

  • With versions of Windows Server that are earlier than Windows Server 2008 R2, you cannot roll back or lower a functional level under any circumstances. If you have to revert to a lower functional level with a version of Windows Server that is earlier than Windows Server 2008 R2, you must rebuild the domain or forest or restore it from a backup copy.

  • After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: if you raise the domain functional level to Windows Server 2008 R2 while the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

  • After you set the forest functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the forest functional level, with one exception: if you raise the forest functional level to Windows Server 2008 R2 and the Active Directory Recycle Bin is not enabled, you have the option of rolling the forest functional level back to Windows Server 2008. For more information about the Active Directory Recycle Bin, see What's New in AD DS: Active Directory Recycle Bin (https://go.microsoft.com/fwlink/?LinkId=141392). You can lower the forest functional level only from Windows Server 2008 R2 to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back to Windows Server 2003, for example.
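The two rollback exceptions above can be evaluated against a live directory before a functional level is raised. This is an added example, not part of the original topic; it encodes only the Windows Server 2008 R2 rules described here, assumes PowerShell 3.0 or later with the ActiveDirectory module, and the function name Get-FunctionalLevelRollbackOption is hypothetical.

```powershell
# Added example: report whether the rollback exceptions in this topic apply.
# Read-only; Get-ADDomain returns the domain of the account running the script.
Import-Module ActiveDirectory

function Get-FunctionalLevelRollbackOption {
    $domainMode = [string](Get-ADDomain).DomainMode
    $forestMode = [string](Get-ADForest).ForestMode

    # The Recycle Bin counts as enabled once the optional feature has any scope.
    $feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    $recycleBinEnabled = [bool]($feature -and @($feature.EnabledScopes).Count -gt 0)

    # Forest levels that are "Windows Server 2008 or lower".
    $lowForestModes = @('Windows2000Forest', 'Windows2003InterimForest',
                        'Windows2003Forest', 'Windows2008Forest')
    $forestAtOrBelow2008 = $lowForestModes -contains $forestMode

    # Domain rule: only 2008 R2 -> 2008, and only while the forest is at 2008 or lower.
    $domainRollback = ($domainMode -eq 'Windows2008R2Domain') -and $forestAtOrBelow2008
    # Forest rule: only 2008 R2 -> 2008, and only while the Recycle Bin is not enabled.
    $forestRollback = ($forestMode -eq 'Windows2008R2Forest') -and -not $recycleBinEnabled

    [pscustomobject]@{
        DomainMode          = $domainMode
        ForestMode          = $forestMode
        RecycleBinEnabled   = $recycleBinEnabled
        DomainCanRollBackTo = if ($domainRollback) { 'Windows Server 2008' } else { 'none under these rules' }
        ForestCanRollBackTo = if ($forestRollback) { 'Windows Server 2008' } else { 'none under these rules' }
    }
}

Get-FunctionalLevelRollbackOption | Format-List
```

Recording this output before a change gives a point-in-time record of whether a raise can still be reversed or would require a rebuild or restore from backup.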