
Downgrading Active Directory Domain and Forest Functional Levels (Part 2)


Introduction

In part 1 of this series, we established in theory that we can lower the Active Directory functional levels from the latest functional level to Windows Server 2008 R2, or even Windows Server 2008 if the Active Directory Recycle Bin is not enabled.

I will now demonstrate how to lower the functional levels from Windows Server 2016 to Windows Server 2008.


Lab Configuration

I’ve deployed a three-domain forest with Windows Server 2019 Domain Controllers. This is a root domain with two child domains. The Forest Functional Level (FFL) is Windows Server 2016 and the Active Directory Recycle Bin is disabled (it is not enabled by default when deploying a new forest).


Viewing the forest configuration using Active Directory Domains and Trusts


Viewing domain and forest functional levels using Windows PowerShell


When creating a new Active Directory forest on Windows Server 2019, you can still select Windows Server 2008 as the functional level, which shows that the latest Windows Server operating system remains compatible with that level. There is no option to select a Windows Server 2019 functional level, because no new functional levels were introduced with Windows Server 2019.



In the following demonstration, I will attempt to lower the functional level of the root domain (root.contoso.com) and a child domain (child1.root.contoso.com).


The basics

You must be a member of the Enterprise Admins group to raise or lower the FFL and a member of the Domain Admins group of a domain to raise or lower its DFL. By default, Enterprise Admins is a member of the built-in Administrators group in every domain of the forest, which is why a single Enterprise Admin account is used for every step below. Read more on the default Active Directory security groups in Microsoft's documentation.

Unlike raising the functional levels, downgrading (lowering) the functional levels can only be accomplished using Windows PowerShell. There are no Graphical User Interface (GUI) tools to accomplish this task.

The Active Directory module for Windows PowerShell (part of the Remote Server Administration Tools, and installed on every domain controller) is required for the commands that we will use. Find more information on this module in Microsoft's documentation.

We will use Set-ADForestMode to lower the Forest Functional Level (FFL) and Set-ADDomainMode to lower the Domain Functional Level. You can also use these commands to raise the functional level instead of using the Active Directory Users and Computers, or Active Directory Domains and Trusts management consoles.


Downgrading the Forest Functional Level: Active Directory Recycle Bin disabled

The Forest Functional Level (FFL) should be lowered first before the Domain Functional Level (DFL) can be lowered. Attempting to lower the DFL before the FFL will result in the error below:

Set-ADDomainMode : The functional level of the domain (or forest) cannot be lowered to the requested value


Ensure you are logged on with an Enterprise Admin account. Open Windows PowerShell, enter and execute the following command to lower the FFL of the forest:

Set-ADForestMode -Identity root.contoso.com -ForestMode Windows2008Forest -Server root.contoso.com -Confirm:$false

I am using the domain and forest names of my lab environment. Replace the -Identity and -Server values with the names from your environment; -Server accepts either a domain FQDN (a domain controller is then located automatically) or the name of a specific domain controller. Adding -Confirm:$false at the end of the command suppresses the confirmation prompt that these cmdlets otherwise display.



No confirmation message is returned when the command succeeds; the cmdlet only produces output if it fails (or if you add -PassThru, which returns the updated forest object). Not receiving an error is good, but we still need to verify the FFL to confirm that it was actually lowered. This can be done with the following command in Windows PowerShell:

Get-ADForest | select Name,ForestMode



I want to verify the DFL of the domains, after the FFL was lowered, before I move on to the next step of lowering the DFL of the root domain. I use the following code in Windows PowerShell to accomplish this:

# List every domain in the forest together with its current DFL
$domains = (Get-ADForest).Domains
foreach ($domain in $domains) {
    Get-ADDomain -Identity $domain | Select-Object DNSRoot, DomainMode
}



Downgrading the Domain Functional Level: Active Directory Recycle Bin disabled

The FFL was successfully lowered to Windows Server 2008 while the DFL of every domain is still Windows Server 2016. I will now lower the DFL of the root domain. I am still logged on with an Enterprise Admin account. Enter and execute the following command in Windows PowerShell to lower the DFL of the root domain:

Set-ADDomainMode -Identity root.contoso.com -DomainMode Windows2008Domain -Server root.contoso.com -Confirm:$false



Again, there is no confirmation message that the command was executed successfully and not receiving any error messages is good. Let’s review the DFL of all domains to confirm that the DFL of the root domain was lowered successfully.



I now want to attempt to lower the DFL of a child domain in the forest.

Please note that any of the domains can be lowered in any order, there is no dependency on the root domain DFL being lowered before lowering the DFL of any child domains. The only requirement is lowering the FFL before lowering the DFL of any domain in the forest.

I am still logged on with an Enterprise Admin account and Windows PowerShell is open. The command syntax is the same except for the -Identity and -Server parameters, which should now be the Fully Qualified Domain Name (FQDN) of the child domain.

Set-ADDomainMode -Identity child1.root.contoso.com -DomainMode Windows2008Domain -Server child1.root.contoso.com -Confirm:$false

Attempting to lower the DFL of a domain other than the one your PowerShell session is connected to, as I am doing here from the root domain with the Enterprise Admin account, may fail with the error: Set-ADDomainMode : A referral was returned from the server.

This is avoided by using the -Server parameter to target a domain controller in the domain being changed, either by specifying the FQDN of that domain or the name of one of its domain controllers, as I have done in all the previous steps.



The command executes without any confirmation message or errors. Viewing the DFL of all domains confirms that the DFL of the child domain was successfully lowered to Windows Server 2008.
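The whole procedure above, from the pre-flight checks through lowering the FFL and then every DFL, as a single PowerShell script. This is an added example, not code from the original post. It assumes the ActiveDirectory module, a session running as a member of Enterprise Admins on a domain-joined machine, and the lab's forest layout (root.contoso.com with its child domains); the target levels are parameters that default to Windows Server 2008. The Recycle Bin check exists because that feature, once enabled, needs at least the Windows Server 2008 R2 FFL, so the script refuses to go lower than that when the feature is enabled.

```powershell
#Requires -Modules ActiveDirectory
# Added example: lower the Forest Functional Level, then the Domain Functional Level
# of every domain in the forest, in the order the article requires (FFL first).
param(
    [string]$TargetForestMode = 'Windows2008Forest',   # assumption: lab targets 2008
    [string]$TargetDomainMode = 'Windows2008Domain'
)

Import-Module ActiveDirectory -ErrorAction Stop
$forest = Get-ADForest

# 1. Recycle Bin check. When EnabledScopes is empty the feature is disabled and the
#    FFL may go down to Windows Server 2008; when enabled, 2008 R2 is the floor.
$recycleBin = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if ($recycleBin.EnabledScopes.Count -gt 0 -and $TargetForestMode -eq 'Windows2008Forest') {
    throw 'Active Directory Recycle Bin is enabled; the FFL cannot be lowered below Windows2008R2Forest.'
}

# 2. Confirm the current logon token carries Enterprise Admins, which is the
#    group with RID 519 in the forest root domain (Set-ADForestMode requires it).
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$eaSid   = "$rootSid-519"
$token   = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ($token.Groups.Value -contains $eaSid)) {
    throw "Run this as a member of Enterprise Admins ($eaSid)."
}

# 3. Lower the FFL first: the DFL can never be lower than the FFL, so attempting
#    the DFL before the FFL fails with "cannot be lowered to the requested value".
#    -PassThru makes the cmdlet return the updated object; by default it is silent.
Write-Host "FFL before: $($forest.ForestMode)"
$forest = Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode `
              -Server $forest.RootDomain -Confirm:$false -PassThru
Write-Host "FFL after:  $($forest.ForestMode)"

# 4. Lower every domain. The order of domains does not matter, but -Server must
#    point at the domain being changed, otherwise the cmdlet returns
#    "A referral was returned from the server" when run from another domain.
foreach ($dnsRoot in $forest.Domains) {
    $domain = Set-ADDomainMode -Identity $dnsRoot -DomainMode $TargetDomainMode `
                  -Server $dnsRoot -Confirm:$false -PassThru
    Write-Host ("DFL {0}: {1}" -f $domain.DNSRoot, $domain.DomainMode)
}

# 5. Independent verification: re-read the levels from the directory instead of
#    trusting the objects returned by -PassThru.
Get-ADForest | Select-Object Name, ForestMode
foreach ($dnsRoot in (Get-ADForest).Domains) {
    Get-ADDomain -Identity $dnsRoot -Server $dnsRoot | Select-Object DNSRoot, DomainMode
}
```

Run it from an elevated PowerShell session on a domain controller or an administration host with RSAT installed, for example `.\Lower-FunctionalLevels.ps1` to use the defaults or `.\Lower-FunctionalLevels.ps1 -TargetForestMode Windows2008R2Forest -TargetDomainMode Windows2008R2Domain` when the Recycle Bin is enabled. The script writes to the directory immediately, so test it in a lab forest such as the one described in this post before using it anywhere else.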




Summary

I’ve demonstrated that the Active Directory functional levels can successfully be lowered from a Windows Server 2016 functional level to Windows Server 2008 functional level. It is important to note that this was achieved with the Active Directory Recycle Bin disabled.

In part 3 of this series, I will raise the functional levels back to Windows Server 2016, enable the Active Directory Recycle Bin and attempt lowering the functional levels again.

