However, there are also certain things to take care of before raising the functional level, so that all systems remain functional. Firstly, you will have to ensure that all the DCs in the forest are running the same Windows Server version as the forest functional level you intend to have, or higher.
If not, identify those DCs, and either upgrade their Windows Server versions or demote them as necessary. You will also have to ensure that the domain functional level is the same or higher than the forest functional level you intend to have. These steps will ensure a smooth upgrade to the higher functional level of choice, and you will not have any nasty surprises after the upgrade process. Forest functional level also dictates the minimum functional level at which all DCs in the forest should operate.
This restriction, however, is only applicable to DCs. Member servers and workstations in the forest will remain unaffected. So, the best practice is to raise the domain functional level first and then raise the forest functional level.
That said, raising the forest functional level will automatically raise the domain functional level too. Read how you can raise the domain functional level. A good practice before raising the forest functional level is to understand the functionalities that each functional level brings to the table so that you can make an informed decision.
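The prerequisites described above (every DC on a new enough OS, every domain at or above the intended forest level) can be checked before touching anything. The script below is an added example, not part of the original article: it is read-only, assumes the RSAT ActiveDirectory PowerShell module is installed, and its default target level is only an illustrative choice.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only pre-flight check before raising the forest functional level.
param(
    # Intended forest functional level; the default is an illustrative assumption.
    [ValidateSet('Windows2008Forest','Windows2008R2Forest','Windows2012Forest',
                 'Windows2012R2Forest','Windows2016Forest')]
    [string]$TargetForestMode = 'Windows2016Forest'
)

# Numeric rank of each level (matches the module's mode enums) and the
# minimum DC operating system version (major.minor) that supports it.
$levels = @{
    Windows2008Forest   = @{ Rank = 3; MinOs = [version]'6.0'  }
    Windows2008R2Forest = @{ Rank = 4; MinOs = [version]'6.1'  }
    Windows2012Forest   = @{ Rank = 5; MinOs = [version]'6.2'  }
    Windows2012R2Forest = @{ Rank = 6; MinOs = [version]'6.3'  }
    Windows2016Forest   = @{ Rank = 7; MinOs = [version]'10.0' }
}
$target = $levels[$TargetForestMode]
$forest = Get-ADForest

$blockers = foreach ($dnsName in $forest.Domains) {
    $domain = Get-ADDomain -Server $dnsName
    # The domain functional level must be at or above the intended forest level.
    if ([int]$domain.DomainMode -lt $target.Rank) {
        [pscustomobject]@{ Domain = $dnsName; Object = $dnsName
                           Issue  = "Domain level is $($domain.DomainMode)" }
    }
    # Every DC, read-only ones included, must run an OS that supports the target.
    foreach ($dc in (Get-ADDomainController -Filter * -Server $dnsName)) {
        # OperatingSystemVersion looks like "6.3 (9600)"; an unparsable value is flagged too.
        if ($dc.OperatingSystemVersion -notmatch '^(\d+\.\d+)' -or
            [version]$Matches[1] -lt $target.MinOs) {
            [pscustomobject]@{ Domain = $dnsName; Object = $dc.HostName
                               Issue  = "Runs $($dc.OperatingSystem) $($dc.OperatingSystemVersion)" }
        }
    }
}

"Forest $($forest.Name) is at $($forest.ForestMode); target is $TargetForestMode"
if ($blockers) {
    $blockers | Format-Table -AutoSize
    Write-Warning 'Upgrade or demote the listed DCs and raise the listed domains first.'
} else {
    'No blockers found: all domains and DCs meet the target level.'
}
```

Member servers and workstations are deliberately not checked, since the restriction applies only to DCs.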
Each functional level carries over the functionalities of the previous one and adds additional functionalities on top. Some levels do not introduce any major functionalities, while others bring massive improvements. The availability of each function is what determines the functional level of an Active Directory forest. To help you understand better, here is a breakdown of all functionalities that were introduced with each Windows Server version.
Right click on the domain name, and select Raise Domain Functional Level.
In the window that opens, select the functional level Windows Server , and click the Raise button. Before you can raise the forest functional level, all domains in the forest must be upgraded to the same or a higher domain functional level. To raise the functional level of a forest, you must be a member of the Enterprise Admins group.
The Active Directory Domains and Trusts snap-in is also used to raise the functional level of the forest. Right click on the root of the snap-in, and select Raise Forest Functional Level. As a result, any domain controller that runs Windows Server R2 and older should be removed from the domain. For migration steps, you can either follow the procedures on TechNet or you can refer to the streamlined set of steps on the Storage Team File Cabinet blog.
This configuration is also known as "Smart card required for interactive logon". A new domain that is created on a domain controller that runs at least Windows Server R2 must be set to the Windows Server domain functional level or higher. Domain-based DFS namespaces running in Windows Server Mode, which includes support for access-based enumeration and increased scalability.
Domain-based namespaces in Windows Server mode also require the forest to use the Windows Server forest functional level. For more information, see Choose a Namespace Type. In order for TGTs to be issued using AES, the domain functional level must be Windows Server or higher and the domain password needs to be changed.
For more information, see Kerberos Enhancements. Authentication errors may occur on a domain controller after the domain functional level is raised to Windows Server or higher if the domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password.
In this case, a restart of the KDC service on the domain controller will trigger an in-memory refresh of the new krbtgt password and resolve related authentication errors.