Evolution of Active Directory Partitions

Throughout these generations, the AD database has maintained a logical separation to ensure efficient replication across the forest:

· Schema Partition: One per forest; defines objects and rules.
· Configuration Partition: One per forest; contains forest-wide topology (sites/services).
· Domain Partition: One per domain; contains users, groups, and OUs.
· Application Partition: Stores app-specific data (e.g., AD-integrated DNS).

This breakdown separates the specific capabilities unlocked at each level for the Domain and the Forest, ensuring a clear distinction between features that affect a single domain and those that impact the entire multi-domain forest.
Active Directory Domain Functional Levels (DFL)

The Domain Functional Level (DFL) controls features that are specific to a single domain and requires all Domain Controllers (DCs) in that specific domain to be running the required version of Windows Server.
Windows 2000 Domain Functional Level:
- Mixed Mode (Default): Supports a combination of Windows 2000 and legacy Windows NT 4.0 domain controllers.
- Native Mode: Only supports Windows 2000 domain controllers, enabling nesting of security groups and universal groups.
- FSMO Roles: The domain-specific roles (RID Master, PDC Emulator, and Infrastructure Master) become available to manage identity and security.
Windows Server 2003 Domain Functional Level:
- Domain Rename: Provides the ability to rename a domain without rebuilding the entire forest.
- Resultant Set of Policy (RSoP): Enables administrators to calculate and troubleshoot the effective Group Policy settings for a user or computer.
- Install from Media (IFM): Allows for the creation of new domain controllers using backup media to reduce replication traffic over the network.
Windows Server 2008 / 2008 R2 Domain Functional Level:
- Distributed File System Replication (DFS-R): Replaces the legacy File Replication Service (FRS) for SYSVOL replication, providing better performance and reliability.
- Fine-Grained Password Policies: Allows different password and account lockout policies to be applied to different sets of users within the same domain.
- Read-Only Domain Controllers (RODC): Supports the deployment of DCs with read-only partitions for use in branch offices or physically insecure locations.
Windows Server 2012 / 2012 R2 Domain Functional Level:
- Kerberos Armoring (FAST): Implements Flexible Authentication Secure Tunneling (FAST) to protect against dictionary attacks and spoofing.
- Group Managed Service Accounts (gMSAs): Provides automated password management for services running across multiple servers.
- KDC Support for Claims: Supports the use of user and device claims in Kerberos tickets for advanced access control.
Windows Server 2016 Domain Functional Level:
- Privileged Access Management (PAM): Introduces "shadow principal" objects and time-based group memberships for Just-In-Time (JIT) administration.
- Rolling Upgrades: Supports easier transitions from Windows Server 2012 R2 to 2016 within the same domain.

Windows Server 2025 Domain Functional Level:
- 32k Database Page Size: Updates the internal AD database engine to support 32k pages, allowing for larger objects and more efficient indexing.
- Next-Gen Identity Security: Enforces modern cryptographic defaults for machine accounts and service principals.
Active Directory Forest Functional Levels (FFL)

The Forest Functional Level (FFL) controls features that impact every domain within the forest. Raising the FFL requires that every single Domain Controller in every domain within the forest be running the required Windows Server version.
Windows 2000 Forest Functional Level:
- Global Catalog: Enables a DC to store a partial copy of all objects in the forest for search operations.
- Forest-wide FSMO Roles: Establishes the Schema Master and Domain Naming Master roles, which are unique to the entire forest.
- Schema Partition: Creates a single forest-wide partition that defines all object attributes and rules.
Windows Server 2003 Forest Functional Level:
- Forest Trust: Enables the creation of a two-way transitive trust between two different Active Directory forests.
- Domain Controller Rename: Allows for the renaming of domain controllers while they are still members of the forest.
- Linked-Value Replication (LVR): Improves replication efficiency by replicating individual group members rather than the entire group object.
Windows Server 2008 / 2008 R2 Forest Functional Level:
- Active Directory Recycle Bin: When the FFL is at 2008 R2, administrators can restore deleted AD objects without requiring a full system state restore.
- New Identity Features: Expands the support for cryptographic enhancements and authentication mechanisms across all domains in the forest.
Windows Server 2012 / 2012 R2 Forest Functional Level:
- FAST Requirement: For full support of Kerberos FAST and armoring, the Forest Functional Level must be raised to at least 2012.
- Compound Authentication: Allows the KDC to verify both the user and the device identity before granting access to resources.
Windows Server 2016 / 2019 / 2022 Forest Functional Level:
- Feature Parity: Microsoft maintained the Windows Server 2016 Forest Functional Level as the standard for 2019 and 2022 to ensure maximum compatibility.
- Azure Integration: Focuses on hybrid identity management and cloud-based authentication via Azure Arc and ADFS v4.

Windows Server 2025 Forest Functional Level:
- Forest-wide Performance Scaling: Unlocks hardware-specific optimizations (such as NVMe IOPS improvements) across all DCs globally.
- Hotpatching Support: Enables the forest to support hotpatching for security updates without reboots across the entire fleet of domain controllers.
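As an added example (not code from the original article), the following read-only PowerShell audit ties together the DFL and FFL requirements described above: it reads the current levels, inventories every DC's operating system in every domain (since raising either level requires all DCs to be on the required version), and reports the level-gated features that are actually in use (the Recycle Bin and PAM optional features, fine-grained password policies, and gMSAs). It assumes the ActiveDirectory RSAT module and a domain-joined account with read access; the function name is mine.

```powershell
Import-Module ActiveDirectory

function Get-AdFunctionalLevelReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Every DC in every domain of the forest, with the OS it runs. The oldest OS
    # present is the ceiling for how far the DFL/FFL can currently be raised.
    $dcs = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d |
            Select-Object HostName, Domain, OperatingSystem, IsReadOnly, IsGlobalCatalog
    }
    $osSummary = $dcs | Group-Object OperatingSystem |
        Select-Object @{n='OperatingSystem'; e={ $_.Name }}, Count

    # Optional features such as 'Recycle Bin Feature' (FFL 2008 R2) and
    # 'Privileged Access Management Feature' (2016), with the level each requires
    # and whether it has been enabled in any scope.
    $features = Get-ADOptionalFeature -Filter * |
        Select-Object Name, RequiredForestMode, RequiredDomainMode,
                      @{n='Enabled'; e={ $_.EnabledScopes.Count -gt 0 }}

    # Fine-grained password policies (DFL 2008) and gMSAs (DFL 2012) in this domain.
    $fgpp = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $domain.PDCEmulator)
    $gmsa = @(Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"')

    [pscustomobject]@{
        Forest                 = $forest.Name
        ForestMode             = $forest.ForestMode
        Domain                 = $domain.DNSRoot
        DomainMode             = $domain.DomainMode
        DcOperatingSystems     = $osSummary
        ReadOnlyDcs            = @($dcs | Where-Object IsReadOnly).Count
        OptionalFeatures       = $features
        RecycleBinEnabled      = ($features | Where-Object Name -eq 'Recycle Bin Feature').Enabled
        FineGrainedPolicies    = $fgpp.Name
        GroupManagedSvcAccounts = $gmsa.Name
    }
}

# Usage: print the report; pipe DcOperatingSystems or OptionalFeatures to Format-Table for detail.
Get-AdFunctionalLevelReport | Format-List
```

A level shown in RequiredForestMode or RequiredDomainMode that is higher than the reported ForestMode/DomainMode explains why that feature cannot yet be enabled.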
