Just like the Active Directory DFL, the FFL also determines the availability of new Active Directory functionality. Where the DFL dictates the minimum version of Windows Server to run as domain controllers, the FFL dictates the minimum version of the DFL in the Active Directory forest.

The new functionality that is unlocked by raising the FFL includes the following:

• Privileged Access Management (PAM) that requires the Windows Server 2016 FFL
• Active Directory Recycle Bin that requires the Windows Server 2008 R2 FFL
• Linked-value replication that requires the Windows Server 2003 FFL

Getting ready

Microsoft recommends raising the FFL from the Active Directory domain controller that holds the Domain Naming Master FSMO role.

To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Alternatively, use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster

Required permissions

Use an account that is a member of the Enterprise Admins group in the Active Directory forest for which you want to raise the FFL.

How to do it…

On domain controllers running Windows Server with the Desktop Experience, follow these steps:

1. Sign in to the domain controller holding the Domain Naming Master FSMO role.
2. Open Active Directory Domains and Trusts (domain.msc).
3. In the left navigation pane, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
   The Raise forest functional level window appears:

4. From the Select an available forest functional level drop-down list, select the desired FFL, and then click Raise.

Alternatively, you can use the following two lines of PowerShell:

Import-Module ActiveDirectory

Set-ADForestMode lucernpub.com Windows2016Forest

Replace lucernpub.comwith values for your Active Directory environment.