Functional levels in AD are stored in an attribute named msDS-Behavior-Version. Depending on the object the attribute is attached to, it returns the functional level of the forest, domain or the capabilities of a domain controller.
This information can be used in a script, for example to verify if the forest or domain is in a certain mode or if you want to make sure there are no Windows 2003 controllers.
Note that when the value is missing, 0 is assumed.
Forest Functional Level
For the forest, you can determine the functional level by inspecting the msDS-Behavior-Version property of cn=partitions,cn=configuration,. For example, to find out the current forest functional level using PowerShell:
([ADSI]”LDAP://cn=partitions,cn=configuration,dc=contoso,dc=local”).get(“MSDS-Behavior-Version”)
Domain Functional Level
For the domain, you can determine the functional level by inspecting the msDS-Behavior-Version property of . For example, to find out the current domain functional level:
([ADSI]”LDAP://dc=contoso,dc=local”).get(“MSDS-Behavior-Version”)
Domain Controllers
To determine the (maximum) capabilities of a domain controller, inspect inspect the msDS-Behavior-Version property of cn=NTDS Settings,cn=,cn=servers,cn=sites,cn=configuration,.The class of the “NTDS Settings” object is NTDSDSA, which you can use to query the value for all domain controllers (sample script here).
Levels
| msDS-Behavior-Version | Forest | Domain | Domain Controller |
| 0 | 2000 | 2000 Mixed / Native | 2000 |
| 1 | 2003 Interim | 2003 Interim | N/A |
| 2 | 2003 | 2003 | 2003 |
| 3 | 2008 | 2008 | 2008 |
| 4 | 2008 R2 | 2008 R2 | 2008 R2 |
| 5 | 2012 | 2012 | 2012 |
| 6 | 2012 R2 | 2012 R2 | 2012 R2 |
| 7 | 2016 | 2016 | 2016 |
| 7 | 2019 | 2019 | 2019 |
EighTwOne (821) 
Pingback: Retrieving DCs functional levels | EighTwOne (821)
Pingback: Active Directory Schema Version | EighTwOne (821)
Pingback: Windows Server 2012 RC Version and Levels | EighTwOne (821)