Exchange 2016 CU7 AD Forest Function Level Requirements

In September 2016, just over a year ago from the time of writing, Exchange 2016 CU3 added support for Windows 2016.  Exchange 2016 CU3 added support for installing Exchange 2016 onto Windows Server 2016 and also to have Windows 2016 Domain Controllers (DCs) in the environment.  There is a nuance with the latter.  In order to be supported with Windows 2016 DCs, the Active Directory (AD DS) had to be at a minimum of Windows 2008 R2 Forest Functionality Level (FFL).

As the initial blog and a subsequent addendum explained, this support requirement was initially policy based.  The requirement was present and documented, but not initially enforced by Exchange 2016 setup.  A years advance notification was provided, so that in September 2017 the validation check would be added to Exchange 2016 setup.

Well here we are, it is now Fall Autumn 2017, and Exchange 2016 CU7 setup will check AD DS FFL to be at a minimum of Windows Server 2008 R2 as promised.

Note that this post is for Exchange 2016 only.

What happens if this AD DS requirement is not met?  Example is below.

Lab Configuration

This is a standard Exchange 2016 lab with a single Exchange 2016 server and a single Windows 2008 R2 Domain Controller.  Exchange is installed onto Windows 2012 R2.

If we look at the Exchange 2016 installation, we can see that Exchange 2016 CU2 is currently installed.  Since this is not Exchange 2007/2010 we can look at the AdminDisplayVersion property to determine the installed build, a separate process was required for older Exchange versions.

Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion

Check Exchange Server Version in Exchange Management Shell

For the AD DS aspect of the lab, the Active Directory Domain Functional Level (DFL) and Forest Functional Level (FFL) are both set to Windows 2008.  We can easily verify this by looking at the properties of the domain in domain.msc and also by PowerShell.

Using AD Domains and Trusts To Check AD DFL and FFL

Get-ADDomain | Select-Object Name,DomainMode
Get-ADForest | Select-Object Name,ForestMode

Using PowerShell To Check AD DFL and FFL

Feel free to use whichever method you prefer, there are many more.

For those wondering why this is also checking for the DFL when the FFL requires at least the same level function level for all domains in the forest there is a reason.  While we could look at just the FFL to ensure that the Forest Functional requirement is met, the domain command was added for those who may need to check which domains were not set to an appropriate level thus blocking the overall FFL.  If you need to raise or modify any of these settings, make sure to follow your normal change process...

TopTip: If you have to ask yourself  if a change requires approval, then the answer is inevitably yes!

Exchange 2016 CU7 Setup With 2008 FFL

If we attempt to run the Exchange 2016 CU7 setup with the FFL set to Windows 2008 you will be a lucky recipient of the error below.  This will occur not only when trying to update/install a mailbox server, it will also error out when running /PrepareSchema.

setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema

Exchange 2016 CU7 Setup Checks for Windows 2008 FFL - Running PrepareSchema

setup.exe /IAcceptExchangeServerLicenseTerms /Mode:Upgrade

Exchange 2016 CU7 Setup Checks for Windows 2008 FFL - Running Upgrade

For make most glorious benefit search engines:

Active Directory Forest Functional level in the organization must be upgraded to Windows Server 2008 R2 or later.
For more information, visit:

The Exchange Server setup operation didn't complete. More details can be found in ExchangeSetup.log located
in the <SystemDrive>:ExchangeSetupLogs folder.

The same will be found in the Exchange server setup log file which is in C:ExchangeSetupLogs.

[10/03/2017 03:34:25.0066] [1] Failed [Rule:MsDSBehaviorVersionRequirement] [Message:Active Directory Forest Functional level in the organization must be upgraded to Windows Server 2008 R2 or later.]
[10/03/2017 03:34:25.0066] [1] [RECOMENDED] Setup can't detect a Send connector with an address space of '*'. Mail flow to the Internet may not work properly.
[10/03/2017 03:34:25.0082] [1] [REQUIRED] Active Directory Forest Functional level in the organization must be upgraded to Windows Server 2008 R2 or later.
[10/03/2017 03:34:25.0082] [1] Help URL: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.MsDSBehaviorVersionRequirement.aspx


As per Active Directory Forest Functional Levels for Exchange Server 2016, it was announced that Exchange Server 2016 would enforce a minimum 2008 R2 Forest Functional Level requirement for Active Directory.  Cumulative Update 7 for Exchange Server 2016 will now enforce this AD DS requirement.

The help URL can be found here on TechNet.



Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *