Azure AD Connect: Forest & Domain Functional Level

Issue

When installing Azure AD Connect and adding a directory, the installer throws up the following error and cannot proceed:

“The Active Directory forest functional level must be Windows2003Forest or higher.”

[Screenshot: Azure AD Connect "forest functional level" error dialog]

The Domain and Forest functional levels are both Windows 2000.

[Screenshot: domain and forest functional levels shown as Windows 2000]

Resolution

Both the AD schema version (domain functional level) and forest functional level must be Windows Server 2003 or later.

Before raising both the domain and forest functional levels, being acutely aware of the lack of an undo button, I considered the following:

  • Checked that all AD Domain Controllers were running at least the OS version to which the functional levels are going to be raised.  In this case it’s Windows 2003 so it won’t be an issue; however, still check for decommissioned AD Domain Controllers whose metadata wasn’t cleaned up properly.
  • Checked the Lost and Found container in the Configuration container.  Is there an NTDS Settings object in there for a downlevel AD Domain Controller?  If so, this needs to be cleaned up.
  • Verified replication between AD Domain Controllers.  Raising the functional levels basically updates an AD attribute that must be replicated to all AD Domain Controllers.

From the AD Domain Controller that holds the PDC Emulator role (if you’re unsure, run netdom query fsmo), open the Active Directory Domains and Trusts MMC.

Forest Functional Level

Right click on Active Directory Domains and Trusts, select Raise Forest Functional Level.

From the “Select an available forest functional level” drop down box, select the desired level.  Here I’ve selected Windows Server 2003.  Click Raise.

[Screenshot: Raise Forest Functional Level dialog with Windows Server 2003 selected]

WARNING: “This change affects the entire forest.  After you raise the forest functional level, it is possible that you may not be able to reverse it”.  Click OK.

[Screenshot: forest-wide change warning]

SUCCESS: “The functional level was raised successfully.  The new functional level will now replicate to each Active Directory Domain Controller in the forest.  The amount of time this will take varies, depending on your replication topology”.  Click OK.

[Screenshot: forest functional level raised successfully]

Domain Functional Level

Right click on the domain name (e.g. x500.local), select Raise Domain Functional Level.

From the “Select an available domain functional level” drop down box, select the desired level.  Here I’ve selected Windows Server 2003 as I want it to match the forest functional level (note you cannot set the domain functional level to a value that is lower than the forest functional level).  Click Raise.

[Screenshot: Raise Domain Functional Level dialog with Windows Server 2003 selected]

WARNING: “This change affects the entire domain.  After you raise the domain functional level, it is possible that you may not be able to reverse it”.  Click OK.

[Screenshot: domain-wide change warning]

SUCCESS: “The functional level was raised successfully.  The new functional level will now replicate to each Active Directory Domain Controller in the domain.  The amount of time this will take varies, depending on your replication topology”.  Click OK.

[Screenshot: domain functional level raised successfully]

Rerun the Azure AD Connect installation and you’ll be able to add the directory.  Sorted!
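The same pre-flight checks and the raise itself can be scripted rather than clicked through. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) on a management host with rights to change the forest and domain, and that the DCs are reachable through ADWS (on Windows 2003 DCs that requires the AD Management Gateway Service). Both Set-* calls carry -WhatIf so nothing is changed until you remove it.

```powershell
# Added example: pre-flight checks from the post, then the raise, via PowerShell.
# Assumes RSAT/ActiveDirectory module and ADWS reachability on every DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"
"PDC emulator: $($domain.PDCEmulator)"

# 1. Every DC must already run at least the target OS (Windows Server 2003 here);
#    this also surfaces stale DC objects left behind by a bad decommission.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion, Site |
    Format-Table -AutoSize

# 2. Orphaned NTDS Settings objects of downlevel DCs end up in the configuration
#    partition's Lost and Found container; they must be cleaned up first.
$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$orphans = Get-ADObject -SearchBase "CN=LostAndFoundConfig,$cfgNC" -SearchScope Subtree `
               -LDAPFilter "(objectClass=nTDSDSA)"
if ($orphans) {
    Write-Warning "Orphaned NTDS Settings found; clean up metadata before raising:"
    $orphans | Select-Object -ExpandProperty DistinguishedName
    return
}

# 3. Replication must be healthy: the new level is an attribute that has to
#    reach every DC. repadmin prints per-partner failure counts.
repadmin /replsummary

# 4. Raise the forest first, then the domain, in the order the post uses.
#    Run against the PDC emulator; remove -WhatIf to apply.
Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest `
                 -Server $domain.PDCEmulator -WhatIf
Set-ADDomainMode -Identity $domain -DomainMode Windows2003Domain `
                 -Server $domain.PDCEmulator -WhatIf

# Verify afterwards; the value replicates, so re-check other DCs over time.
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode
```

Set-ADForestMode and Set-ADDomainMode also prompt for confirmation by default, so the change is never applied silently.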
