Raising the forest functional level in Active Directory is a one-way operation (in most cases) that unlocks newer AD DS features across your entire forest. You do it through either the Active Directory Domains and Trusts console or PowerShell, but the real work happens before you click anything: verifying that every domain controller in every domain meets the minimum OS requirement for the level you’re targeting.
What Forest Functional Level Actually Controls
The forest functional level sets a floor for which Windows Server versions can operate as domain controllers anywhere in your forest. It also gates access to forest-wide Active Directory features like the AD Recycle Bin (2008 R2+), Privileged Access Management (2012 R2+), and newer authentication improvements. Raising the level doesn’t change anything for member servers or workstations joined to the domain. It only affects domain controllers.
One detail that trips people up: Windows Server 2019 and Windows Server 2022 did not introduce their own functional levels. Both use Windows Server 2016 as their highest functional level. The next jump is Windows Server 2025, which introduces a new level that requires all domain controllers to run Server 2025.
Check Your Prerequisites First
Before raising the forest functional level, you need to confirm two things: every domain in the forest has already been raised to at least the domain functional level you’re targeting, and every domain controller across the forest is running a compatible OS version. Here’s the current compatibility matrix:
- Windows Server 2012 R2 functional level: supports DCs running Server 2012 R2, 2016, 2019, or 2022
- Windows Server 2016 functional level: supports DCs running Server 2016, 2019, 2022, or 2025
- Windows Server 2025 functional level: supports only DCs running Server 2025
If even one domain controller in your forest is running an older OS than the target level allows, the raise will fail. You’ll get error 8568 (ERROR_DS_LOW_DSA_VERSION), which means “there exist one or more domain controllers at a lower incompatible functional level.” The fix is straightforward: upgrade or decommission those older DCs before attempting the raise.
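Both prerequisites can be checked read-only before any raise is attempted. The script below is an added example, not part of the original article: $TargetLevel and the variable names are assumptions, and the OS check matches the "Windows Server <version>" name that each DC reports in its OperatingSystem property against the matrix above.

```powershell
# Added example: read-only pre-flight check to run before Set-ADForestMode.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

$TargetLevel = 'Windows2016'   # assumption: edit to Windows2012R2, Windows2016 or Windows2025

# DC operating systems each level supports, per the compatibility matrix above
$SupportedOs = @{
    'Windows2012R2' = '2012 R2|2016|2019|2022'
    'Windows2016'   = '2016|2019|2022|2025'
    'Windows2025'   = '2025'
}
# Level names oldest to newest; anything not listed ranks below all of them (-1)
$LevelOrder = @('Windows2012R2', 'Windows2016', 'Windows2025')
$targetRank = [array]::IndexOf($LevelOrder, $TargetLevel)
if ($targetRank -lt 0) { throw "Unknown target level '$TargetLevel'" }

$forest   = Get-ADForest
$findings = foreach ($domainName in $forest.Domains) {
    # Prerequisite 1: the domain functional level must already be at the target
    $domain     = Get-ADDomain -Server $domainName
    $domainRank = [array]::IndexOf($LevelOrder, ("$($domain.DomainMode)" -replace 'Domain$', ''))
    if ($domainRank -lt $targetRank) {
        [pscustomobject]@{ Domain = $domainName; Object = $domainName
                           Problem = "Domain functional level is $($domain.DomainMode)" }
    }
    # Prerequisite 2: every DC in the domain must run a supported OS
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        if ($dc.OperatingSystem -notmatch "Windows Server ($($SupportedOs[$TargetLevel]))\b") {
            [pscustomobject]@{ Domain = $domainName; Object = $dc.HostName
                               Problem = "DC runs '$($dc.OperatingSystem)'" }
        }
    }
}

"Forest $($forest.Name) is at $($forest.ForestMode); target is ${TargetLevel}Forest"
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) blocker(s): expect error 8568 or 8569 until resolved."
} else {
    'No blockers found: all domains and domain controllers meet the target level.'
}
```

The script changes nothing in the directory; it only reads forest, domain and DC objects.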
Run Health Checks Before You Start
Replication problems between domain controllers can cause the functional level change to apply inconsistently or fail. Run these checks from any DC or a management workstation with RSAT installed:
- repadmin /showrepl * /csv pipes all replication status into a format you can review (add | ConvertFrom-Csv | Out-GridView in PowerShell for an interactive table). Fix any replication failures before proceeding.
- dcdiag /v on each domain controller catches DNS issues, connectivity problems, and other health concerns that could interfere with the level raise.
You also want to verify no stale or orphaned DC metadata exists in the directory. Old entries from domain controllers that were removed without proper cleanup count against your compatibility check.
Raise Domain Functional Levels First
The forest functional level cannot exceed the lowest domain functional level in the forest. If you have three domains and one is still at 2012 R2, the forest stays at 2012 R2 until you raise that domain. You must raise every domain individually before raising the forest.
To raise a domain’s functional level using the GUI, open Active Directory Domains and Trusts from the Start menu (or from a machine with RSAT installed). Right-click the domain name in the left pane and select “Raise Domain Functional Level.” The dialog shows the current level and a dropdown with available targets. Select the level you want and confirm.
In PowerShell, the equivalent command is:
Set-ADDomainMode -Identity yourdomain.com -DomainMode Windows2016Domain
Repeat for every domain in the forest.
Raise the Forest Functional Level
Using the GUI
Open Active Directory Domains and Trusts. Right-click the top node labeled “Active Directory Domains and Trusts” (not an individual domain). Select “Raise Forest Functional Level.” Choose your target level from the dropdown and confirm. The change replicates to all domain controllers in the forest, so give it time to propagate, especially in multi-site environments.
Using PowerShell
The cmdlet is Set-ADForestMode. The syntax looks like this:
Set-ADForestMode -Identity yourdomain.com -ForestMode Windows2016Forest
The -ForestMode parameter accepts named values or numeric equivalents. The most commonly used ones:
- Windows2012R2Forest (or 6)
- Windows2016Forest (or 7)
- Windows2025Forest (or 10)
The -Identity parameter takes a fully qualified domain name, GUID, DNS host name, or NetBIOS name. Add -WhatIf to preview the change without committing it, which is worth doing in production.
Common Errors and What They Mean
Three errors cover the majority of failed attempts:
- Error 8568 (0x2178): One or more domain controllers are running an OS version too old for the target functional level. Identify them with Get-ADDomainController -Filter * and check the OperatingSystem property.
- Error 8569 (0x2179): At least one domain is still in mixed mode, meaning its domain functional level hasn’t been raised high enough. Raise all domain functional levels first.
- Error 8563 (0x2173): The DC you’re running the command from has an OS version that’s incompatible with the target functional level. This appears when trying to set the 2025 level from a Server 2022 machine, for example.
Reversibility Is Limited
Raising the forest functional level is generally a one-way operation. In some cases, you can lower the forest functional level back to certain previous levels, but only if you haven’t enabled features that depend on the higher level. For practical purposes, treat this as irreversible. Once you raise to Windows Server 2016 forest level and enable features like Privileged Access Management, you cannot go back.
This is the main reason to be deliberate about the raise. It doesn’t affect day-to-day authentication for client machines or member servers, so there’s no urgency unless you need a specific feature that requires the higher level. But once you commit, any future domain controller you add to the forest must run a compatible OS version. At the 2025 level, that means every DC must be Server 2025, with no room for 2022, 2019, or 2016 machines.
Verify the Change
After raising the level, confirm it took effect:
Get-ADForest | Select-Object ForestMode
This returns the current forest functional level. Run repadmin /showrepl again after a replication cycle to confirm the change has propagated to all DCs. In large, multi-site forests, allow at least one full replication cycle (which depends on your site link schedule) before assuming something went wrong.
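Get-ADForest on its own reports what a single DC sees. To check propagation, ask every DC in the forest for its own copy, as in this added example (not part of the original article; $expected and the report column names are assumptions):

```powershell
# Added example: confirm every DC in the forest reports the same forest functional level.
# Assumes the ActiveDirectory module (RSAT) and network reach to each DC.
Import-Module ActiveDirectory

$expected = 'Windows2016Forest'   # assumption: the level you just set

$report = foreach ($domainName in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        try {
            # Query this specific DC so the answer reflects its local replica
            $mode  = (Get-ADForest -Server $dc.HostName -ErrorAction Stop).ForestMode
            $state = if ("$mode" -eq $expected) { 'OK' } else { 'Not yet replicated' }
        } catch {
            # An unreachable DC is reported, not skipped, so it is not mistaken for success
            $mode  = $null
            $state = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Domain = $domainName; DC = $dc.HostName; Site = $dc.Site
                           ForestMode = $mode; State = $state }
    }
}

$report | Sort-Object State, Site, DC | Format-Table -AutoSize
$pending = @($report | Where-Object State -ne 'OK')
if ($pending) { Write-Warning "$($pending.Count) DC(s) do not report $expected yet." }
```

DCs listed as not yet replicated after a full replication cycle are the ones to investigate with repadmin /showrepl.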

