Menu

AEG: How to Check the Functional Levels in Active Directory

Dec 8, 2022

AEG: How to Check the Functional Levels in Active Directory

Introduction

AEG leverages both Active Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS) capabilities. In this sense, functional levels determine the available AD DS domain and forest capabilities. AD DS and AD CS work together, and some features such as the Certificate Enrollment Web Services and the Cross-forest Enrollment require the following

  • AEG requires that the forest functional level must be Windows Server 2008 R2 or higher.
  • The domain functional level must be the same or higher than the forest functional level.
    • You can set the domain functional level to a value that is higher than the forest functional level, but you cannot set the domain functional level to a value that is lower than the forest functional level.
  • If your environment has more than one forest, the forests must also include a two-way trust relationship to support cross-forest enrollment.

Windows Server 2008 R2 Functional Level supports the following Windows Server versions:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Guidelines

There are three ways to verify your current forest and domain functional levels on your Active Directory Domain Controller. You can use the Server Manager, the Administrative Tools, or the PowerShell. In this article, we show you the steps to use any of those tools.

Using the Server Manager

  1. Log in to your Active Directory Domain Controller. Note: If you have more than one domain controller, you should log in to the forest root domain controller.

  2. Open the Server Manager, click Tools, and then click Active Directory Domains and Trusts as shown in the diagram below.

  3. Right-click the root domain, and click Properties to proceed.

  4. Under the General tab, you will find the forest and domain functional levels currently configured on your Active Directory Domain Controller.

Using the Administrative Tools

  1. Log in to your Active Directory Domain Controller. Note: If you have more than one domain controller, you should log in to the forest root domain controller.

  2. Click the Start Menu, and click Windows Administrative Tools.

  3. Find Active Directory Domains and Trusts on the list, and double click on it.

  4. Right-click the root domain, and click Properties.

  5. Under the General tab, you will find the forest and domain functional levels currently configured on your Active Directory Domain Controller.

Using the PowerShell

  1. Log in to your Active Directory Domain Controller. Note: If you have more than one domain controller, you should log in to the forest root domain controller.

  2. Click the Start Menu, and click Windows PowerShell. Hover over More, and click Run as administrator to proceed.

  3. If there is a pop-up screen from the User Account Control, or UAC, asking if you want to allow the app to make changes, click Yes.

  4. To find the Domain Functional Level, use the command "Get-ADDomain | fl Name,DomainMode”.

  5. To find the Forest Functional Level, use the command “Get-ADForest | fl Name,ForestMode”.

After following the previous steps, you will have a clear idea on what Domain and Forest Functional Levels your environment is running on. If your environment does not support the Windows Server 2008 R2 functional level, you should plan on how to upgrade your infrastructure before deploying AEG.

Related Articles

AEG: How to Enable Advanced Logging for AEG Server

Feb 29, 2020, 5:07 AM

This article will guide you through enabling AEG’s advanced logging feature. If this is not the solution you are looking for, please search for the solution in the search bar above. Note: This support article applies to AEG version 5.x and below. Also, when facing issues to enroll for Certificates, our support staff may require more information to determine the root cause of the problem.

Read More

AEG: How to Create Custom Certificate Templates

Mar 2, 2020, 1:56 AM

This article will go over how to create templates from duplicates of default templates for both User and Machine Authentication. Depending on the use case that you implement, you will need to duplicate one of the default Certificate templates. Duplication is not required but is strongly recommended to avoid changing the properties of default templates and to better control the changes applied to templates that work with the AEG.

Read More

AEG: How to Create and Link a GPO in Active Directory

Mar 2, 2020, 2:58 AM

This article will walk you through on how to create and link a Group Policy in Active Directory. Creating a GPO is a fairly simple task, so long as you know what settings you need to change, and how to apply it to the endpoints you are trying to affect.

Read More

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support

Contact Us
close
Sales: 1-877-775-4562
Support: 1-877-775-4562
E-Mail: sales-us@globalsign.com