Active Directory on Windows Server versions (DFL, FFL) – new features

List of changes by Domain and Forest functional level

2008 Domain functional level:

  • Fine-grained password policies: multiple password and lockout policies per domain (Password Settings Objects applied to users and global security groups)
  • Last interactive logon information: last successful/failed interactive logon and failed-logon count are stored on the user object and can be shown to the user at logon
  • Stronger Kerberos encryption: AES 128 and AES 256 key types
  • DFS Replication (DFSR) for SYSVOL instead of FRS
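An added example (not from the original post) of the first two 2008 DFL items in practice: a fine-grained password policy for a privileged group, a check of which policy actually wins for a member, and a read of the last-interactive-logon attributes. The group 'Tier0-Admins', the user 't0admin' and the PSO name 'PSO-Tier0' are assumed names.

```powershell
# Added example, not from the original post. Assumed names: group 'Tier0-Admins',
# user 't0admin', PSO 'PSO-Tier0'. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# PSOs live in CN=Password Settings Container,CN=System,<domain>.
# Lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs bind to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0' -Subjects 'Tier0-Admins'

# Resultant policy = the applicable PSO with the lowest precedence,
# or the Default Domain Policy if no PSO applies to this user.
Get-ADUserResultantPasswordPolicy -Identity 't0admin' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Last interactive logon data (2008 DFL). The attributes are only populated when the GPO
# "Display information about previous logons during user logon" is enabled; the times are
# stored as FILETIME large integers, so convert them for display.
$logonAttrs = 'msDS-LastSuccessfulInteractiveLogonTime',
              'msDS-LastFailedInteractiveLogonTime',
              'msDS-FailedInteractiveLogonCount'
Get-ADUser -Identity 't0admin' -Properties $logonAttrs |
    Select-Object SamAccountName,
        @{ n = 'LastSuccessfulInteractiveLogon'; e = { if ($_.'msDS-LastSuccessfulInteractiveLogonTime') { [DateTime]::FromFileTime($_.'msDS-LastSuccessfulInteractiveLogonTime') } } },
        @{ n = 'LastFailedInteractiveLogon';     e = { if ($_.'msDS-LastFailedInteractiveLogonTime')     { [DateTime]::FromFileTime($_.'msDS-LastFailedInteractiveLogonTime') } } },
        @{ n = 'FailedInteractiveLogonCount';    e = { $_.'msDS-FailedInteractiveLogonCount' } }
```

The resultant-policy query is the check worth keeping in a runbook: a PSO applied to a nested group or to a user who is also a member of a group with a lower-precedence PSO silently loses, and only Get-ADUserResultantPasswordPolicy shows what the DC actually enforces.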

2008 R2 Domain functional level:

  • Managed service accounts (MSA): the domain generates and rotates the account password and maintains its SPNs, so nobody has to know or store a service password
  • Authentication mechanism assurance: group membership, and therefore access control and auditing, can depend on how the user authenticated (for example smart card versus password)

2008 R2 Forest functional level:

  • AD Recycle Bin: deleted objects keep their attributes (SID, group memberships, etc.) for the deleted-object lifetime and can be restored intact
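An added example (not from the original post) covering the two 2008 R2 items: creating a standalone managed service account for one host, and enabling the AD Recycle Bin and restoring a deleted user from it. The host 'APP01', the account 'svc-app', the SPN 'HTTP/app01.contoso.local' and the user 'jdoe' are assumed names.

```powershell
# Added example, not from the original post. Assumed names: computer 'APP01',
# service account 'svc-app', SPN 'HTTP/app01.contoso.local', deleted user 'jdoe'.
Import-Module ActiveDirectory

# --- 2008 R2 DFL: standalone managed service account ------------------------------
# The DC owns the password (120-character, rotated automatically) and the SPNs; the
# account is bound to a single computer. Group MSAs, which span hosts, need Windows
# Server 2012; -RestrictToSingleComputer selects the 2008 R2-style standalone MSA.
New-ADServiceAccount -Name 'svc-app' -RestrictToSingleComputer `
    -ServicePrincipalNames 'HTTP/app01.contoso.local' -Enabled $true
Add-ADComputerServiceAccount -Computer 'APP01' -ServiceAccount 'svc-app'
# Then on APP01 itself (as a local administrator):
#   Install-ADServiceAccount -Identity svc-app
#   Test-ADServiceAccount    -Identity svc-app      # $true when the host can retrieve the password
# and configure the service to run as CONTOSO\svc-app$ with an empty password.

# --- 2008 R2 FFL: AD Recycle Bin ----------------------------------------------------
# Forest-wide and irreversible. Until it is enabled, a deleted object is only a tombstone
# that has lost most attributes, including group memberships.
$forest = Get-ADForest
if (-not (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# How long a deleted object stays restorable (forest default is 180 days when unset).
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
(Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'

# Deleted objects are renamed to "<name>\0ADEL:<guid>" under CN=Deleted Objects, so match on
# the name prefix, confirm the right one via lastKnownParent, then restore it.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and Name -like "jdoe*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged
$deleted | Restore-ADObject
```

Restore-ADObject puts the object back under its lastKnownParent; if that OU was deleted too, restore the parent first or pass -TargetPath with a new container.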

2012 R2 Domain functional level:

  • Restricted Admin mode for Remote Desktop (mstsc /restrictedAdmin): the administrator's credentials are never sent to the remote host, so no reusable password or hash is cached in that host's LSA. Caveat: because the remote host no longer needs the password, it accepts the user's NTLM hash or Kerberos ticket as proof of identity, which also lets an attacker who already holds the hash open an RDP session (pass-the-hash over RDP). This is a Windows 8.1 / Server 2012 R2 OS feature (backported to older systems by KB2871997), not something gated on the functional level.
  • LSA Protection (RunAsPPL): LSASS runs as a protected process, so unsigned or non-protected code cannot open it with memory-read or injection rights. Also an OS feature, independent of the functional level.
  • Protected Users group: members cannot authenticate with NTLM, cannot use DES or RC4 Kerberos keys, cannot be delegated, and get a 4-hour non-renewable TGT. The group appears once the PDC emulator runs 2012 R2; the domain-controller-side enforcement requires the 2012 R2 DFL.
  • Authentication Policies: per-account TGT lifetime and conditions (which devices, which silo) under which a TGT is issued or a service ticket to a resource is granted.
  • Authentication Policy Silos: containers that bind users, computers and service accounts to an authentication policy.
  • Kerberos armoring (FAST): wraps pre-authentication in a channel keyed with the device's TGT, which protects against offline password guessing and KDC spoofing. Requires the Windows Server 2012 DFL and the "KDC support for claims, compound authentication and Kerberos armoring" policy on the DCs.
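An added example (not from the original post) that applies the 2012 R2 protections above to one Tier-0 administrator: Protected Users membership, an authentication policy that only issues a TGT from a specific device group, a silo that ties the policy to the account, and the host-side LSA Protection / Restricted Admin registry values. The user 't0admin', the device group 'Tier0-Hosts', the policy 'Tier0-Policy' and the silo 'Tier0-Silo' are assumed names.

```powershell
# Added example, not from the original post. Assumed names: user 't0admin',
# device group 'Tier0-Hosts', policy 'Tier0-Policy', silo 'Tier0-Silo'.
Import-Module ActiveDirectory

$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
    throw "Authentication policies/silos and DC-side Protected Users need the 2012 R2 DFL; found $($domain.DomainMode)"
}

# 1) Protected Users: no NTLM, no DES/RC4 keys, no delegation, 4h non-renewable TGT.
#    Keep a break-glass admin outside the group: NTLM-only services stop working for members.
Add-ADGroupMember -Identity 'Protected Users' -Members 't0admin'

# 2) Authentication policy: 2-hour TGT, issued only when the request comes from a device
#    that is a member of Tier0-Hosts. The condition is a conditional ACE on the device's
#    group SID, evaluated against the compound (device) authentication data.
$t0hosts     = Get-ADGroup -Identity 'Tier0-Hosts'
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID($($t0hosts.SID))}))"
New-ADAuthenticationPolicy -Name 'Tier0-Policy' -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $allowedFrom -Enforce `
    -Description 'Tier 0 admins: 2h TGT, logon only from Tier0-Hosts'

# 3) Silo: the account is both granted access to the silo and assigned to it.
New-ADAuthenticationPolicySilo -Name 'Tier0-Silo' -UserAuthenticationPolicy 'Tier0-Policy' -Enforce
Grant-ADAuthenticationPolicySiloAccess -Identity 'Tier0-Silo' -Account 't0admin'
Set-ADAccountAuthenticationPolicySilo -Identity 't0admin' -AuthenticationPolicySilo 'Tier0-Silo'

# 4) Host-side settings on the admin workstation / jump host (OS features, not DFL-dependent).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'RunAsPPL' -Value 1 -Type DWord               # LSASS as PPL, effective after reboot
Set-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -Value 0 -Type DWord  # 0 = accept Restricted Admin RDP

# 5) Verify what ended up on the account.
Get-ADUser -Identity 't0admin' -Properties MemberOf, 'msDS-AssignedAuthNPolicySilo' |
    Select-Object SamAccountName,
        @{ n = 'Silo';          e = { $_.'msDS-AssignedAuthNPolicySilo' } },
        @{ n = 'ProtectedUser'; e = { [bool]($_.MemberOf -match '^CN=Protected Users,') } }
```

Two practical notes. The device-group condition only works when claims and compound authentication are switched on (the KDC policy named in the list above on the DCs, and "Kerberos client support for claims, compound authentication and Kerberos armoring" on the clients); without them the device's group SIDs never reach the KDC and every TGT request is refused. And run both New-AD* commands without -Enforce first: in that audit mode the DC logs what it would have blocked instead of blocking it, which is how you find the service that still needs the account.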

2012 R2 Forest functional level:

  • No new features (same feature set as the Windows Server 2012 forest functional level)

2016 Domain functional level:

All default Active Directory features, all features from the Windows Server 2012 R2 domain functional level, plus the following:

  • DCs can roll the NTLM secret of users who are configured for public-key-only authentication (for example "smart card required for interactive logon"), so the NTLM hash of such accounts is no longer a static, indefinitely reusable credential.
  • DCs can allow network NTLM for a user whose authentication policy otherwise restricts them to specific domain-joined devices.
  • Kerberos clients that authenticate with the PKInit Freshness Extension receive the "fresh public key identity" SID in their token, which lets resources require proof of a recent certificate/smart-card authentication rather than a cached one.
  • Temporary (time-bound) group membership. Note that this is really a forest-level feature: it requires the 2016 forest functional level and the Privileged Access Management optional feature enabled in the forest.

For more information see "What's New in Kerberos Authentication" and "What's New in Credential Protection".

2016 Forest functional level:

All of the features that are available at the Windows Server 2012 R2 forest functional level, plus the following:

  • Privileged Access Management (PAM) using Microsoft Identity Manager (MIM)
  • The building blocks PAM/PIM relies on, available once the Privileged Access Management optional feature is enabled in the forest: expiring (time-to-live) group membership, and shadow security principals, which represent accounts from a separate bastion forest inside the production forest's groups
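An added example (not from the original post) for the time-bound membership referred to in both the 2016 DFL list ("temporary group membership") and the 2016 FFL list above: it checks the forest functional level, enables the Privileged Access Management optional feature, grants a 30-minute Domain Admins membership and reads the link back with its remaining TTL. The user 'jdoe' is an assumed name.

```powershell
# Added example, not from the original post. Assumed name: user 'jdoe', who needs
# Domain Admins for 30 minutes. Needs the RSAT ActiveDirectory module (2016 or later).
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) {
    throw "The Privileged Access Management feature needs the 2016 FFL; found $($forest.ForestMode)"
}

# Enabling the optional feature is forest-wide and cannot be undone.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

# Membership with a TTL. The DC removes the link when the TTL expires, and a TGT issued to
# jdoe in the meantime has its lifetime capped at the remaining TTL, so the group SID
# disappears from the user's tickets at the same moment, not at the next logon.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' -MemberTimeToLive (New-TimeSpan -Minutes 30)

# Read the links back. With -ShowMemberTimeToLive each expiring member is returned as
# "<TTL=<seconds left>,CN=jdoe,OU=...>"; permanent members come back as plain DNs.
$members = (Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member
$members | ForEach-Object {
    if ($_ -match '^<TTL=(\d+),(.+)>$') {
        [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
    } else {
        [pscustomobject]@{ Member = $_;          SecondsLeft = $null }   # permanent member
    }
} | Sort-Object SecondsLeft | Format-Table -AutoSize
```

The same cmdlet pattern is what MIM uses underneath for PAM; what MIM adds on top is the bastion forest, the shadow principals that map bastion-forest accounts into production groups, and the approval workflow that decides who gets the TTL membership.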


2025 Forest functional level (Windows Server 2019 and 2022 introduced no new functional levels):

All of the features that are available at the Windows Server 2016 forest functional level (unchanged through 2019 and 2022), plus the following. Apart from the 32 KB database page format, these are behaviours of Windows Server 2025 domain controllers and clients and do not depend on raising the functional level:

  • AD DS database update: the ESE ("JET Blue") database page size can be raised from 8 KB to 32 KB. This is an optional feature that can only be enabled once every DC in the forest runs Windows Server 2025 and the forest is at the 2025 FFL; until then the database keeps the 8 KB format.
  • NUMA (Non-Uniform Memory Access) support: AD DS now uses CPUs in all processor groups instead of only group 0, which matters on large multi-socket hosts.
  • Replication partner priority: administrators can raise the system-calculated replication priority for specific replication partners.
  • New DC locator algorithm: DCs can be found by NetBIOS-style domain name through DNS, without relying on the legacy NetBIOS/mailslot protocol.
  • Security defaults: RC4 is deprecated and added to the list of ciphers that should not be used (Kerberos defaults to AES); LDAP over TLS supports TLS 1.3; and LDAP sealing (encryption) is enabled automatically after a SASL bind.
  • Password change methods: the SAM-RPC password change method that uses AES (SamrUnicodeChangePasswordUser4) is accepted as the new default, and the older, non-AES SAM-RPC change methods are blocked when called remotely. For members of the Protected Users group and for local accounts on domain-joined computers, remote password changes over the SAM-RPC interface are blocked entirely by default; Kerberos is the preferred password-change protocol.
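An added example (not from the original post) of the two pre-flight checks a practitioner wants before relying on the 2025 security defaults above: which accounts still depend on RC4 Kerberos keys, and which clients still bind to LDAP without signing or with a cleartext simple bind (those are the ones the new sealing default affects). It assumes the RSAT ActiveDirectory module and the right to change the DC's diagnostics registry value and read its Directory Service log; the 0x4/0x8/0x10 flags are the documented msDS-SupportedEncryptionTypes bits.

```powershell
# Added example, not from the original post. Run on (or against) a domain controller.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags (DES_CBC_CRC=0x1, DES_CBC_MD5=0x2 omitted here)
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

# (a) Accounts that have an SPN, i.e. accounts service tickets are issued for, which still
#     allow RC4 or have the attribute unset. For an unset attribute the KDC falls back to
#     the domain default, which historically included RC4. (computer is a subclass of user,
#     so the filter catches both.)
function Get-Rc4ServiceAccount {
    Get-ADObject -LDAPFilter '(&(objectClass=user)(servicePrincipalName=*))' `
        -Properties 'msDS-SupportedEncryptionTypes', servicePrincipalName |
    ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        $status = if ($null -eq $etypes -or $etypes -eq 0) { 'unset (legacy default, RC4 possible)' }
                  elseif ($etypes -band $RC4)                 { 'RC4 allowed' }
                  elseif ($etypes -band ($AES128 -bor $AES256)) { 'AES only' }
                  else                                         { 'DES only' }
        [pscustomobject]@{ Name = $_.Name; Class = $_.ObjectClass; Etypes = $etypes; Status = $status }
    } | Where-Object Status -ne 'AES only'
}
Get-Rc4ServiceAccount | Format-Table -AutoSize

# (b) Clients binding without signing/sealing. The DC logs event 2889 (Directory Service log)
#     for every unsigned SASL bind or cleartext simple bind once LDAP interface diagnostics
#     are raised to level 2. Leave it on for at least one business cycle before judging.
$ntdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

function Get-UnsignedLdapBind {
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
        -MaxEvents 1000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property order follows the 2889 message template: client IP:port, identity, binding type.
        [pscustomobject]@{
            Client   = $_.Properties[0].Value
            Identity = $_.Properties[1].Value
            BindType = if ($_.Properties[2].Value -eq 1) { 'simple bind (cleartext)' } else { 'SASL without signing' }
            Time     = $_.TimeCreated
        }
    }
}
Get-UnsignedLdapBind | Group-Object Client, BindType |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Both lists are the remediation backlog: set msDS-SupportedEncryptionTypes to 0x18 (AES only) on the accounts in (a) after their passwords have been reset at least once since AES keys were introduced, and move the clients in (b) to LDAPS or to SASL binds with signing/sealing requested.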

About marwin:

IT Engineer: design, implementation and administration of Microsoft products. Active Directory and MS Exchange systems, Hyper-V, SCOM.
This post was published in the category Active Directory.