Active Directory Forest Levels

When the functional level of a forest or domain within Active Directory is raised, a certain set of advanced features becomes available. The forest functional level (FFL) determines which features of Active Directory Domain Services (AD DS) are enabled in a forest. It specifies a minimum functional level at which all DCs in the forest operate.

Every FFL incorporates its own set of features, and these take effect on a DC only if that DC runs an OS version compatible with the FFL. Any DC that runs an outdated server OS version should be gracefully demoted before the level is raised, so that the FFL always stays compatible with the OS versions in use. This constraint on the OS version applies only to DCs, not to member servers or workstations.

The domain functional level (DFL) can be updated in the same way. Raising the DFL enhances the capabilities and security of the domain. While raising the DFL ensures that all domain-wide features are enabled on all DCs throughout that domain, raising the FFL ensures that new forest-wide features are enabled on all DCs in the forest.

Choosing the Forest Functional Level

When AD DS is deployed, one can choose the FFL. The DFL should always be chosen at the same level as the FFL or higher. Any new domain added to the forest takes the same level as the FFL by default. For example, if the FFL is Windows Server 2012, then the DFL can be Windows Server 2012 or Windows Server 2016. Setting the functional level to the latest Windows Server version makes all available AD DS features usable.

Raising the Forest Functional Level

The following steps illustrate how to raise the forest functional level:

  • Go to Start → Administrative Tools → Active Directory Domains and Trusts
  • In the left pane, right-click Active Directory Domains and Trusts and select Raise Forest Functional Level.
  • From the list of available forest functional levels, select the required functional level and click Raise.

The functional level of the forest has been raised.

Best Practices

The following are some best practices to adopt when raising the forest and/or domain functional levels:

  • Identify and isolate DCs that run earlier versions of Windows Server. Upgrade them, or demote and remove them if needed.
  • Ensure that replication between all DCs works properly before and after the change.
  • Verify the compatibility of enterprise applications and services with the target functional level.
  • Use Run as to perform the procedure under a separate administrative account, for enhanced security.
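
The following PowerShell pre-check is an added example, not part of the original article. It assumes the ActiveDirectory module (RSAT) is installed, and the $TargetMode value and the $MinOs mapping are assumptions to adjust for your environment; it lists the current forest and domain levels and flags any DC whose OS is too old for the target FFL, which covers the first best practice above before you use the Raise Forest Functional Level dialog.

```powershell
# Added example: verify DC operating systems against a target forest functional level.
Import-Module ActiveDirectory

# Target FFL to validate against (assumed value; change as needed).
$TargetMode = 'Windows2016Forest'

# Minimum OS version (major.minor) required for each FFL. Assumed mapping derived
# from the Windows Server versions in the feature table; Server 2019/2022 also
# report 10.0, so they satisfy the Windows2016Forest requirement.
$MinOs = @{
    'Windows2003Forest'   = [version]'5.2'
    'Windows2008Forest'   = [version]'6.0'
    'Windows2008R2Forest' = [version]'6.1'
    'Windows2012Forest'   = [version]'6.2'
    'Windows2012R2Forest' = [version]'6.3'
    'Windows2016Forest'   = [version]'10.0'
}

$forest = Get-ADForest
Write-Host "Current forest functional level: $($forest.ForestMode)"
foreach ($d in $forest.Domains) {
    Write-Host "Domain $d functional level: $((Get-ADDomain -Identity $d).DomainMode)"
}

# Examine every DC in every domain; OperatingSystemVersion looks like "10.0 (14393)".
$report = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d | ForEach-Object {
        $ver = [version](($_.OperatingSystemVersion -split ' ')[0])
        [pscustomobject]@{
            HostName = $_.HostName
            Domain   = $d
            OS       = $_.OperatingSystem
            Version  = $ver
            Blocks   = ($ver -lt $MinOs[$TargetMode])   # True = must be upgraded or demoted
        }
    }
}
$report | Sort-Object Domain, HostName | Format-Table -AutoSize

if ($report | Where-Object Blocks) {
    Write-Warning "Upgrade or demote the DCs marked Blocks=True before raising the FFL to $TargetMode."
} else {
    Write-Host "All DCs satisfy $TargetMode. Raise with: Set-ADForestMode -Identity $($forest.Name) -ForestMode $TargetMode"
}
```

Run it from a workstation with RSAT as an account that can read DC objects; it only reads the directory and prints the Set-ADForestMode command rather than executing it.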

Forest Functional Levels and their Features

Just like DFLs, each FFL carries over the existing features from the lower levels and activates a set of new features. The following lists the Windows Server versions and the associated FFL features:

Windows Server 2016
  • Privileged Access Management (PAM) using Microsoft Identity Manager (MIM)

Windows Server 2012 R2
  • All available features of Windows Server 2012 FFL

Windows Server 2012
  • All available features of Windows Server 2008 R2 FFL

Windows Server 2008 R2
  • Active Directory Recycle Bin
  • All available features of Windows Server 2003 FFL

Windows Server 2008
  • All available features of Windows Server 2003 FFL

Windows Server 2003
  • Forest trust
  • Domain rename
  • Linked-value replication
  • Ability to deploy a read-only DC (RODC)
  • Improved Knowledge Consistency Checker (KCC) algorithms and scalability
  • Creation of instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
  • Conversion of an inetOrgPerson object instance into a User object instance and the converse
  • Creation of instances of new group types for role-based authorization
  • Deactivation and redefinition of attributes and classes in the schema
  • Domain-based DFS namespaces
  • All default AD DS features

Windows 2000 native
  • All default AD DS features