Active Directory on Windows Server versions (DFL, FFL) – new features

 

List of changes introduced by each Domain functional level (DFL) and Forest functional level (FFL)

 

2008 Domain functional level:

  • Multiple password policies per domain (fine-grained password policies)
  • User-viewable last logon information
  • Stronger Kerberos encryption (AES)
  • DFS Replication for the SYSVOL share

 

2008 R2 Domain functional level:

  • Better and more automated service account management (managed service accounts)
  • Security logs and access control based on authentication type (authentication mechanism assurance)

 

2008 R2 Forest functional level:

  • AD "recycle bin"

 

2012 R2 Domain functional level:

  • Restricted Admin mode – mstsc /restrictedadmin (the admin's credentials are not sent to the remote desktop host, so they are not stored in its LSA)
  • LSA Protection
  • Protected Users group
  • Authentication Policies
  • Authentication Policy Silos (management container for authentication policies)
  • Compound ID (compound authentication: the user's ticket also carries the device identity)
  • Kerberos Armoring (FAST)

 

2012 R2 Forest functional level:

  • No new forest-level features

2016 Forest functional level:

All of the features that are available at the Windows Server 2012 R2 forest functional level, plus the following:

  • Privileged access management (PAM) using Microsoft Identity Manager (MIM) (time-limited group membership – JIT, JEA)

2016 Domain functional level:

All default Active Directory features, all features from the Windows Server 2012 R2 domain functional level, plus the following:

  • DCs can support rolling the NTLM secrets of a public-key-only user.
  • DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices.
  • Kerberos clients that successfully authenticate with the PKInit Freshness Extension receive the fresh public key identity SID (RFC 8070: https://datatracker.ietf.org/doc/rfc8070/?include_text=1).
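
The following PowerShell script is an added example (not part of the original page) that reports the current DFL/FFL and checks whether the level-dependent defensive features listed above (fine-grained password policies, AD Recycle Bin, Protected Users, authentication policies and silos, the PAM optional feature) are actually enabled or in use. It assumes the RSAT ActiveDirectory module (2012 R2 or later) and a domain-joined, authenticated session.

```powershell
# Added example: show functional levels and whether the features they unlock are in use.
# Assumes the RSAT ActiveDirectory module and an account that can read the domain.
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host "Domain : $($domain.DNSRoot)  DFL: $($domain.DomainMode)"
Write-Host "Forest : $($forest.Name)  FFL: $($forest.ForestMode)"

# 2008 DFL: fine-grained password policies (multiple password policies per domain)
$fgpp = @(Get-ADFineGrainedPasswordPolicy -Filter *)
Write-Host ("Fine-grained password policies defined : {0}" -f $fgpp.Count)

# 2008 R2 FFL: the Recycle Bin is an optional feature and must be enabled explicitly
$recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$rbEnabled  = @($recycleBin.EnabledScopes).Count -gt 0
Write-Host ("AD Recycle Bin enabled                 : {0}" -f $rbEnabled)

# 2012 R2 DFL: the Protected Users group is created once the PDC emulator runs 2012 R2+
$protected = Get-ADGroup -Filter 'Name -eq "Protected Users"' -ErrorAction SilentlyContinue
if ($protected) {
    $members = @(Get-ADGroupMember -Identity $protected -Recursive)
    Write-Host ("Protected Users members                : {0}" -f $members.Count)
} else {
    Write-Host "Protected Users group not present (PDC emulator below 2012 R2?)"
}

# 2012 R2 DFL: authentication policies and the silos that group them
$policies = @(Get-ADAuthenticationPolicy -Filter *)
$silos    = @(Get-ADAuthenticationPolicySilo -Filter *)
Write-Host ("Authentication policies / silos        : {0} / {1}" -f $policies.Count, $silos.Count)

# 2016 FFL: the PAM optional feature used by MIM for time-limited group membership
$pam = Get-ADOptionalFeature -Filter 'Name -like "Privileged Access Management Feature"'
Write-Host ("PAM optional feature enabled           : {0}" -f (@($pam.EnabledScopes).Count -gt 0))
```

A raised functional level only makes these features available; the script's "0" or "False" results are the gaps worth closing (for example a 2012 R2 domain with an empty Protected Users group).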

For more information see "What's New in Kerberos Authentication" and "What's New in Credential Protection".