Raising the domain functional level in Active Directory involves upgrading all domain controllers (DCs) to a newer version of Windows Server. This process enables new features and capabilities that are only supported by the newer version. However, it also comes with certain risks and considerations.
Key Considerations
- Compatibility: Before raising the domain functional level, ensure that all DCs are running the minimum required version of Windows Server. For example, if you are raising the level to Windows Server 2008 R2, all DCs must be running at least Windows Server 2008 R2. This ensures that all DCs can support the new features and changes.
- Irreversibility: Once the domain functional level is raised, it cannot be downgraded. This means that you cannot add DCs running older versions of Windows Server to the domain. Therefore, it is crucial to verify that all DCs are compatible and that there are no remnants of older DCs in the Active Directory metadata.
- Application Compatibility: While raising the domain functional level generally does not impact applications that rely on Active Directory, it is advisable to check with application vendors to ensure compatibility. Some applications may have dependencies on specific domain functional levels, and it is important to verify that they will continue to function correctly after the upgrade.
Potential Risks
- Replication Issues: Ensure that Active Directory replication is functioning correctly across all DCs before raising the domain functional level. Replication issues can prevent the new functional level from being properly propagated, leading to inconsistencies and potential failures.
- Kerberos Issues: Raising the domain functional level can trigger changes in Kerberos authentication, such as generating a new password for the KRBTGT account. This can cause temporary authentication issues until replication is complete and all DCs are updated.
- Legacy Systems: If there are any legacy systems or applications that rely on older domain functional levels, they may stop working after the upgrade. It is important to identify and address any such dependencies before proceeding.
Best Practices
- Backup: Take a System State backup of at least one DC in each domain before raising the domain functional level. This provides a recovery point in case something goes wrong.
- Testing: Test the upgrade process in a lab environment that mirrors your production environment. This helps identify any potential issues and allows you to develop a mitigation plan.
- Communication: Inform all stakeholders about the planned upgrade and its potential impact. Schedule the upgrade during a maintenance window to minimize disruption.
- Monitoring: After raising the domain functional level, monitor the environment closely for any issues. Check replication status, Kerberos authentication, and application functionality to ensure everything is working as expected.
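The compatibility, stale-metadata, replication and KRBTGT checks described above can be scripted as a read-only pre-flight report. This is an added example, not part of the original page; it assumes the ActiveDirectory RSAT module is installed and uses a Windows Server 2016 target (OS version 10.0) as a sample threshold that you should adjust to your own target level.

```powershell
# Added example: read-only pre-flight report; it changes nothing in the directory.
Import-Module ActiveDirectory

$minOsVersion = [version]'10.0'   # assumption: sample target, Windows Server 2016 or later
$domain = Get-ADDomain
"Current domain functional level: $($domain.DomainMode)"

# 1. Compatibility and stale metadata: every registered DC must meet the target
#    OS version and should still answer on the network.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # OperatingSystemVersion looks like "10.0 (17763)"; keep only "major.minor".
    $verText = ("$($dc.OperatingSystemVersion)" -split ' ')[0]
    $osOk = $false
    if ($verText) { $osOk = ([version]$verText) -ge $minOsVersion }
    [pscustomobject]@{
        Name      = $dc.HostName
        OS        = $dc.OperatingSystem
        OsOk      = $osOk
        # ICMP may be filtered; treat $false as "investigate", not as proof of a stale DC.
        Reachable = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
    }
}
$report | Format-Table -AutoSize

# 2. Replication: list partners with outstanding failures anywhere in the domain.
$failures = @(Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Where-Object { $_.FailureCount -gt 0 })
$failures | Format-Table Server, Partner, FailureCount, FirstFailureTime -AutoSize

# 3. Kerberos: record the KRBTGT password timestamp so a change after the raise
#    can be seen and correlated with any authentication errors.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
"KRBTGT PasswordLastSet before raise: $($krbtgt.PasswordLastSet)"

# Verdict: any incompatible or unreachable DC, or any replication failure, blocks the raise.
$blockers = @($report | Where-Object { -not $_.OsOk -or -not $_.Reachable })
if ($blockers.Count -or $failures.Count) {
    Write-Warning "Do not raise yet: $($blockers.Count) DC issue(s), $($failures.Count) replication failure(s)."
} else {
    "Pre-flight checks passed. Take the System State backup before proceeding."
}
```

Re-running sections 2 and 3 after the raise gives the replication and KRBTGT comparison for the monitoring step.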
By following these best practices and addressing the key considerations, you can minimize the risks associated with raising the domain functional level and take advantage of the new features and capabilities offered by the newer version of Windows Server.