Domain and forest functional level upgrade order

32 views
Skip to first unread message

Mike Leone

unread,
Jul 1, 2025, 3:31:16 PM7/1/25
to NTSysAdmin
Just need this double checked, please.

We have a root and sub-domain structure here. I need to upgrade all of the domain and forest functional levels to the latest (Win 2016?), because I'm going to start replacing DCs.And apparently you can't add a Win 2025 DC to a forest level less than Win 2016. My current levels are

Current both domains are at Windows2012R2Domain level, and the forest is WIn2012R2Forest.

Is this the correct order to upgrade those levels?

Upgrade sub-domain  DFL to Win 2016
Upgrade root domain DFL to Win 2016 
Upgrade forest FFL to Win 2016 

using accounts with the appropriate rights for each domain/forest



--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Wright, John M

unread,
Jul 1, 2025, 3:41:27 PM7/1/25
to ntsys...@googlegroups.com

I know that DFL has to precede FFL (see here: How to raise AD forest functional level - Windows Active Directory).

 

On the DFL, I think what you have is correct (subdomain then root).  But I’ll let someone else weigh in on that.

 

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Mike Leone
Sent: Tuesday, July 1, 2025 3:31 PM
To: NTSysAdmin <ntsys...@googlegroups.com>
Subject: [ntsysadmin] Domain and forest functional level upgrade order

 

EXTERNAL EMAIL - This email was sent by a person from outside your organization. Exercise caution when clicking links, opening attachments or taking further action, before validating its authenticity.

Secured by Check Point

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BhX9cw0uCjxgsi%3D6bi_T0VST2y%2BPhXd3KQHF-r2OEYBFw%40mail.gmail.com.

Kurt Buff

unread,
Jul 1, 2025, 3:42:52 PM7/1/25
to ntsys...@googlegroups.com

Mike Leone

unread,
Jul 2, 2025, 11:23:29 AM7/2/25
to NTSysAdmin
Thanks all. I raised both domains and the forest this morning, all went smoothly. All raised successfully. Now I can promote a Win 2025 to be a DC. Soon as I have enough Win 2025 DCs, I'll demote the Win 2019 DCs, and raise the levels to Win 2025 then.

Thanks

maxcoder1

unread,
Jul 3, 2025, 2:44:34 AM7/3/25
to ntsys...@googlegroups.com
I'm going to do something similar, but I have a few questions.

There is a forest root domain and a tree domain.

1 - Can I perform DFL and FFL raise on any DC server? Is a server with an FSMO role required?

2 - Is a domain admin account sufficient for DFL raise in the tree domain?

3 - Similarly, can FFL be performed in the root domain using an enterprise admin account?

4 - Is it necessary to wait for replication between DFL and FFL raise operations? Because there are 20 DCs in the environment.

5 - Finally, what can we check to verify these DFL and FFL operations? Is there any Event ID?

Henry Awad

unread,
Jul 3, 2025, 3:28:55 AM7/3/25
to ntsys...@googlegroups.com
This article should answer most of your questions:

Raise domain and forest functional levels in Active Directory Domain Services on Windows Server | Microsoft Learn https://share.google/KApFkl8eyzVAzgPIt

Henry Awad
Principal Engineer
Technology Services
The Catholic University of America

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAKXd-rCoAkxjhg8F4SXtczN%3DDk_f2mBMNetqxeDfzkwAJ-53ew%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages