Thursday, January 27, 2011

Roll Back / Lower Active Directory Functional Levels in Windows Server 2008 R2


     In Windows Server 2008 R2, you can now roll back (lower) the Domain Functional Level (DFL) and Forest Functional Level (FFL). There are a couple of conditions and limitations to this new functionality, which I discuss below.

Background Information
     Functional levels control the Active Directory Domain Services (AD DS) features that are enabled in a domain or forest and restrict the operating systems that can run on domain controllers. For more details on functional levels, see Understanding AD DS Functional Levels (http://technet.microsoft.com/en-us/library/cc754918.aspx).
     In previous versions of Windows Server, changes to functional levels could not be rolled back. In other words, when you raise the DFL from Windows Server 2003 to Windows Server 2008, you cannot lower the DFL back to Windows Server 2003.
     In Windows Server 2008 R2, you can roll back functional levels, provided you meet the conditions described below.

Domain Functional Level
     In my test environment, I took a DC that has Windows Server 2008 R2 RC installed, and raised the DFL to Windows Server 2008 R2.
     You will notice in the image below that the warning for changing the DFL has changed in WS08R2 to state that the change might not be reversible:



To roll back / lower the DFL, you need to meet certain conditions:
  1. The current DFL must be set to Windows Server 2008 R2.
  2. The forest functional level (FFL) must support domains of the DFL you are rolling back to. For example, if the DFL and FFL are set to Windows Server 2008 R2, you cannot roll back / lower the DFL to Windows Server 2008 because the Windows Server 2008 R2 FFL can only have domains with a DFL of Windows Server 2008 R2.
     In addition, there is a limitation to rolling back / lowering the DFL. Specifically, you can only roll back to Windows Server 2008, no earlier. In other words, you cannot roll back from a DFL of Windows Server 2008 R2 to a DFL of Windows Server 2003, even if you had previously raised the DFL from Windows Server 2003 to Windows Server 2008 R2.


Roll Back / Lower the Domain Functional Level
     In build 7100 (RC) of Windows Server 2008 R2, there is no way to roll back / lower the DFL by using the GUI. Instead, you must use the Set-ADDomainMode cmdlet, which is included with the Active Directory Module for Windows PowerShell in Windows Server 2008 R2. The process is as follows:

  1. Open the Active Directory Module for Windows PowerShell (Start, Administrative Tools, Active Directory Module for Windows PowerShell)
  2. At the PowerShell prompt, type the following command and then hit Enter:
    Set-ADDomainMode -Identity WS08R2RCDomain.local -DomainMode Windows2008Domain
    NOTE: Replace WS08R2RCDomain.local with the FQDN of the domain you want to roll back / lower the DFL on.
  3. On the confirmation, shown in the image below, type Y, and then hit Enter to proceed.



     At this point, you will not see any confirmation that the change was successful in PowerShell (let’s hope this is added to the RTM). You will simply be back at the PowerShell prompt if it was successful.
     However, you can look for an event logged in the Directory Service log, with an event ID of 2039, that will tell you the DFL has been changed to 3, as shown below.



NOTE: A DFL shown as “3” represents Windows Server 2008. A DFL shown as “4” represents Windows Server 2008 R2.

     You can also use the Get-ADDomain cmdlet, which is included with the Active Directory Module for Windows PowerShell in Windows Server 2008 R2. The image below shows the output of this cmdlet.
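
     The DFL conditions, the rollback and both verification methods described above can be combined into one script. This is an added example, not code from the original post; it assumes it is run on a domain controller with the Active Directory module available, and it reuses the post's test domain name.

```powershell
# Added example: pre-check, roll back and verify the DFL.
# Assumption: run on a domain controller, as in the post's test environment.
Import-Module ActiveDirectory

$domainName = 'WS08R2RCDomain.local'   # the post's test domain; replace with your FQDN

$domain = Get-ADDomain -Identity $domainName
$forest = Get-ADForest -Identity $domain.Forest

# Condition 1: the current DFL must be Windows Server 2008 R2.
if ("$($domain.DomainMode)" -ne 'Windows2008R2Domain') {
    throw "DFL is $($domain.DomainMode); only Windows2008R2Domain can be rolled back."
}

# Condition 2: the FFL must allow a Windows Server 2008 domain.
# A Windows Server 2008 R2 forest only accepts Windows Server 2008 R2 domains.
if ("$($forest.ForestMode)" -eq 'Windows2008R2Forest') {
    throw "FFL is Windows2008R2Forest; the FFL must be lowered before the DFL."
}

# Remember when the change was requested so that only newer events are matched.
$started = Get-Date

# Prompts for confirmation; Windows2008Domain is the only supported target.
Set-ADDomainMode -Identity $domainName -DomainMode Windows2008Domain

# The cmdlet prints nothing on success, so read the level back explicitly.
$after = Get-ADDomain -Identity $domainName
"DomainMode is now: $($after.DomainMode)"

# Event ID 2039 in the Directory Service log records the DFL change.
$filter   = @{ LogName = 'Directory Service'; Id = 2039; StartTime = $started }
$logEntry = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if ($logEntry) {
    "Event 2039 logged at $($logEntry.TimeCreated):"
    $logEntry.Message
} else {
    Write-Warning 'No event 2039 found since the change was requested.'
}
```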



Forest Functional Level
     When raising the FFL through Active Directory Domains and Trusts console, you will see a warning that the change might not be reversible.
To roll back / lower the FFL, you need to meet certain conditions:
  1. The current FFL must be set to Windows Server 2008 R2.
  2. Advanced Features (such as Recycle Bin) cannot be enabled. If you previously enabled the Recycle Bin feature, you are SOL because this feature cannot be disabled once it has been enabled. The fact that you cannot roll back / lower the FFL if Advanced Features are enabled is something you seriously need to consider and plan ahead for. If you have enabled other Advanced Features, but not the Recycle Bin, you can use the Disable-ADOptionalFeature cmdlet, which is included with the Active Directory Module for Windows PowerShell in Windows Server 2008 R2.
     The same limitation applies to rolling back / lowering the FFL as applies to the DFL. You can only roll back to Windows Server 2008, no earlier. In other words, you cannot roll back from an FFL of Windows Server 2008 R2 to an FFL of Windows Server 2003, even if you had previously raised the FFL from Windows Server 2003 to Windows Server 2008 R2.

Roll Back / Lower the Forest Functional Level
     In build 7100 (RC) of Windows Server 2008 R2, there is no way to roll back / lower the FFL by using the GUI. Instead, you must use the Set-ADForestMode cmdlet, which is included with the Active Directory Module for Windows PowerShell in Windows Server 2008 R2. The process is as follows:
  1. Open the Active Directory Module for Windows PowerShell.
  2. At the PowerShell prompt, type the following command and then hit Enter:
    Set-ADForestMode -Identity WS08R2RCDomain.local -ForestMode Windows2008Forest
    NOTE: Replace WS08R2RCDomain.local with the FQDN of the domain you want to roll back / lower the FFL on.
  3. On the confirmation, shown in the image below, type Y, and then hit Enter to proceed.



     Once again, you will not see any confirmation that the change was successful in PowerShell (let’s hope this is added to the RTM). You will simply be back at the PowerShell prompt if it was successful.
     However, you can look for an event logged in the Directory Service log, with an event ID of 2040, that will tell you the FFL has been changed to 3, as shown below.



     You can also use the Get-ADForest cmdlet, which is included with the Active Directory Module for Windows PowerShell in Windows Server 2008 R2. The image below shows the output of this cmdlet.
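
     The FFL conditions hinge on which optional features are enabled, so it is worth checking them before attempting the rollback. This is an added example, not code from the original post; it assumes it is run on a domain controller, reuses the post's test domain name, and uses the built-in feature name 'Recycle Bin Feature' to identify the Recycle Bin.

```powershell
# Added example: check the FFL rollback conditions, then roll back and verify.
# Assumption: run on a domain controller, as in the post's test environment.
Import-Module ActiveDirectory

$forestName = 'WS08R2RCDomain.local'   # the post's test domain; replace with your FQDN
$forest     = Get-ADForest -Identity $forestName

# Condition 1: the current FFL must be Windows Server 2008 R2.
if ("$($forest.ForestMode)" -ne 'Windows2008R2Forest') {
    throw "FFL is $($forest.ForestMode); only Windows2008R2Forest can be rolled back."
}

# Condition 2: no optional features may be enabled anywhere in the forest.
# A feature is enabled when its EnabledScopes list is not empty.
$enabled = @(Get-ADOptionalFeature -Filter * |
             Where-Object { $_.EnabledScopes.Count -gt 0 })

foreach ($feature in $enabled) {
    Write-Warning "Optional feature enabled: $($feature.Name)"
}

# The Recycle Bin cannot be disabled again, so it blocks the rollback for good.
if ($enabled | Where-Object { $_.Name -eq 'Recycle Bin Feature' }) {
    throw 'The Recycle Bin is enabled and cannot be disabled; the FFL cannot be lowered.'
}

# Anything else has to be disabled first with Disable-ADOptionalFeature.
if ($enabled.Count -gt 0) {
    throw 'Disable the features listed above with Disable-ADOptionalFeature, then retry.'
}

$started = Get-Date

# Prompts for confirmation; Windows2008Forest is the only supported target.
Set-ADForestMode -Identity $forestName -ForestMode Windows2008Forest

# No success message is printed, so read the level back and look for event 2040.
"ForestMode is now: $((Get-ADForest -Identity $forestName).ForestMode)"

$filter   = @{ LogName = 'Directory Service'; Id = 2040; StartTime = $started }
$logEntry = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if ($logEntry) { $logEntry.Message }
else { Write-Warning 'No event 2040 found since the change was requested.' }
```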



Conclusion
     The ability to roll back / lower functional levels is a valuable new feature in Windows Server 2008 R2. I don’t think this is something that will be used on a frequent basis. However, having this as an option is definitely an added benefit.
It would be great if Microsoft fixes some of the issues with the steps to roll back / lower functional levels. Specifically:
  • Add a way to roll back / lower functional levels through the GUI.
  • Fix the Set-ADDomainMode cmdlet so that it reports the success of changing the DFL.
  • Fix the Set-ADForestMode cmdlet so that it reports the success of changing the FFL.

     Lastly, the fact that the FFL cannot be rolled back / lowered if the Recycle Bin is enabled, coupled with the fact that the Recycle Bin cannot be disabled after it has been enabled, are potential pain points.
     All in all, I’m glad to see this new functionality in Windows Server 2008 R2.

http://policelli.com/blog/?p=383
