Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
When you install Active Directory Domain Services (AD DS), a set of basic Active Directory features is enabled by default. In addition to the basic Active Directory features on individual ___domain controllers, there are ___domain-wide and forest-wide Active Directory features available when all ___domain controllers in a ___domain or forest are running a later version of Windows Server.
For the all ___domain-wide features to be enabled, all ___domain controllers in the ___domain must be running the latest version of Windows Server, and the ___domain functional level must be raised to that level. But you should not raise the ___domain functional level to a higher value if you plan to deploy any ___domain controllers running earlier versions of Windows Server. After you set the ___domain functional level to a certain value, you can roll back or lower the ___domain functional level only by using Windows PowerShell and only under specific conditions. For more information, see Understanding Active Directory Domain Services (AD DS) Functional Levels.
Membership in Domain Admins or Enterprise Admins , or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.
To raise the ___domain functional level
Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start , click Administrative Tools , and then click Active Directory Domains and Trusts .
In the console tree, right-click the ___domain for which you want to raise functional level, and then click Raise Domain Functional Level .
In Select an available ___domain functional level , select the value and then click Raise .
Important
Authentication errors may occur on a ___domain controller after the ___domain functional level is raised to Windows Server 2008 or higher if the ___domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password. In this case, a restart of the KDC service on the ___domain controller will trigger an in-memory refresh of the new krbtgt password and resolve related authentication errors.
Additional considerations
You can also raise the ___domain functional level by right-clicking a ___domain in the Active Directory Users and Computers snap-in, and then clicking Raise Domain Functional Level .
The current ___domain functional level is displayed under Current ___domain functional level in the Raise ___domain functional level dialog box.
To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.
You can also perform the task in this procedure by using the Active Directory module for Windows PowerShellâ„¢. To open the Active Directory module, click Start , click Administrative Tools , and then click Active Directory Module for Windows PowerShell . For more information, see Raise the Domain Functional Level (https://go.microsoft.com/fwlink/?LinkId=137825). For more information about Windows PowerShell, see Windows PowerShell (https://go.microsoft.com/fwlink/?LinkID=102372).