Book Image

Active Directory Administration Cookbook

By : Sander Berkouwer
Book Image

Active Directory Administration Cookbook

By: Sander Berkouwer

Overview of this book

Active Directory is an administration system for Windows administrators to automate network, security and access management tasks in the Windows infrastructure. This book starts off with a detailed focus on forests, domains, trusts, schemas and partitions. Next, you'll learn how to manage domain controllers, organizational units and the default containers. Going forward, you'll explore managing Active Directory sites as well as identifying and solving replication problems. The next set of chapters covers the different components of Active Directory and discusses the management of users, groups and computers. You'll also work through recipes that help you manage your Active Directory domains, manage user and group objects and computer accounts, expiring group memberships and group Managed Service Accounts (gMSAs) with PowerShell. You'll understand how to work with Group Policy and how to get the most out of it. The last set of chapters covers federation, security and monitoring. You will also learn about Azure Active Directory and how to integrate on-premises Active Directory with Azure AD. You'll discover how Azure AD Connect synchronization works, which will help you manage Azure AD. By the end of the book, you have learned about Active Directory and Azure AD in detail.
Table of Contents (16 chapters)

Raising the domain functional level to Windows Server 2016

When implementing new Active Directory domain controllers and removing domain controllers running previous versions of Windows Server, many admins forget to raise the Active Directory domain functional level (DFL) to the earliest Windows Server version still running as domain controllers. After upgrading all domain controllers from Windows Server 2008 R2 to Windows Server 2012 R2, for instance, they would not raise the DFL to Windows Server 2012 R2, but keep it at the Windows Server 2008 R2 level.

The Windows 2016 domain is the highest available DFL for Active Directory; there is no Windows 2019 domain level.

It's a shame, really, because many new Active Directory features and optional Active Directory features are only available when the functional level is raised. Furthermore, the DFL dictates the lowest version of Windows Server that admins can use to promote new domain controllers. In addition, since Windows Server 2008 R2, the DFL can also be reverted, as long as no new optional features have been enabled and the Active Directory forest functional level (FFL) is the same as the DFL that you want to revert to, or lower.

From an Active Directory point of view, the Windows Server 2008 DFL (or any newer version of the DFL), is required when you want to deploy Windows Server 2016-based domain controllers.

Getting ready

Microsoft recommends raising the DFL from the Active Directory domain controller that holds the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role.

To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Alternatively, use the following lines of PowerShell on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADDomain | Format-List PDCEmulator

Required permissions

Use an account that is a member of the Domain Admins group in the Active Directory domain for which you want to raise the DFL.

How to do it...

On domain controllers running Windows Server with the Desktop Experience, follow these steps:

  1. Sign in to the domain controller holding the PDC emulator FSMO role.
  2. Open Active Directory Domains and Trusts (domain.msc).
  3. In the left navigation pane, right-click the domain for which you want to raise the functional level, and then click Raise Domain Functional Level.
    The Raise domain functional level window appears:
  1. From the Select an available forest functional level drop-down list, select the desired DFL, and then click Raise.

Alternatively, you can use the following two PowerShell commands:

Import-Module ActiveDirectory 
Set-ADDomainMode Windows2016Domain

Replace with values for your Active Directory environment.

Even when under time pressure, you'll want to check for the proper replication of changes to Active Directory functional levels before making any other changes in Active Directory that might depend on them. Especially in large environments with elaborate replication technologies, replication might take a while.

To check for the proper replication of changes to Active Directory functional levels, use the following command:

repadmin.exe /showattr * "dc=lucernpub,dc=com" /atts:msDS-Behavior-Version

Replace, lucernpub, and com with values for your Active Directory environment.

The command checks the value for the msDS-Behavior-Version attribute on each of the domain controllers in the respective Active Directory domain, and return the value.

The following table shows the msDS-Behavior-Version attribute value per Active Directory DFL:



Windows 2000 Server


Windows Server 2003 Mixed


Windows Server 2003


Windows Server 2008


Windows Server 2008 R2


Windows Server 2012


Windows Server 2012 R2


Windows Server 2016


Windows Server 2019


The output shows you the domain controllers that are replicating a change from a lower value to a higher value. When each domain controller returns the same value, the DFL has successfully replicated throughout the Active Directory environment.

How it works...

When a domain controller operates, it references the DFL to know how it can optimally interoperate with other domain controllers in the Active Directory domain. Additionally, when you want to enable optional Active Directory features, the msDS-Behavior-Version attribute is referenced to see whether it's a permittable action.

If there is a domain controller running a version of Windows Server that does not meet the requirements of a certain DFL, the level is grayed out in Active Directory Domains and Trusts and the level cannot be raised to this level (DFL). When you try to raise the DFL using Windows PowerShell or other programmatic means, it will error out.