
The domain functional level must be at a Windows Server version still supported by Microsoft.


Overview

Finding ID: V-8551
Version: AD.0160
Rule ID: SV-9048r3_rule
IA Controls: ECSC-1
Severity: Medium
Description
Domains operating at functional levels of Windows Server versions no longer supported by Microsoft reduce the level of security in the domain and forest, as advanced features of the directory are not available. This also prevents the addition of domain controllers to the domain using Windows Server versions prior to the current domain functional level.
STIG Date
Active Directory Domain Security Technical Implementation Guide (STIG) 2016-02-19

Details

Check Text (C-58021r1_chk)
Open "Active Directory Domains and Trusts" (run "domain.msc") or "Active Directory Users and Computers" (run "dsa.msc").
In the left pane, right-click the name of the domain being reviewed.
Select "Raise domain functional level…"
The current domain functional level will be displayed (as well as the option to raise the domain functional level).
Select "Cancel" to exit.

Alternatively, use PowerShell (Windows 2008 R2 or later):
Select "Active Directory Module for Windows PowerShell", available in Administrative Tools or the Start Screen.
Run "Get-ADDomain".
View the value for "DomainMode:"

If the current domain functional level is a Windows Server version no longer supported by Microsoft, this is a finding.

Microsoft will no longer support Windows Server 2003 after 14 July 2015.
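
The PowerShell check above can be scripted so the result is recorded the same way for every domain reviewed. The following is an added example, not part of the STIG: the function name Test-DomainFunctionalLevel, the status strings, the sample domain name and the default list of unsupported levels are assumptions (the STIG text names only Windows Server 2003).

```powershell
# Added example, not part of the STIG. Mode names are the DomainMode values
# that Get-ADDomain reports (ADDomainMode enumeration).
function Test-DomainFunctionalLevel {
    [CmdletBinding()]
    param(
        # Name of the domain being reviewed (used for reporting only)
        [Parameter(Mandatory = $true)][string]$DomainName,
        # DomainMode value as reported by Get-ADDomain
        [Parameter(Mandatory = $true)][string]$DomainMode,
        # Assumption: levels treated as unsupported. The STIG names only
        # Windows Server 2003 (support ended 14 July 2015); the two older
        # levels are listed because they predate it. Keep this list current
        # against Microsoft's lifecycle announcements.
        [string[]]$UnsupportedModes = @(
            'Windows2000Domain',
            'Windows2003InterimDomain',
            'Windows2003Domain'
        )
    )

    # Finding condition from the check text: the current level is a
    # Windows Server version no longer supported by Microsoft.
    $status = if ($UnsupportedModes -contains $DomainMode) { 'Open' } else { 'NotAFinding' }

    New-Object PSObject -Property @{
        FindingId  = 'V-8551'
        Domain     = $DomainName
        DomainMode = $DomainMode
        Status     = $status
    }
}

# Constructed sample values, evaluated without contacting a domain controller.
Test-DomainFunctionalLevel -DomainName 'example.test' -DomainMode 'Windows2003Domain'
Test-DomainFunctionalLevel -DomainName 'example.test' -DomainMode 'Windows2012R2Domain'

# Live check: runs only where the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    Test-DomainFunctionalLevel -DomainName $domain.DNSRoot `
        -DomainMode ([string]$domain.DomainMode)
}
```

A level that is missing from the unsupported list is reported as "NotAFinding", so the list has to be extended whenever Microsoft retires another Windows Server version.
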
Fix Text (F-62383r1_fix)
Raise the domain functional level to a Windows Server version still supported by Microsoft.

Microsoft will no longer support Windows Server 2003 after 14 July 2015.

Raising the domain functional level needs to be carefully planned and implemented. Raising the level prevents the addition of domain controllers to the domain using Windows versions prior to the current domain functional level.

See Microsoft documentation for the process and requirements of raising the domain functional level.