Raising Active Directory Forest and Domain Functional Levels Using PowerShell.

As part of the infrastructure clean up and upgrade plans, we have decided to raise the DFL and FFL of our domain to take advantage of new Windows Server features.

The first step in the process is making sure all new DCs in the domain are running the same version of Windows Server. To meet this requirement, I have added two Windows Server 2008R2 servers running Active Directory Domain Services as domain controllers. For the next step, I decommissioned all existing Windows Server 2003R2 domain controllers by using dcpromo.exe to demote and uninstall Active Directory.

After uninstalling AD from the WS2003R2 servers and restarting both machines, I went through the clean up process to manually remove any lingering objects in AD integrated DNS and AD Sites and Services referencing the demoted Windows 2003 R2 servers. I’ve written about this in a previous post.

By raising the forest and domain functional levels, I intend to take advantage of two main features:

a) Active Directory Recycle Bin, which gives us the ability to fully restore deleted objects and their attributes (user accounts, groups) in their entirety from the Deleted Objects container while AD DS is running.

b) AD Fine-grained Password Group Policies, which will now make it possible for us to specify password and account lockout policies for specific users and security groups in the domain instead of a blanket password policy for every department.

In the next step, I will verify the current forest and domain functionality level in the domain using the following PowerShell cmdlet:

PS C:\scripts> Get-ADRootDSE | fl domainFunctionality, forestFunctionality

domainFunctionality : Windows2003Domain
forestFunctionality : Windows2003Forest


Raise the domain functional level:

PS C:\scripts> Set-ADDomainMode -Identity lab.net -DomainMode Windows2008R2Domain -Verbose

Raise the Forest functional level:

PS C:\scripts> Set-ADForestMode -Identity lab.net -ForestMode Windows2008R2Forest -Server WS2012R2.lab.net -Verbose

It should be noted that this operation is irreversible.
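
Because the change cannot be undone, a pre-flight check is worth running before the two Set- cmdlets above. The following is an added example, not part of the original post: it assumes the ActiveDirectory module is available and reuses the lab.net domain from this page, and the helper name Test-DcOsVersion is hypothetical.

```powershell
# Added example: pre-flight check before raising functional levels.
# Assumes the ActiveDirectory module (RSAT) and the lab.net domain used on this page.
Import-Module ActiveDirectory

$domainName = 'lab.net'        # domain name taken from this page
$minimumOs  = [version]'6.1'   # Windows Server 2008 R2 reports OS version 6.1

function Test-DcOsVersion {
    # Hypothetical helper: returns $true when an OperatingSystemVersion
    # string such as '6.1 (7601)' is at or above the required minimum.
    param([string]$OperatingSystemVersion, [version]$Minimum)
    $numeric = ($OperatingSystemVersion -split ' ')[0]
    return ([version]$numeric -ge $Minimum)
}

# Every domain controller must meet the OS requirement of the target level.
$dcs = Get-ADDomainController -Filter * -Server $domainName
$blocking = $dcs | Where-Object {
    -not (Test-DcOsVersion -OperatingSystemVersion $_.OperatingSystemVersion -Minimum $minimumOs)
}

# Inventory of what is still registered as a DC (catches forgotten 2003 R2 boxes).
$dcs | Sort-Object HostName |
    Format-Table HostName, OperatingSystem, OperatingSystemVersion, Site -AutoSize |
    Out-Host

if ($blocking) {
    Write-Warning 'These domain controllers block the raise; demote or upgrade them first:'
    $blocking | Select-Object HostName, OperatingSystem | Out-Host
    return
}

# Record the current levels for the change record.
$domain = Get-ADDomain -Identity $domainName
$forest = Get-ADForest -Identity $domainName
"Current domain mode: $($domain.DomainMode)"
"Current forest mode: $($forest.ForestMode)"

# Dry run: -WhatIf reports what would change without committing it.
Set-ADDomainMode -Identity $domainName -DomainMode Windows2008R2Domain -WhatIf
Set-ADForestMode -Identity $domainName -ForestMode Windows2008R2Forest -WhatIf
```

Once the dry run output looks right, drop -WhatIf and run the commands as shown earlier in the post.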
