Just like the Active Directory DFL, the FFL also determines the availability of new Active Directory functionality. Where the DFL dictates the minimum version of Windows Server to run as domain controllers, the FFL dictates the minimum version of the DFL in the Active Directory forest.

The new functionality that is unlocked by raising the FFL includes the following:

• Privileged Access Management (PAM) that requires the Windows Server 2016 FFL
• Active Directory Recycle Bin that requires the Windows Server 2008 R2 FFL
• Linked-value replication that requires the Windows Server 2003 FFL

Microsoft recommends raising the FFL from the Active Directory domain controller that holds the Domain Naming Master FSMO role.

To locate this domain controller, run the following command on any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Alternatively, use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster

Use an account that is a member of the Enterprise Admins group in the Active Directory forest for which you want to raise the FFL.

On domain controllers running Windows Server with the Desktop Experience, follow these steps:

1. Sign in to the domain controller holding the Domain Naming Master FSMO role.
2. Open Active Directory Domains and Trusts (domain.msc).
3. In the left navigation pane, right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
   The Raise forest functional level window appears:

4. From the Select an available forest functional level drop-down list, select the desired FFL, and then click Raise.

Alternatively, you can use the following two lines of PowerShell:

Import-Module ActiveDirectory

Set-ADForestMode lucernpub.com Windows2016Forest

Replace lucernpub.com with values for your Active Directory environment.

When a domain controller operates, it references the FFL to know how it can optimally interoperate with other domain controllers in the Active Directory forest. Additionally, when you want to enable optional Active Directory features, the msDS-Behavior-Version attribute is referenced to see whether it's a permittable action.

When a new Active Directory domain is added to an Active Directory forest, the available DFLs for the domain are shown, based on the msDS-Behavior-Version attribute for the forest too.

If there is a domain running a DFL that does not meet the requirements of a certain FFL, the level is grayed out in Active Directory Domains and Trusts and the level cannot be raised to this level. When you try to raise the FFL using Windows PowerShell or other programmatic means, it will error out.