Active Directory functional levels define the set of features and capabilities that are available in an Active Directory forest or domain. Each level corresponds to a Windows Server release: the higher the level, the newer the features that become available, and the newer the operating system that every domain controller must run.
There are two types of function levels in Active Directory: Forest Functional Level and Domain Functional Level.
Forest Functional Level: The Forest Functional Level determines the set of features that are available across the entire forest. It can only be raised once every domain in the forest is at the equivalent Domain Functional Level or higher, and it sets the minimum Domain Functional Level for any domain that is added to the forest afterwards. Some of the features and capabilities that are enabled by raising the Forest Functional Level include:
- Forest trusts and linked-value replication (Windows Server 2003 level)
- The Active Directory Recycle Bin, an optional feature that can be enabled once the forest is at the Windows Server 2008 R2 level or higher
- Privileged Access Management, the optional feature behind time-bound group membership (Windows Server 2016 level)
Domain Functional Level: The Domain Functional Level determines the set of features and capabilities that are available in a particular domain. It is set independently for each domain in the forest, subject to the minimum imposed by the Forest Functional Level. Some of the features and capabilities that are enabled by raising the Domain Functional Level include:
- DFS Replication of SYSVOL, AES 128/256 encryption for Kerberos, fine-grained password policies and last-interactive-logon information (Windows Server 2008 level)
- Authentication mechanism assurance and automatic SPN management for managed service accounts (Windows Server 2008 R2 level)
- KDC support for claims, compound authentication and Kerberos armoring (FAST), which Dynamic Access Control builds on (Windows Server 2012 level)
- The domain-side protections of the Protected Users group, such as refusing NTLM and DES/RC4 Kerberos for its members (Windows Server 2012 R2 level)
Note that several of these (managed service accounts, Dynamic Access Control, the Protected Users group object itself) also depend on the updated schema and on domain controllers of the matching version; the functional level is the switch that turns on the domain-wide behaviour, not the only requirement.
To raise the Forest or Domain Functional Level, the following prerequisites must be met:
- All domain controllers in the domain (for a domain level) or in every domain of the forest (for a forest level) must run at least the Windows Server version that corresponds to the target level; older domain controllers must be demoted first, because they cannot operate at a level they do not understand
- The forest schema must already have been prepared for that Windows Server version (see Adprep below); in practice this is the case as soon as a domain controller of that version has been promoted
- For a forest level, every domain in the forest must already be at the equivalent domain level or higher
- Replication should be healthy (check with repadmin /replsummary) so that the new level reaches every domain controller; the level is stored as msDS-Behavior-Version on the domain object and, for the forest, on the Partitions container, and it only takes effect where that attribute has replicated
It's important to note that raising a functional level is effectively a one-way change. Starting with Windows Server 2008 R2 a level can be lowered again in limited cases (for example, a Windows Server 2008 R2 forest can be returned to Windows Server 2008 as long as the Recycle Bin has not been enabled), but once a feature that depends on the higher level has been turned on there is no supported way back, so plan, test and back up as if the change were irreversible.
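The pre-flight checks above, and the raise itself, as an added PowerShell example (this is not code from the original article). It assumes the RSAT ActiveDirectory module, a session that is a member of Enterprise Admins, and illustrative target levels of Windows Server 2016; the version table maps each level to the minimum OperatingSystemVersion a domain controller must report.

```powershell
# Added example: verify the prerequisites for raising the functional level, then raise it.
# Assumptions: RSAT ActiveDirectory module, Enterprise Admins rights, 2016 as the target level.
Import-Module ActiveDirectory

$TargetDomainMode = 'Windows2016Domain'
$TargetForestMode = 'Windows2016Forest'

# Minimum domain controller OS (major.minor of OperatingSystemVersion) for each level.
$MinOsVersion = @{
    'Windows2008Domain'   = [version]'6.0';  'Windows2008Forest'   = [version]'6.0'
    'Windows2008R2Domain' = [version]'6.1';  'Windows2008R2Forest' = [version]'6.1'
    'Windows2012Domain'   = [version]'6.2';  'Windows2012Forest'   = [version]'6.2'
    'Windows2012R2Domain' = [version]'6.3';  'Windows2012R2Forest' = [version]'6.3'
    'Windows2016Domain'   = [version]'10.0'; 'Windows2016Forest'   = [version]'10.0'
}

function Get-DcOsVersion {
    param([Microsoft.ActiveDirectory.Management.ADDomainController]$Dc)
    # OperatingSystemVersion looks like "10.0 (14393)"; keep only major.minor.
    if ($Dc.OperatingSystemVersion -match '^(\d+\.\d+)') { return [version]$Matches[1] }
    return [version]'0.0'
}

function Test-DomainControllersForLevel {
    param([string]$Domain, [string]$Level)
    $ok = $true
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $ver = Get-DcOsVersion $dc
        if ($ver -lt $MinOsVersion[$Level]) {
            Write-Warning "$($dc.HostName) runs $($dc.OperatingSystem) ($ver): too old for $Level"
            $ok = $false
        }
    }
    return $ok
}

$forest = Get-ADForest
$ready  = $true

# Every domain controller in every domain must meet the target level.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host "$domainName is currently at $($domain.DomainMode)"
    if (-not (Test-DomainControllersForLevel -Domain $domainName -Level $TargetDomainMode)) { $ready = $false }
}

# Replication must be healthy so the raised level converges on every DC.
$failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
    $ready = $false
}

if (-not $ready) { throw 'Prerequisites not met; fix the warnings above before raising the level.' }

# Raise each domain first (the forest level cannot exceed the lowest domain level), then the forest.
# Both cmdlets prompt for confirmation; add -WhatIf to see the change without applying it.
foreach ($domainName in $forest.Domains) {
    $pdc = (Get-ADDomain -Identity $domainName).PDCEmulator
    Set-ADDomainMode -Identity $domainName -DomainMode $TargetDomainMode -Server $pdc
}
Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode -Server $forest.SchemaMaster
```

The raise is targeted at the PDC emulator and the schema master on purpose: those are the role holders that own the write, and pointing the cmdlets at them avoids waiting on replication to see whether the change was accepted.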
Adprep is a command-line tool that prepares an existing Active Directory forest and domain before the first domain controller running a newer version of Windows Server is introduced. It ships in the \support\adprep folder of the Windows Server installation media, and since Windows Server 2012 the same operations are run automatically by the promotion wizard and by Install-ADDSDomainController when the promoting account holds the required group memberships. There are three main types of Adprep operations: Forestprep, Domainprep, and RODCprep.
- Forestprep: The Forestprep operation prepares the forest for the introduction of a domain controller that runs a newer version of Windows Server than the current domain controllers. It updates the schema (adding the new classes and attributes that version requires) and the configuration partition. It runs once per forest, against the schema master, and must complete and replicate before Domainprep is run.
- Domainprep: The Domainprep operation prepares an individual domain for the same newer domain controller. It runs once in each domain, after Forestprep has replicated there, and updates the security descriptors on objects in the domain and creates the new containers and objects that the newer domain controller expects. The optional /gpprep switch additionally adjusts permissions on Group Policy objects so that they can be planned across domains; because it rewrites ACLs on every GPO it triggers a full SYSVOL resynchronisation, so schedule it for a quiet period.
- RODCprep: The RODCprep operation prepares the forest for the installation of a Read-Only Domain Controller (RODC). It runs once per forest and updates the permissions on the domain and application directory partitions (for example the DNS partitions) so that their contents can replicate to RODCs. It does not change the schema; that is Forestprep's job.
Here are some more details about each type of Adprep operation:
- Forestprep: To run the Forestprep operation you must be a member of the Schema Admins, Enterprise Admins and Domain Admins groups of the forest root domain, and the operation must be run on, or targeted at, the schema master. The syntax is as follows:
adprep /forestprep
- Domainprep: To run the Domainprep operation you must be a member of the Domain Admins group of the domain being prepared. Historically it had to be run on the infrastructure master; on Windows Server 2008 and later any writable domain controller in the domain will do. The syntax is as follows:
adprep /domainprep
adprep /domainprep /gpprep
- RODCprep: To run the RODCprep operation you must be a member of the Enterprise Admins group. The operation contacts the infrastructure master of every domain and of every application partition, so those role holders must be online or it fails part-way through. The syntax is as follows:
adprep /rodcprep
On Windows Server 2012 and later media, adprep.exe is a 64-bit tool that can be run from any domain-joined computer and connects to the appropriate operations master over the network; older versions had to be run locally on the role holder.
It's important to note that Adprep operations should only be performed by experienced administrators who understand the implications of changing the Active Directory schema and of rewriting security descriptors on domain objects. Schema changes replicate to every domain controller in the forest and cannot be undone (schema objects can be deactivated but never deleted), so take a system state backup of at least the schema master and one domain controller per domain before running Adprep. Because Forestprep requires Schema Admins membership, a sound practice is to keep that group empty and add an account to it only for the duration of the change; a persistent Schema Admins member is a high-value target for anyone seeking forest-wide control.
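A way to confirm that Forestprep, Domainprep and RODCprep have actually run and replicated before a new domain controller is promoted, as an added PowerShell example (not code from the original article). It reads the markers adprep leaves in the directory: the objectVersion of the schema container, and the revision attribute on the update-tracking objects under CN=ForestUpdates and CN=DomainUpdates. The schema version table reflects Microsoft's published values; the revision numbers vary by target release, so the script prints them for comparison with the documented value rather than hard-coding them. It assumes the RSAT ActiveDirectory module and a session with read access to the configuration partition.

```powershell
# Added example: verify adprep status from the objects it updates.
# Assumptions: RSAT ActiveDirectory module; run against the domain whose Domainprep you want to check.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext
$domainNc = $rootDse.defaultNamingContext

# objectVersion on the schema container after a successful /forestprep for each Windows Server release.
$SchemaVersions = @{
    13 = 'Windows 2000';           30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008';    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016';    88 = 'Windows Server 2019/2022'
    91 = 'Windows Server 2025'
}

$schema = Get-ADObject -Identity $schemaNc -Properties objectVersion
$label  = $SchemaVersions[[int]$schema.objectVersion]
if (-not $label) { $label = 'unknown; newer than this table' }
"Schema objectVersion: $($schema.objectVersion) ($label)"

# Forestprep and RODCprep stamp a 'revision' on objects in the configuration partition;
# Domainprep stamps one per domain under CN=System. A missing object means that step never ran here.
$markers = [ordered]@{
    'forestprep' = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc"
    'rodcprep'   = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNc"
    'domainprep' = "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNc"
}

foreach ($name in $markers.Keys) {
    try {
        $obj = Get-ADObject -Identity $markers[$name] -Properties revision -ErrorAction Stop
        # Compare this revision with the value Microsoft documents for the target OS version.
        "$name marker present, revision $($obj.revision)"
    } catch {
        Write-Warning "$name has not completed in this forest/domain (missing $($markers[$name]))"
    }
}
```

Run it once against the forest root and once against each child domain (for example with Get-ADRootDSE -Server and the domain's own default naming context), since the Domainprep marker lives in each domain's partition while the two forest markers are shared.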
