Downgrading Active Directory Domain and Forest Functional Levels (Part 1)

Background

With Windows Server 2008/2008 R2 approaching end of support, more organisations are upgrading their Operating Systems to the latest supported versions.

Upgrading Active Directory Domain Services (AD DS) requires a schema update and, ultimately, raising the domain and forest functional levels. Customers are concerned that applications may stop functioning after the functional levels are raised, and traditionally there was no turning back once they had been raised.

Since the introduction of Windows Server 2008 R2 it is possible to downgrade your functional levels. We are receiving more questions regarding Active Directory functional level downgrade capabilities, as organisations plan their migration to Windows Server 2016/2019. There seems to be a misunderstanding of the downgrade capabilities, especially where the Active Directory Recycle Bin is enabled.

You may find this post by Jose Rodrigues useful. It provides information on the importance of the Microsoft Product Lifecycle Dashboard, which can help identify if products are no longer supported or reaching end of life, and keep your environment supported.


Disclaimer

We always recommend in-depth testing in a LAB environment before completing major upgrades in your production environment if possible. At a minimum, ensure that you have a well-documented and fully tested forest recovery plan. Active Directory functional level rollback is not a substitution for these core recommendations.


The basics

The Domain Functional Level (DFL) of every domain in a forest has to be raised before you can raise the Forest Functional Level (FFL). To downgrade (lower) the DFL of a domain, you first need to downgrade the FFL to the level you want to configure for the DFL. The FFL can never be higher than the DFL of any domain in the forest.

Functional levels determine the available AD DS domain or forest capabilities. They also determine which Windows Operating Systems can be installed on Domain Controllers in the domain or forest. You cannot introduce a Domain Controller running an Operating System which is lower than the DFL or FFL. This needs to be considered when upgrading functional levels but would not have any impact when downgrading functional levels.

Distributed File System Replication (DFSR) support for the System Volume (SYSVOL) was introduced in Windows Server 2008. Whether you are using DFSR or File Replication Service (FRS), it will not impact the ability to complete a functional level rollback.

Tip: SYSVOL replication should be migrated to DFSR before deploying Windows Server 2016 (Version 1709) or Windows Server 2019 Domain Controllers. FRS deprecation may block the Domain Controller deployment. Beystor Makoala posted a great article about FRS to DFSR Migration and some issues you may experience.

Let’s explore another feature that was introduced with Windows Server 2008 R2.


Active Directory Recycle Bin

The Active Directory Recycle Bin was first introduced with Windows Server 2008 R2. Considering the functional level rollback capability was also introduced with Windows Server 2008 R2, there were clear instructions on rollback capabilities.

You cannot roll back to Windows Server 2008 functional level after the Recycle Bin is enabled. The reason is simple: Windows Server 2008 doesn’t support the Recycle Bin, and the Recycle Bin cannot be disabled.

I’ve seen inconsistent information regarding rollback capabilities when working on newer Operating Systems such as Windows Server 2016 or Windows Server 2012 R2. Some articles indicate rollback cannot be performed at all after the Recycle Bin is enabled and others indicate the lowest functional level that can be utilized is Windows Server 2012.

The Recycle Bin was the only blocker when attempting to lower functional levels initially. The Recycle Bin has been supported since Windows Server 2008 R2 and thus it has no impact when working with any functional levels higher than Windows Server 2008 R2 (which all support the Recycle Bin feature). The Recycle Bin will only be a blocker when attempting rollback to Windows Server 2008.
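The ordering rule from "The basics" and the Recycle Bin floor described above can be combined into a read-only pre-check. This is an added example, not code from the original post: the function name, the short level names and the `corp.example` domain are assumptions, and the inputs are passed in rather than read from AD (on a domain-joined host they would come from `Get-ADForest`, `Get-ADDomain` and `Get-ADOptionalFeature`).

```powershell
# Added example: read-only pre-check of a functional level rollback plan.
# Short level names ('2008R2') are this example's convention. AD reports modes
# such as Windows2008R2Forest; strip them with:
#   $mode -replace '^Windows|(Forest|Domain)$'
$Rank = @{ '2008' = 1; '2008R2' = 2; '2012' = 3; '2012R2' = 4; '2016' = 5 }

function Test-RollbackPlan {
    param(
        [Parameter(Mandatory)][ValidateSet('2008','2008R2','2012','2012R2','2016')]
        [string]$ForestLevel,
        [Parameter(Mandatory)][hashtable]$DomainLevels,   # domain name -> current DFL
        [Parameter(Mandatory)][bool]$RecycleBinEnabled,
        [Parameter(Mandatory)][string]$TargetDomain,
        [Parameter(Mandatory)][ValidateSet('2008','2008R2','2012','2012R2','2016')]
        [string]$TargetLevel
    )
    $current = $DomainLevels[$TargetDomain]
    if (-not $current) { throw "No current DFL supplied for $TargetDomain" }
    $issues = @(); $steps = @()

    # Floor from the post: 2008 R2 once the Recycle Bin is enabled, else 2008.
    $floor = if ($RecycleBinEnabled) { '2008R2' } else { '2008' }
    if ($Rank[$TargetLevel] -lt $Rank[$floor]) {
        $issues += "Target $TargetLevel is below the floor $floor (Recycle Bin enabled: $RecycleBinEnabled)."
    }
    if ($Rank[$TargetLevel] -gt $Rank[$current]) {
        $issues += "Target $TargetLevel is above the current DFL $current; this is a raise, not a rollback."
    }
    # The FFL can never be higher than any DFL, so the forest is lowered first.
    if ($Rank[$ForestLevel] -gt $Rank[$TargetLevel]) {
        $steps += "1. Lower FFL: $ForestLevel -> $TargetLevel"
    }
    if ($Rank[$current] -gt $Rank[$TargetLevel]) {
        $steps += "2. Lower DFL of ${TargetDomain}: $current -> $TargetLevel"
    }
    [pscustomobject]@{
        Allowed = ($issues.Count -eq 0)
        Issues  = $issues
        Steps   = if ($issues.Count -eq 0) { $steps } else { @() }
    }
}

# Constructed sample: a 2016 forest with the Recycle Bin enabled, checked
# against a rollback to 2008 and then to 2008 R2.
$levels = @{ 'corp.example' = '2016' }
Test-RollbackPlan -ForestLevel '2016' -DomainLevels $levels -RecycleBinEnabled $true `
    -TargetDomain 'corp.example' -TargetLevel '2008'
Test-RollbackPlan -ForestLevel '2016' -DomainLevels $levels -RecycleBinEnabled $true `
    -TargetDomain 'corp.example' -TargetLevel '2008R2'
```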


Summary

We’ve discussed several Active Directory features and their impact when lowering Active Directory functional levels. We’ve determined that, in theory, the lowest functional level that can be utilized with the Active Directory Recycle Bin enabled is Windows Server 2008 R2, and the lowest functional level that can be utilized with the Active Directory Recycle Bin disabled is Windows Server 2008.

In part 2 of this series, I will demonstrate how to lower the domain and forest functional levels, and test the theory to determine the lowest functional levels that can be utilized while running a Windows Server 2019 Active Directory Domain.

