Active Directory Functional Levels Overview

Jun 20, 2025

Summary

  • The article outlines the functional levels available in Active Directory Domain Services (AD DS) for various Windows Server versions, including 2025, 2016, and 2012 R2.
  • Functional levels determine available AD DS features and which Windows Server versions can be used as domain controllers.
  • Guidance is provided for raising functional levels, using PowerShell, and resources for migration and certification.
  • Major new features in each functional level are highlighted, along with important compatibility notes.

Action Items

  • None documented in the source content.

Functional Levels Overview

  • Functional levels in AD DS define the features available in domains/forests and dictate which Windows Server versions are supported as domain controllers.
  • Workstation and member server operating systems are not impacted by functional levels.
  • It is recommended to set domain and forest functional levels to the highest possible value supported by the environment to access the latest features.

Windows Server 2025 Functional Levels

  • Only Windows Server 2025 can be used as domain controllers at this level.
  • All features from previous levels are available, with the addition of the "Database 32k pages" optional feature.
  • More information on this feature is available via dedicated documentation.

Windows Server 2016 Functional Levels

  • Supported domain controllers: Windows Server 2016, 2019, 2022, and 2025.
  • Requires DFS-R for SYSVOL replication; File Replication Service (FRS) is deprecated and no longer supported in newer versions.
  • New features:
    • Privileged access management (PAM) via Microsoft Identity Manager.
    • Enhanced password management for accounts with PKI requirements.
    • More granular NTLM network restrictions.
    • Kerberos PKInit Freshness Extension support.
  • Additional guidance is provided for migrating SYSVOL replication from FRS to DFS-R and understanding new Kerberos and credential protection features.

Windows Server 2012 R2 Functional Levels

  • Supported domain controllers: Windows Server 2012 R2, 2016, 2019, and 2022.
  • New features:
    • DC-side protections for "Protected Users" (NTLM authentication blocked, Kerberos cipher suites restricted, Kerberos delegation blocked, whether unconstrained or constrained).
    • Authentication policies to control sign-in hosts and service access.
    • Authentication Policy Silos for account isolation and management.

Functional and Domain Levels in Previous Windows Server Versions

  • Reference provided for functional levels in versions earlier than Windows Server 2012 R2.

Next Steps and Resources

  • To raise forest functional level: use PowerShell command Set-ADForestMode.
  • To raise domain functional level: use PowerShell command Set-ADDomainMode.
  • Further guidance available via Microsoft documentation on raising domain/forest functional levels.
  • Training modules and certification paths available for AD DS migration and hybrid administration.
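
The checks implied above, followed by a dry run of both commands, as an added example that is not part of the source article. It targets the Windows Server 2016 levels and assumes the ActiveDirectory RSAT module, a session on a domain controller, and English-language dfsrmig.exe output.

```powershell
# Added example (not from the source article). Target: Windows Server 2016 levels.
# Assumes the ActiveDirectory module and English dfsrmig.exe output (assumption).
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest mode: $($forest.ForestMode)"

# 1. Inventory every DC in every domain. The 2016 level supports only
#    Windows Server 2016, 2019, 2022 and 2025 domain controllers.
$supported = 'Windows Server (2016|2019|2022|2025)'
$dcs = foreach ($d in $forest.Domains) {
    Write-Host "Domain $d mode: $((Get-ADDomain -Server $d).DomainMode)"
    Get-ADDomainController -Filter * -Server $d
}
$dcs | Select-Object Domain, HostName, OperatingSystem | Format-Table -AutoSize
$blockers = @($dcs | Where-Object { $_.OperatingSystem -notmatch $supported })

# 2. SYSVOL must replicate over DFS-R. A completed FRS-to-DFS-R migration
#    reports the global state 'Eliminated'. dfsrmig covers the current
#    domain only, so repeat this check in each domain of the forest.
$dfsrState = (dfsrmig.exe /getglobalstate) -join ' '
$sysvolOnDfsr = $dfsrState -match 'Eliminated'

if ($blockers.Count -gt 0 -or -not $sysvolOnDfsr) {
    Write-Warning ("Not ready. Unsupported DCs: {0}. DFS-R state: {1}" -f `
        ($blockers.HostName -join ', '), $dfsrState)
    return
}

# 3. Dry run: raise each domain first, then the forest.
#    Remove -WhatIf only after reviewing the output above.
foreach ($d in $forest.Domains) {
    Set-ADDomainMode -Identity $d -DomainMode Windows2016Domain -Server $d -WhatIf
}
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2016Forest -WhatIf
```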

Decisions

  • Recommendation: raise functional levels to the highest value the environment supports, to access the most advanced AD DS features and ensure compatibility with the latest Windows Server versions.

Open Questions / Follow-Ups

  • None identified in the source content.