Raising the Active Directory forest functional level is one of those tasks that many administrators either delay indefinitely or rush through without adequate preparation – and both approaches carry real risk. Whether you are modernizing a legacy environment, unlocking new AD features, or completing a domain controller upgrade cycle, selecting the correct forest functional level from the drop-down in Active Directory Domains and Trusts is a point of no return. This guide walks you through the entire process: understanding what forest functional levels are, confirming your environment is ready, executing the change via both the GUI and PowerShell, and verifying success afterward.
What Is the Active Directory Forest Functional Level?
The forest functional level is a setting that controls which Active Directory features are available across your entire forest – spanning all domains and all domain controllers within it. Microsoft ties new capabilities to specific Windows Server versions, and the forest functional level acts as the gatekeeper that says “every domain controller in this forest meets at least this version baseline.”
Unlike the domain functional level, which applies only to a single domain, the forest functional level affects forest-wide features such as the Active Directory Recycle Bin, Privileged Access Management (PAM), and the ability to create Read-Only Domain Controllers with specific replication filtering. Raising this level is irreversible – there is no rollback without a full forest restore – so treating it with the same seriousness as a firmware upgrade is entirely appropriate.
Forest Functional Level Values and Their Features
Each level unlocks specific capabilities that were not available in earlier versions. Here is a quick reference for the most relevant levels in modern environments:
- Windows Server 2008 / 2008 R2 – Baseline for many legacy environments; supports Distributed File System Replication (DFSR) for SYSVOL.
- Windows Server 2012 / 2012 R2 – Adds dynamic access control support and Kerberos armoring (FAST).
- Windows Server 2016 – Unlocks Privileged Access Management (PAM) and support for optional features tied to Windows Server 2016 domain controllers. This is the minimum recommended level for any new deployment today.
- Windows Server 2025 – The current ceiling for environments running Windows Server 2025 domain controllers, enabling the latest schema extensions and security features.
Selecting the right level from the drop-down is not just about enabling a feature checklist – it also signals to your team and auditors that your environment is running on a supported, current baseline.
Prerequisites Before You Raise the Forest Functional Level
Skipping preparation is how administrators create recovery scenarios at the worst possible time. Before you touch the drop-down, confirm every item on this checklist.
1. All Domain Controllers Must Be at the Target OS Version
The forest functional level cannot exceed the lowest Windows Server version running as a domain controller anywhere in the forest. If you want to raise to Windows Server 2016, every DC in every domain must be running Windows Server 2016 or later. Use the following PowerShell one-liner to audit your DC versions across all domains in the forest:
Get-ADForest | Select-Object -ExpandProperty Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ | Select-Object Name, OperatingSystem, Domain
}
Any DC returned with an OS version below your target is a blocker. Either upgrade or decommission it before proceeding.
2. All Domain Functional Levels Must Already Be Raised
The forest functional level cannot exceed the lowest domain functional level within the forest. Raise each domain’s functional level first. You can check the current domain functional level with:
Get-ADDomain | Select-Object DomainMode
And the forest functional level with:
Get-ADForest | Select-Object ForestMode
3. Take a Verified Backup
Because raising the forest functional level is irreversible, a current system state backup of at least one domain controller per domain is non-negotiable. This is especially true for your Schema Master and Domain Naming Master. A solid disaster recovery posture means having tested restores, not just backups that have never been verified. If your organization lacks a formal backup strategy, this is the moment to address that gap before making any irreversible Active Directory changes.
4. Confirm Replication Health
Raising the functional level during a replication failure can create inconsistent state across the forest. Run replication diagnostics before proceeding:
repadmin /replsummary
repadmin /showrepl
Resolve any replication errors shown before moving forward.
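The checks in prerequisites 1, 2 and 4 can be combined into one read-only preflight. This is an added example, not part of the original guide: it assumes a Windows2016Forest target, the ActiveDirectory RSAT module, and build 14393 as the Windows Server 2016 minimum. Backups (prerequisite 3) still have to be verified separately.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only preflight for a Windows2016Forest raise. Changes nothing.
$targetDomainMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
$minDcVersion     = [version]'10.0.14393'   # assumption: Windows Server 2016 RTM build

$forest   = Get-ADForest
$blockers = [System.Collections.Generic.List[string]]::new()

foreach ($domainName in $forest.Domains) {
    # Prerequisite 2: every domain functional level must already be at the target
    $domain = Get-ADDomain -Server $domainName
    if ($domain.DomainMode -lt $targetDomainMode) {
        $blockers.Add("Domain $domainName is at $($domain.DomainMode)")
    }

    # Prerequisite 1: every DC in every domain must run the target OS or later
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # OperatingSystemVersion looks like "10.0 (14393)"
        if ($dc.OperatingSystemVersion -match '^(\d+)\.(\d+) \((\d+)\)') {
            $dcVersion = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
            if ($dcVersion -lt $minDcVersion) {
                $blockers.Add("DC $($dc.HostName) runs $($dc.OperatingSystem)")
            }
        } else {
            # Unknown version string: report it rather than assume it is fine
            $blockers.Add("DC $($dc.HostName) has unparsed OS version '$($dc.OperatingSystemVersion)'")
        }
    }
}

# Prerequisite 4: no outstanding replication failures anywhere in the forest
$failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest | Where-Object { $_.FailureCount -gt 0 }
foreach ($failure in $failures) {
    $blockers.Add("Replication failure on $($failure.Server) from $($failure.Partner): error $($failure.LastError)")
}

if ($blockers.Count -gt 0) {
    $blockers | ForEach-Object { Write-Warning $_ }
    Write-Output "NOT READY: $($blockers.Count) blocker(s). Current forest mode: $($forest.ForestMode)"
} else {
    Write-Output "READY: no blockers found. Current forest mode: $($forest.ForestMode)"
}
```

Keep the output with the change record so the pre-change state of the forest is documented alongside the raise itself.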
How to Raise the Forest Functional Level Using the GUI
The graphical approach is straightforward and is often preferred for one-time changes where visibility and confirmation prompts are valuable.
Step 1 – Open Active Directory Domains and Trusts
On a domain controller or a management workstation with RSAT installed, open the Active Directory Domains and Trusts snap-in. You can launch it from Server Manager, the Administrative Tools folder, or by running domain.msc from a Run dialog.
Step 2 – Right-Click the Root Node
In the left-hand navigation pane, right-click the topmost node labeled Active Directory Domains and Trusts – not an individual domain, but the root of the console tree. From the context menu, select Raise Forest Functional Level.
Step 3 – Select an Available Forest Functional Level from the Drop-Down
A dialog box titled Raise Forest Functional Level will appear. It displays the current forest functional level and presents a drop-down list labeled Select an available forest functional level. This drop-down will only show levels that are valid based on your current environment – levels below your current setting will not appear, and levels that would require domain controllers you have not yet upgraded will also be absent.
Choose your target level from the list. If the drop-down shows only the current level and no higher options, it means one or more domain controllers or domain functional levels are blocking the raise. Return to your prerequisites checklist.
Step 4 – Confirm and Raise
After selecting the target level, click Raise. A warning dialog will remind you that this action cannot be reversed. Click OK to confirm. The change is applied immediately and replicated to all domain controllers in the forest through normal AD replication. Allow sufficient replication time – typically one replication cycle – before assuming all DCs reflect the new level.
How to Raise the Forest Functional Level Using PowerShell
For environments managed through automation, scheduled change windows, or where GUI access is limited, PowerShell is the preferred method. It also provides a clear audit trail when logged appropriately.
Check Current Level
Get-ADForest | Select-Object Name, ForestMode
Raise to Windows Server 2016
Set-ADForestMode -Identity "yourdomain.local" -ForestMode Windows2016Forest -Confirm:$false
Replace yourdomain.local with your actual forest root domain DNS name. The -ForestMode parameter accepts the following values for common targets:
- Windows2012Forest – Windows Server 2012
- Windows2012R2Forest – Windows Server 2012 R2
- Windows2016Forest – Windows Server 2016
For Windows Server 2019 and 2022, the forest functional level remains at the Windows2016Forest value – Microsoft did not introduce new functional levels for those releases. Windows Server 2025 introduces a new level where applicable.
Verify the Change
Get-ADForest | Select-Object Name, ForestMode
The output should now reflect your target functional level. You can also verify replication of the change by querying a remote domain controller:
Get-ADForest -Server "RemoteDCName" | Select-Object ForestMode
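To extend the single remote query to every domain controller, the following added example (not from the original guide) asks each DC for its own replicated view of the forest mode and flags any that are pending or unreachable. `$expected` is an assumed target value; set it to the level you raised to.

```powershell
#Requires -Modules ActiveDirectory
# Added example: confirm every DC in the forest reports the expected forest mode.
$expected = 'Windows2016Forest'   # assumption: the level you raised to
$forest   = Get-ADForest

$results = foreach ($domainName in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        try {
            # Query this specific DC so the answer reflects what has replicated to it
            $seen  = (Get-ADForest -Server $dc.HostName -ErrorAction Stop).ForestMode
            $state = if ("$seen" -eq $expected) { 'Converged' } else { 'Pending' }
        } catch {
            # A DC that cannot answer is reported, not silently skipped
            $seen  = $null
            $state = 'Unreachable'
        }
        [pscustomobject]@{
            DC         = $dc.HostName
            Site       = $dc.Site
            ForestMode = $seen
            State      = $state
        }
    }
}

$results | Sort-Object State, DC | Format-Table -AutoSize

$notDone = @($results | Where-Object State -ne 'Converged')
if ($notDone.Count -gt 0) {
    Write-Warning "$($notDone.Count) DC(s) have not confirmed $expected yet."
}
```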
What Happens After You Raise the Forest Functional Level
The change propagates through AD replication, which in a healthy environment completes within minutes for a single site and within the replication schedule for multi-site environments. Once all DCs have replicated the change, the new forest-wide features become available.
If you raised to Windows Server 2016 Forest functional level, you can now enable the Privileged Access Management optional feature, which supports time-limited group memberships – a powerful control for reducing standing privileged access. Enable it with:
Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" `
    -Scope ForestOrConfigurationSet `
    -Target "yourdomain.local"
Common Pitfalls and How to Avoid Them
The most frequent mistake is raising the forest functional level before confirming that all domain functional levels have been raised. The GUI will grey out incompatible options, but PowerShell will return an error that can be confusing if you are not expecting it. Always verify domain levels first.
Another common issue is overlooking a forgotten domain controller – particularly in environments that have grown through acquisitions or mergers. A DC running Windows Server 2012 R2 in a child domain or resource domain that nobody actively manages will block the raise silently until you audit every domain in the forest.
Finally, do not raise during peak business hours. While the change itself is quick, unexpected replication issues or the need to roll back (via forest restore) are far less disruptive when performed during a maintenance window. If your organization lacks a structured IT strategy for managing change windows and environment audits, formalizing that process will pay dividends well beyond this single task.
Planning Your Broader AD Modernization
Raising the forest functional level is rarely a standalone task – it is typically one step in a broader Active Directory modernization effort that may include decommissioning legacy domain controllers, migrating to newer Windows Server versions, or as part of a cloud migration project that integrates on-premises AD with Azure Active Directory or Entra ID. Treating it as part of a planned roadmap rather than an ad hoc change reduces risk and makes the process repeatable across future upgrade cycles.
Conclusion
Raising the Active Directory forest functional level is a precise, high-impact operation that rewards careful preparation. By auditing your domain controllers, verifying replication health, confirming domain functional levels, and maintaining a tested backup, you can execute the change confidently – whether through the GUI drop-down or a PowerShell one-liner. The irreversibility of the action is not a reason to avoid it; it is a reason to approach it methodically.
If your organization is planning an Active Directory upgrade, forest consolidation, or hybrid identity project and you want expert guidance through each stage, the team at SSE is ready to help. Reach out to discuss your environment and how we can support a smooth, risk-managed transition.


