Windows Server 2012-based Domain Controllers and required Active Directory domain and forest functional levels


When your organization is looking to implement Windows Server 2012-based Domain Controllers, your Active Directory environment needs to meet certain requirements. Two of these requirements are the domain functional level and forest functional level.

In this blog post I’ll explain the domain and forest functional levels required for each of the implementation steps.

About Active Directory functional levels

With every new Windows Server Operating System since Windows 2000 Server, Microsoft has introduced corresponding Active Directory functional levels. Two distinct Active Directory functional levels exist: the domain functional level and the forest functional level. Functional levels unlock Active Directory and Domain Controller functionality, while also limiting the possibility of adding Domain Controllers and/or domains with lower Operating System versions.

Let’s illustrate this with two examples. The Windows Server 2008 R2 Domain Functional Level (DFL) unlocks Authentication Mechanism Assurance (among other things) but also prevents admins from having Domain Controllers running Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2 or Windows Server 2008 in the domain. The Windows Server 2008 R2 Forest Functional Level (FFL) adds the Active Directory Recycle Bin, while limiting the creation of domains in the forest running a lower Domain Functional Level.


Preparation

To prepare an Active Directory domain, the domain needs to run the Windows 2000 Server Native Domain Functional Level (DFL).


Implementation

Windows Server 2012-based writable Domain Controllers

To introduce Windows Server 2012-based Domain Controllers, the Active Directory forest needs to run the Windows Server 2003 Forest Functional Level (FFL) or higher. In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 (not Windows Server 2003 interim) or higher.

Windows Server 2012-based Read-only Domain Controllers

If your goal is to introduce Read-only Domain Controllers in an existing environment, make sure the Active Directory forest runs the Windows Server 2003 Forest Functional Level (FFL). In an environment where the forest functional level is Windows Server 2003, the Domain Functional Level of all domains in the forest needs to be Windows Server 2003 or higher.

Also, at least one writable domain controller running Windows Server 2008 or higher must be deployed in the same domain as the Read-only Domain Controller and must also be a DNS server that has registered a name server (NS) resource record for the relevant DNS zone.

The third requirement for implementing Read-only Domain Controllers is that you must have prepared the Active Directory forest for Read-only Domain Controllers using adprep.exe /rodcprep.
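As an added example that is not part of the original post, the following PowerShell checks the functional-level prerequisites above for writable Domain Controllers and, with the -ForRodc switch, the additional Read-only Domain Controller prerequisites (writable Windows Server 2008 or higher DC in the domain that is listed as a name server for the zone). The function name Test-Server2012DcReadiness and the -ForRodc switch are assumptions of this example; it assumes the ActiveDirectory and DnsClient modules are available (RSAT or a Domain Controller).

```powershell
# Added example, not part of the original post: checks the functional-level
# prerequisites for Windows Server 2012-based DCs and, with -ForRodc, the RODC extras.
# Assumes the ActiveDirectory and DnsClient modules (RSAT or a Domain Controller).
Import-Module ActiveDirectory

function Test-Server2012DcReadiness {
    param([switch]$ForRodc)
    $ok = $true

    # Forest must be at Windows Server 2003 FFL or higher ("interim" enumerates lower).
    $forest = Get-ADForest
    $minFfl = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
    if ([int]$forest.ForestMode -lt [int]$minFfl) {
        Write-Warning "Forest functional level is $($forest.ForestMode); Windows2003Forest or higher required"
        $ok = $false
    }

    # Every domain in the forest must be at Windows Server 2003 DFL or higher
    # (Windows2003InterimDomain does not qualify).
    $minDfl = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        if ([int]$domain.DomainMode -lt [int]$minDfl) {
            Write-Warning "Domain $name is at $($domain.DomainMode); Windows2003Domain or higher required"
            $ok = $false
        }
    }

    if ($ForRodc) {
        # At least one writable DC running Windows Server 2008 or later must exist
        # in this domain and be registered as a name server (NS) for the zone.
        $domain = Get-ADDomain
        $ns = Resolve-DnsName -Name $domain.DNSRoot -Type NS |
              Where-Object { $_.Type -eq 'NS' } |
              ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }
        $candidates = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
            Where-Object { -not $_.IsReadOnly -and
                           $_.OperatingSystem -notmatch '2000|2003' -and
                           ($_.HostName.ToLower() -in $ns) }
        if (-not $candidates) {
            Write-Warning "No writable Windows Server 2008+ DC in $($domain.DNSRoot) is an NS for the zone"
            $ok = $false
        }
        # adprep.exe /rodcprep must also have been run; that step is not verified here.
    }
    return $ok
}

Test-Server2012DcReadiness -ForRodc
```

The function returns $true only when every check passes and writes a warning for each unmet prerequisite, so it can be run before promoting the first Windows Server 2012 Domain Controller.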

Related Knowledgebase Articles

3226992 How to raise Active Directory domain and forest functional levels

Further reading

Understanding Active Directory Domain Services (AD DS) Functional Levels
Prerequisites for Deploying an RODC
What Are Active Directory Functional Levels?
Differences in domain and forest functional levels 2000 to 2008
Determining the Functional Level in Windows Server 2003
Active Directory Domain and Forest Functional Levels
