

Do Active Directory functional levels still matter?

Will there be enough improvements in the next version of Active Directory for administrators to consider raising functional levels?

With every version of Windows, Microsoft introduces many new features and capabilities. However, this push for innovation also provides a challenge to maintain backward compatibility with previous Windows Server versions. Early on Microsoft found this to be especially problematic for Active Directory and introduced forest and domain functional levels as a workaround.

If you are not familiar with the concept of forest functional levels or domain functional levels, the idea is simple. Most Active Directory environments consist of multiple domain controllers. These domain controllers might not always run the same version of Windows Server. For instance, an organization might have a Windows Server 2008 domain controller and a Windows Server 2012 domain controller in the same domain. Due to the distributed nature of the Active Directory, this means that some features cannot be used unless they are supported by all of the domain controllers. This is where Active Directory functional levels come into play.

Functional levels guarantee a certain level of functionality. For example, a domain that has a domain functional level of Windows Server 2008 R2 is able to use the Active Directory features that were introduced in and prior to Windows Server 2008 R2. Domain controllers running Windows Server 2012 or 2012 R2 could be added to the domain, but Active Directory capabilities that were introduced in Windows Server 2012 or 2012 R2 cannot be used because the domain functional level prevents it.

Domain functional levels also limit the types of domain controllers that can participate in the domain. For example, a domain that is running at the Windows Server 2008 R2 functional level cannot accept domain controllers running on versions of Windows older than Windows Server 2008 R2.

Forest functional levels are similar to domain functional levels, except they apply to the Active Directory forest as a whole rather than to individual domains within the forest. A domain can operate at a higher functional level than the forest but cannot operate at a lower functional level.

Obviously no organization wants to deploy Windows Server 2012 R2 and then get stuck at a Windows Server 2003 functional level, but there are other considerations.

Do functional levels still matter?

One way of looking at the question is to consider if you will ever need backward compatibility within your Active Directory environment. Suppose you decide to create a new Active Directory forest using Windows Server 2012 R2 domain controllers and set the forest and domain functional levels to Windows Server 2012 R2. This eliminates the ability to join older domain controllers to the forest. In a new deployment that's probably not an issue, but you will likely have to deal with functional levels eventually.

When Microsoft releases Windows Server 2016, an administrator will have to raise the functional levels to use the new Active Directory capabilities. Before that, the organization will have to upgrade the domain controllers in either the domain or the forest where the functional levels will be raised. There is no problem with having an Active Directory domain that is made up of both Windows Server 2012 R2 and Windows Server 2016 domain controllers, but you won't be able to raise the functional level and use the new features until all legacy domain controllers have been upgraded, replaced or retired.
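The rules described so far can be checked before a raise: the oldest domain controller caps the level you can reach, a domain cannot sit below the forest level, and a domain controller older than the domain level cannot join. The PowerShell below is an added example, not part of the original article; the function names and the inventory are constructed, and the comments name the ActiveDirectory module cmdlets that would supply live values.

```powershell
# Releases named in the article, oldest to newest; array index = rank.
$Releases = @('2003', '2008', '2008 R2', '2012', '2012 R2', '2016')

function Get-ReleaseRank {
    param([string]$Name)
    # Try longer names first so '2008 R2' is not read as '2008'. The optional
    # space also accepts mode strings such as 'Windows2012R2Domain'.
    foreach ($r in ($Releases | Sort-Object Length -Descending)) {
        if ($Name -match ($r -replace ' ', '\s?')) {
            return [array]::IndexOf($Releases, $r)
        }
    }
    throw "Unrecognized Windows Server release: $Name"
}

function Test-FunctionalLevelPlan {
    param(
        [string]$ForestLevel,     # live: (Get-ADForest).ForestMode
        [string]$DomainLevel,     # live: (Get-ADDomain).DomainMode
        [string[]]$DcOS,          # live: (Get-ADDomainController -Filter *).OperatingSystem
        [string]$TargetLevel,     # level you want to raise the domain to
        [string]$CandidateOS      # OS of a DC you want to add
    )
    $domain = Get-ReleaseRank $DomainLevel
    $target = Get-ReleaseRank $TargetLevel
    $oldest = ($DcOS | ForEach-Object { Get-ReleaseRank $_ } |
               Measure-Object -Minimum).Minimum
    [pscustomobject]@{
        # A domain may sit above the forest level, never below it.
        DomainAtOrAboveForest = $domain -ge (Get-ReleaseRank $ForestLevel)
        # The oldest DC caps how far the level can be raised.
        HighestRaisableLevel  = $Releases[[int]$oldest]
        # DCs that must be upgraded, replaced or retired before the raise.
        BlockingDCs = @($DcOS | Where-Object { (Get-ReleaseRank $_) -lt $target })
        # A DC older than the current domain level cannot join.
        CandidateCanJoin      = (Get-ReleaseRank $CandidateOS) -ge $domain
    }
}

# Constructed inventory modelled on the article's 2008 R2 example.
$plan = Test-FunctionalLevelPlan -ForestLevel 'Windows2008Forest' `
    -DomainLevel 'Windows2008R2Domain' -TargetLevel '2012 R2' `
    -CandidateOS 'Windows Server 2008 Enterprise' -DcOS @(
        'Windows Server 2008 R2 Standard',
        'Windows Server 2012 Standard',
        'Windows Server 2012 R2 Datacenter')
$plan | Format-List
```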

Also, consider the functionality you gain by moving to a higher functional level. Windows Server 2003 introduced a huge number of new capabilities over what was available through Windows 2000 domain controllers. Windows Server 2003 R2 introduced even more improvements and new features over Windows Server 2003, so once again there was a real incentive to raise the functional level. This trend continued in Windows Server 2008 but began to slow in Windows Server 2008 R2. Subsequent Windows Server releases introduced relatively few improvements to the Active Directory. You can see a list of exactly which features are supported in each functional level here.

Follow this general rule

Given the relatively small number of improvements introduced in the last few versions of the Active Directory, functional levels aren't quite as big a deal as they once were. But this trend could be reversed when the next version of Windows Server arrives.

Microsoft recommends setting the functional level for domains and forests to match the earliest domain controller version the IT staff needs to support. There is no advantage to using a low functional level if all of your domain controllers are running modern versions of Windows.
