What are Active Directory functional levels?
Active Directory functional levels are controls that specify which advanced Active Directory domain features can be used in an enterprise domain. The enterprise domain is usually comprised of domain controllers (DCs) that run on different versions of the Microsoft Windows Server operating system (OS).
From Windows Server 2016 onward, AD functional levels control the domain and forest features of the organization's Active Directory Domain Services (AD DS). Functional levels also limit the Windows Server OS versions that can run DCs within the domain or forest -- though this doesn't limit the OS versions that can run on nodes joined to the domain or forest.
The OS typically designates the AD functional levels. For example, a domain might operate at a Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 or later functional level.
Functional levels are selected when a new forest is deployed, letting administrators set both the forest functional level and the domain functional level. A domain functional level can be set higher than the forest functional level, but not vice versa.
No new forest or domain functional levels have been added since Windows Server 2016. The actual list of functions at domain and forest levels can be cumbersome to parse because later Windows Server versions build on previous versions. The list is additive, where each new version adds one or more features or capabilities over previous versions.
It's generally preferred policy to deploy AD DS with the highest domain and forest functional levels available within the environment to allow the broadest possible range of AD DS features. For example, if the environment is running Windows Server 2022 OSes, the AD functional level assigned to domain controllers is likely Windows Server 2016.
For example, the Windows Server 2016 and later forest functional level includes all of the features available in the Windows Server 2012 R2 forest functional level in addition to privileged access management using Microsoft Identity Manager.
Similarly, the Windows Server 2016 and later domain functional level includes all the AD features from the Windows Server 2012 R2 domain functional level in addition to the following:
- DC support for Windows NT LAN Manager (NTLM) and other password-based secrets on user accounts.
- DC support for network NTLM.
- Changes to Kerberos client authentication.
Consequently, admins need to reference documentation for Windows Server 2012 R2 to determine specific AD features and functions -- only to reference functions and capabilities in earlier versions of Windows Server.
For educational purposes, it's sufficient to know that AD functional levels are inclusive and backward-compatible with AD in previous Windows Server versions. Newer Windows Server versions simply add more functions. Today, this backward-compatibility extends to Windows Server 2012. Any domain controller that runs Windows Server 2008 R2 or older should be upgraded or removed from the domain.
What are the three main functions of Active Directory?
AD is most commonly associated with AD DS, which is the most used AD service. AD is fundamentally a hierarchical database designed to retain, organize and manage information about items attached to a network such as computers and user accounts. AD DS provides many common techniques for storing and accessing data within the database. It also provides three major functions for the enterprise by doing the following:
- Centralizing network resources and security. Centralization is a principal benefit of AD, offering a single enterprise-wide mechanism for admins to manage and secure network objects and resources while ensuring security for those assets.
- Providing global authorization and authentication. AD provides logon control and management for access to network resources within the domain. Users are authenticated once using a single sign-on approach. They can then access any resources for which their account, group or role is authorized.
- Simplifying resource management. AD can be searched to allow for fast and easy resource location. Users can locate published, or visible resources, and then securely access those resources as needed.
Although AD is comprised of many individual features and functions, most fit into one of these three general categories.
What are the benefits of the latest functional level?
Typically, the highest or latest functional level allows AD domain controllers to provide the largest suite of features and functions. Each newer AD version released with a Windows Server OS is backward-compatible but adds capabilities and features only available when all the domain controllers within the forest or domain are operating at the same OS functional level.
For example, Windows Server 2008 R2 adds the AD Recycle Bin, letting admins restore deleted objects from the AD database. This requires changes to the way AD delete behaves, which requires all domain controllers to run Windows Server 2008 R2. While it's certainly possible to operate a mixed environment with domain controllers operating at a lower or older functional level, the features of the higher functional level are disabled until all domain controllers are upgraded to operate at the higher functional level.
After upgrading all domain controllers in the domain or forest, an admin can raise the AD functional level. The level selection informs the domain controllers that certain features can now be enabled. There are two basic caveats to AD functional levels:
- Active Directory functional levels can also apply to higher-level forests composed of multiple domains, but the forest functional level is the maximum limiting attribute. A domain within a forest can operate at a higher functional level than a forest, but no domain can operate at a functional level lower than a forest. For example, a forest configured for a Windows Server 2012 R2 functional level lets domains beneath it use a Windows Server 2012 R2 functional level. But admins can configure domain within the forest to use a higher functional level, such as Windows Server 2016.
- Once an AD functional level is raised, it could be difficult -- or impossible -- to roll back without rebuilding the domain or restoring it from a backup. For example, functional level increases in versions of Windows Server earlier than 2008 R2 can't be rolled back; the admin must rebuild or restore the domain. For versions of Windows Server 2008 R2 and later, the admin can usually roll back the functional level with PowerShell cmdlets if the domain's functional level is higher than the forest's functional level. For example, if the domain operates at Windows Server 2012 R2 and the forest operates at Windows Server 2008, the admin can opt to roll back the domain to Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. However, if both the domain and forest operate at the same functional level, there are no rollback options for the domain.
Admins can use AD functional levels to restrict which domain controllers can participate in the domain. For example, an admin can ensure minimum functionality by configuring a domain to run at a Windows Server 2012 R2 functional level; domain controllers that run on earlier Windows Server versions won't be accepted on the domain.
What is the difference between a domain functional level and a forest functional level?
The primary difference between a domain and a forest is scope. An AD domain is a logical grouping of objects within a single network domain, such as "mycompany.com." A domain can operate two or more domain controllers for AD replication and load sharing. An AD forest is a collection of two or more domains organized to represent an entire enterprise. For example, a forest can include a U.S.-based domain, such as "mycompany.com," and another domain for a European facility, such as "mycompany.co.uk."
The ideas of AD functional levels apply equally to forests and domains. A domain functional level defines the functional level selected for all AD domain controllers within the given domain. Similarly, forest functional level selection sets the features and functionality of AD DS across the entire forest.
Given the caveats involved in AD functional levels, organizations generally operate domain controllers at the forest functional level when a forest exists, ensuring that all domain controllers in every domain across the entire forest are configured similarly. An organization without a forest will typically operate and manage AD at the domain functional level.
Learn which features Windows Server 2022 offers in its Datacenter Azure edition.