R2: Forest and Domain Mode can be reverted

I have been asked many times “what may break if I update the forest or domain mode?”. Usually … nothing! Actually I have never heard of anything breaking when you increased the forest or domain mode. However, with Windows Server 2008 or earlier domain controllers there was no way to roll back the forest or domain mode.

No way!

No way?

OK – you were able to do a forest recovery (recovering at least one DC of each domain in the forest and rebuilding the forest), however I doubt that this is usually an option.

What are domain or forest modes for? Actually the only thing they are responsible for is to tell all domain controllers that each domain controller in the domain or forest now has a certain operating system level, that there will be no new dcpromos of down-level operating systems (or at least they will not be successful, so no down-level DCs will be added to the domain), and that the domain controllers can enable certain features which are only allowed if all DCs are at the same level. Examples of this are linked value replication at the Windows Server 2003 level, fine-grained password policies at the Windows Server 2008 domain mode, automatic changes of SPNs, or the possibility to turn on the AD Recycle Bin at the Windows Server 2008 R2 forest mode. The domain or forest functional level change only ensures that there are no down-level DCs at that point, and publishes the status so that all DCs know. Each DC will locally make the changes it needs in order to communicate at the new level, such as changing the database when the Recycle Bin is turned on, or publishing that it is willing to replicate attribute values separately instead of as one big blob.

However, companies were anxious about increasing the forest or domain level. Not because there is any known harm, but because recovery is not easy if anything should go wrong.

In Windows Server 2008 R2 the Active Directory product group made some changes: you are able to increase the domain and forest mode, you are also able to roll the mode back to Windows Server 2008, and you can switch around as you like. The upgrade of the forest or domain mode is reversible …

unless you enable an optional feature which requires this mode!

So this has changed. Forest or domain mode upgrades do not automatically enable features which make the mode non-reversible: you can first upgrade the forest or domain mode, wait for a few hours/days/weeks (as you like, or as your company’s working practices require), and after you have ensured that all applications are working, turn on the features you like. Each new Active Directory feature (right now, in Windows Server 2008 R2, there is only the Recycle Bin) states whether it can be turned off again and whether it requires a forest or domain level. The Recycle Bin cannot be reversed and – as stated – needs the Windows Server 2008 R2 forest level.

So rollback of the forest / domain mode is possible. However, once you have increased the mode to Windows Server 2008 R2, the user interface will not allow you to decrease the mode again. This might lead to some confusion.


But we also have the PowerShell cmdlets for Active Directory to help us out.

First we need to load the PowerShell cmdlets for AD:

Import-Module ActiveDirectory

Then we need to decrease the forest mode first (the forest mode specifies the minimum domain mode of any domain in the forest, therefore we cannot decrease the domain mode while the forest mode is higher):

Set-ADForestMode -identity (Get-ADForest).name -ForestMode Windows2008Forest

You can also specify the forest name directly in the “-identity” parameter, however I’m lazy, so I’m just getting the name of the current forest.

Next we are able to decrease the domain mode:

Set-ADDomainMode -identity (Get-ADDomain).name -DomainMode Windows2008Domain
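The two steps above combined with the checks an administrator would want before running them (the current levels, and whether the Recycle Bin already pins the forest level), as an added example that is not the post’s own script. It assumes the ActiveDirectory module is available and uses -WhatIf so nothing is changed until you remove it:

```powershell
# Added example: verify that a rollback to the Windows Server 2008 level is
# still possible, then perform it forest-first, domain-second.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain   # the current domain only; other domains need the same step

"Current forest mode: $($forest.ForestMode)"
"Current domain mode: $($domain.DomainMode)"

# The Recycle Bin is the one 2008 R2 optional feature that cannot be turned off
# and therefore blocks lowering the forest mode. EnabledScopes is empty when the
# feature has never been enabled.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($recycleBin.EnabledScopes.Count -gt 0) {
    Write-Warning ("Recycle Bin is enabled in " +
        ($recycleBin.EnabledScopes -join ', ') +
        "; the forest mode cannot be lowered.")
    return
}

# Forest mode first: it is the floor for every domain mode in the forest.
# -WhatIf only reports what would change; drop it to apply the rollback.
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -WhatIf
Set-ADDomainMode -Identity $domain.Name -DomainMode Windows2008Domain -WhatIf
```

Run it once with -WhatIf, check that the reported targets are the forest and domain you expect, then run the two Set-AD* lines without -WhatIf.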

And here is the result, the mode has changed and is changeable again:

[Screenshot: after posh]

Voilà, hopefully you never have to do this in production, but at least it is possible and should ease your migration efforts.


One Response

  • Hio!
    Misc info:
    Thanks for great posts. I was like you until I, not too long ago, upped the Domain Functional Level and used Cisco ACS Server. The version running couldn’t handle it.
    So we couldn’t authenticate between User / Production Forest.

    So I had to upgrade that environment as well; the fact is that the net guys were slackers 😉
    End Misc info.
