Active Directory on Windows Server versions (DFL, FFL) – new features

List of changes by Domain and Forest functional level


2008 Domain functional level:

  • Multiple password policies per domain
  • User-viewable last logon information
  • Increased Kerberos encryption
  • DFS replication for SYSVOL shares


2008 R2 Domain functional level:

  • Better and more automated service account management
  • Security logs and access lists based on authentication type


2008 R2 Forest functional level:

  • AD “recycle bin”


2012 R2 Domain functional level:

  • Restricted admin mode – mstsc /restrictedadmin (the admin's credentials are not sent to the remote desktop, so they are never stored in its LSA)
  • LSA Protection
  • Protected Users group
  • Authentication Policies
  • Authentication Policy Silos (management for authentication policies)
  • Kerberos Armoring


2012 R2 Forest functional level:

  • No new features

2016 Forest functional level:

All of the features that are available at the Windows Server 2012 R2 forest functional level, plus the following feature, are available:

  • Privileged access management (PAM) using Microsoft Identity Manager (MIM) (group membership expiration – JIT, JEA)

2016 Domain functional level:

All default Active Directory features, all features from the Windows Server 2012 R2 domain functional level, plus the following features:

  • DCs can support rolling the NTLM secrets of a public-key-only user.
  • DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices.
  • Kerberos clients that successfully authenticate with the PKInit Freshness Extension get the fresh public key identity SID.
  • Temporary group membership: requires enabling the Privileged Access Management optional feature in the Windows Server 2016 forest.
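As an added example (not code from the original page), the following PowerShell shows how an administrator verifies the forest and domain functional levels, enables the Privileged Access Management optional feature when it is not yet enabled, and then grants the time-limited group membership that the 2016 levels make possible. It assumes the ActiveDirectory module is installed; the group and account names are placeholders.

```powershell
# Added example, not part of the original page.
# Assumes the ActiveDirectory RSAT module; group/account names are placeholders.
Import-Module ActiveDirectory

# 1. Confirm the functional levels (temporary membership needs a 2016 forest)
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest {0}: FFL = {1}" -f $forest.Name,    $forest.ForestMode
"Domain {0}: DFL = {1}" -f $domain.DNSRoot, $domain.DomainMode

# 2. Enable the PAM optional feature if it has not been enabled yet.
#    Note: like the AD recycle bin, this cannot be switched off again.
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if ($pam.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# 3. Grant a membership that expires on its own (JIT style)
$group = 'Domain Admins'     # placeholder group
$user  = 'svc-placeholder'   # placeholder account
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Hours 1)

# 4. Audit: list members with their remaining TTL. Expiring members are
#    returned as "<TTL=<seconds>,<DN>>" so a reviewer can see who is temporary.
Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

The TTL is carried by the directory itself, so the membership is removed by the DCs without a scheduled cleanup job; the final query is what a reviewer runs to distinguish standing from temporary privileged members.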

For more information, see What’s New in Kerberos Authentication and What’s New in Credential Protection.