Pro IT NW

Field notes · 9 min read ·


AD functional level on Windows Server 2019/2022: not stuck at 2016

Every few weeks an AD audit produces the same conversation. The customer opens dsa.msc, shows the forest functional level reading "Windows Server 2016", and asks why their forest is stuck — every DC is running Server 2019 or 2022, the level should have moved. They start hunting for ghost DCs in metadata. Junior consultants quote forest-recovery projects.

The forest is not stuck. Microsoft did not ship a Windows Server 2019 or Windows Server 2022 functional level. The msDS-Behavior-Version attribute jumped from 7 (Windows Server 2016) directly to 10 (Windows Server 2025). Values 8 and 9 do not exist. The "Windows Server 2016" ceiling is the actual ceiling — and if every DC in your forest is Server 2019 or 2022, it's correct.

The behavior version chart

The functional level of every domain and forest in AD is stored as an integer in the msDS-Behavior-Version attribute: the domain level on the domain naming context head (DC=corp,DC=example,...), the forest level on CN=Partitions in the configuration partition. The mapping has been stable since Windows 2000 and is documented on Microsoft Learn.

Operating system                    msDS-Behavior-Version   Release year
Windows 2000                        0                       1999
Windows Server 2003 interim         1                       2003
Windows Server 2003                 2                       2003
Windows Server 2008                 3                       2008
Windows Server 2008 R2              4                       2009
Windows Server 2012                 5                       2012
Windows Server 2012 R2              6                       2013
Windows Server 2016                 7                       2016
(skipped; no Server 2019 level)     8                       -
(skipped; no Server 2022 level)     9                       -
Windows Server 2025                 10                      2024

The key takeaway: For any forest where every DC is Windows Server 2019 or 2022, Windows Server 2016 (behavior version 7) IS the maximum functional level. The level is not stuck and there is no ghost DC to find. The next available level is Windows Server 2025 (behavior version 10), and it requires every DC in the forest to be running Server 2025.

Yes, Microsoft skipped two functional levels

The ActiveDirectory PowerShell module's own enum confirms it. Run this on any DC or jump host with RSAT installed:

[enum]::GetNames([Microsoft.ActiveDirectory.Management.ADForestMode])

You will see Windows2000Forest, Windows2003InterimForest, Windows2003Forest, Windows2008Forest, Windows2008R2Forest, Windows2012Forest, Windows2012R2Forest, Windows2016Forest, and Windows2025Forest. No Windows2019Forest. No Windows2022Forest. The module's own type system reflects the schema reality, and the same gap appears in ADDomainMode (Windows2016Domain, then Windows2025Domain). One caveat: the enum is compiled into the module, so an RSAT build older than Server 2025 / Windows 11 24H2 stops at Windows2016Forest and cannot name behavior version 10 at all. If the list ends at 2016, check the module version before drawing conclusions about the forest.
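The enum above is the module's translation layer. The following PowerShell, added here as an example and not part of the original post, goes underneath it: it reads the raw msDS-Behavior-Version integers from CN=Partitions (forest) and from each domain naming context head (domain), decodes them with the table from the previous section, and warns when the local module is too old to know about 2025. It assumes the ActiveDirectory module is installed and a DC is reachable; the function and variable names are this example's own.

```powershell
# Added example, not code from the original post. Reads the raw functional-level
# integers and decodes them with the behavior-version table above.
# Assumes the ActiveDirectory (RSAT) module and a reachable domain controller.
Import-Module ActiveDirectory

# Mapping from the table in the post. 8 and 9 are deliberately absent.
$BehaviorVersionName = @{
    0  = 'Windows 2000'
    1  = 'Windows Server 2003 interim'
    2  = 'Windows Server 2003'
    3  = 'Windows Server 2008'
    4  = 'Windows Server 2008 R2'
    5  = 'Windows Server 2012'
    6  = 'Windows Server 2012 R2'
    7  = 'Windows Server 2016'
    10 = 'Windows Server 2025'
}

function Resolve-BehaviorVersion {
    param([Parameter(Mandatory)][int]$Version)
    if ($BehaviorVersionName.ContainsKey($Version)) { return $BehaviorVersionName[$Version] }
    if ($Version -in 8, 9) { return "invalid ($Version: no such level; 8 and 9 were skipped)" }
    return "unknown ($Version)"
}

function Get-RawFunctionalLevel {
    [CmdletBinding()]
    param([string]$Server)   # optional: pin the query to one DC
    $srv = @{}; if ($Server) { $srv.Server = $Server }
    $rootDse = Get-ADRootDSE @srv

    # Forest level: msDS-Behavior-Version on CN=Partitions in the configuration NC.
    $partitions = Get-ADObject @srv -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" `
                                    -Properties 'msDS-Behavior-Version'
    $v = [int]$partitions.'msDS-Behavior-Version'
    [pscustomobject]@{ Scope = 'Forest'; Version = $v; Level = Resolve-BehaviorVersion $v; Object = $partitions.DistinguishedName }

    # Domain level: the same attribute on each domain NC head, one query per domain.
    foreach ($domainDns in (Get-ADForest @srv).Domains) {
        $domain = Get-ADDomain -Identity $domainDns
        $head = Get-ADObject -Server $domainDns -Identity $domain.DistinguishedName -Properties 'msDS-Behavior-Version'
        $v = [int]$head.'msDS-Behavior-Version'
        [pscustomobject]@{ Scope = 'Domain'; Version = $v; Level = Resolve-BehaviorVersion $v; Object = $head.DistinguishedName }
    }
}

# Cross-check: does this machine's ActiveDirectory module even know about 2025?
# The enum is compiled into the module; RSAT older than Server 2025 lacks Windows2025Forest.
$knownModes = [enum]::GetNames([Microsoft.ActiveDirectory.Management.ADForestMode])
if ('Windows2025Forest' -notin $knownModes) {
    Write-Warning 'This ActiveDirectory module predates Server 2025 and cannot name behavior version 10; the raw integer above is still correct.'
}

Get-RawFunctionalLevel | Format-Table Scope, Version, Level, Object -AutoSize
```

A forest whose DCs are all Server 2019 or 2022 prints Version 7 / Windows Server 2016 for every row. That is the ceiling, not a symptom; the Resolve-BehaviorVersion branch for 8 and 9 exists only to make the gap explicit if someone hand-edits the attribute.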

Why Microsoft did this

Functional levels exist to gate AD DS features that require every DC in scope at a minimum OS version before the feature can safely activate. Once raised, no older DC can join, and the feature can rely on consistent behavior forest-wide.

Server 2019 and Server 2022 added AD-adjacent capabilities, but none required that contract:

  • Windows LAPS, delivered to Server 2019 and 2022 DCs through the April 2023 cumulative update and in-box on Server 2025: a schema extension plus DC-side and client-side code; no forest-wide minimum needed.
  • Group Managed Service Account improvements — incremental, configurable per-account.
  • Kerberos hardening updates — security updates with per-DC and per-account tunables.
  • TLS 1.3 and additional cipher support on member services — outside AD DS functional-level scope.

Server 2025 is different. The database engine page-size change requires every DC at the new floor before the forest can activate it. Textbook functional-level case — and the reason behavior version 10 exists.

What Server 2025 DCs bring, and what the functional level actually gates

Of the items below, only the 32K page size is gated by the Windows Server 2025 forest functional level. The others ship with Server 2025 domain controllers and take effect per DC (some behind their own switches) whether or not the level has been raised.

32K database page size for NTDS.dit

The headline change, and the biggest AD database engine update in roughly two decades. The Extensible Storage Engine backing ntds.dit moves from 8K to 32K pages. For environments with large object counts, heavy LDAP load, or large multi-valued attributes (nested groups, certificate stores, large security descriptors), the practical effects include lower I/O per query, more headroom on linked-value-replication limits, and meaningfully better performance on schema partitions. Two caveats: the level raise makes the change available rather than applying it (it is an AD optional feature that you enable separately once the forest is at 2025), and an in-place OS upgrade does not convert a DC's existing 8K-page database, so verify each DC rather than assuming.

Kerberos PKINIT cryptographic agility

Stronger smart-card and certificate-based authentication. PKINIT exchanges support modern crypto and become harder to capture and replay. Relevant for smart-card-required Tier-0 policies, certificate-based VPN, and cert-based MFA against AD-issued credentials.

Modernized AES-only Kerberos defaults

The Server 2025 functional level shifts more of the Kerberos default-cipher behavior away from RC4 and toward AES-only — aligned with the broader RC4 retirement work. See our Kerberos RC4 April 2026 enforcement post for the operational triage. Raising the functional level is not the same control, but it cleans up the same surface.

Confidential-attribute access now requires encrypted LDAP

Server 2025 DCs and AD LDS instances only allow LDAP add, search, and modify operations involving confidential attributes when the connection is encrypted (TLS or SASL with confidentiality). This reduces in-flight exposure of credential material for any attribute flagged as confidential, meaning the 0x80 bit is set in its searchFlags in the schema. This is DC behavior, not a functional-level feature: it applies as soon as the DC is running Server 2025.
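Before relying on that behavior it helps to know which attributes the rule actually covers in your forest, since products extend the schema and set the confidential bit themselves. The following PowerShell is an added example, not from the original post; it lists every attributeSchema object with the confidential bit set, using the LDAP bitwise-AND matching rule, and also decodes the RODC-filtered bit (0x200) because the two usually travel together in a hardening review. It assumes the ActiveDirectory module; the function name and flag table are this example's own.

```powershell
# Added example, not code from the original post. Lists the attributes that the
# Server 2025 encrypted-LDAP requirement protects: those whose searchFlags has the
# confidential bit (0x80) set. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# searchFlags bits that matter for exposure analysis (values per the AD schema docs).
$SearchFlagBits = @{
    Confidential = 0x80    # fCONFIDENTIAL: read requires CONTROL_ACCESS, and on 2025 DCs an encrypted session
    RodcFiltered = 0x200   # fRODCFilteredAttribute: never replicated to read-only DCs
}

function Get-ConfidentialAttribute {
    [CmdletBinding()]
    param([string]$Server)   # optional: pin the query to one DC
    $srv = @{}; if ($Server) { $srv.Server = $Server }
    $schemaNc = (Get-ADRootDSE @srv).schemaNamingContext

    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: match when all bits in the
    # value are set. Filtering server-side avoids pulling the whole schema over the wire.
    $filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$($SearchFlagBits.Confidential)))"
    Get-ADObject @srv -SearchBase $schemaNc -LDAPFilter $filter -Properties lDAPDisplayName, searchFlags |
        ForEach-Object {
            $flags = [int]$_.searchFlags
            [pscustomobject]@{
                Attribute    = $_.lDAPDisplayName
                SearchFlags  = ('0x{0:X}' -f $flags)
                Confidential = [bool]($flags -band $SearchFlagBits.Confidential)
                RodcFiltered = [bool]($flags -band $SearchFlagBits.RodcFiltered)
            }
        } | Sort-Object Attribute
}

Get-ConfidentialAttribute | Format-Table -AutoSize
```

Anything on this list that an application reads over plain LDAP on port 389 without StartTLS or SASL sealing will start failing against Server 2025 DCs; that is the compatibility check to run alongside the feature, not after it.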

Replication priority ordering

Server 2025 introduces replication priority controls: a DC can raise the system-assigned replication priority for a particular naming context or replication partner, so the partitions or partners you care about are processed ahead of the routine queue order. Useful for forests with WAN-constrained sites. Configured per DC, and not gated by the functional level.

Full Server 2025 AD DS feature list: What's new in AD DS for Windows Server 2025 on Microsoft Learn. Read it before scoping the upgrade.

Prerequisites for raising the level to Server 2025

Raising a forest functional level is a one-way operation in practice (rollback is supported only in narrow scenarios and almost never used in production). The prerequisites are not a list to skim — they're a list to check off.

1. Every DC in every domain runs Windows Server 2025. No exceptions: read-only DCs and child-domain DCs count. A single older DC blocks the raise, and that is the point of the gate; forcing the level with a down-level DC present would create exactly the replication and compatibility problems the gating exists to prevent.

2. No DCs at Server 2012 R2 or earlier remain. Server 2012 R2 left extended support in October 2023. Decommission or upgrade them first; don't carry them into a 2025 forest as "we'll get to it." Server 2019 left mainstream support in January 2024 (extended support runs to January 2029), so the recommended default is to skip Server 2022 entirely and refresh straight to Server 2025 on the same cycle.

3. Forest health validated. Replication current, FSMO roles correctly placed, schema consistent. Minimum check: dcdiag /e /test:Replications /test:FsmoCheck run with Enterprise Admin rights, then repadmin /replsummary and repadmin /showrepl for finer detail. Any replication failure older than the tombstone lifetime is a hard stop.

4. Schema extension complete. Run adprep /forestprep from Server 2025 media against the Schema Master, then adprep /domainprep in each domain against the Infrastructure Master. Promoting the first Server 2025 DC with Install-ADDSDomainController (or the wizard) runs both steps for you when the installing account holds Schema Admins and Enterprise Admins; either way, objectVersion on the schema container must reach the Server 2025 schema version before the level can be raised.

5. Application compatibility verified. Any vendor product reading AD against older attribute formats (older Citrix, older Exchange on-premises, older identity-governance tools, older backup agents that pin a specific schema version) gets a compatibility check. Don't raise the level on Friday and find out Monday morning that a line-of-business app reads the wrong attribute.

How to confirm your current state

Before you scope any upgrade work, get the facts. These four PowerShell commands, run on any DC or jump host with the ActiveDirectory module installed, produce the discovery snapshot:

Forest mode and key roles

Get-ADForest | Select-Object ForestMode,SchemaMaster,DomainNamingMaster

ForestMode reads Windows2016Forest for any forest sitting at behavior version 7, whatever OS its DCs run; the cmdlet reports the level that is set, not the level the DCs could support. SchemaMaster and DomainNamingMaster name the FSMO holders you'll target for adprep.

Domain mode and PDC emulator

Get-ADDomain | Select-Object DomainMode,PDCEmulator

Run this per domain in multi-domain forests (Get-ADDomain -Identity child.corp.example). Domain mode is raised per domain, and the forest mode can never exceed the lowest domain mode, so every domain must reach a level before the forest can. In practice mid-market forests raise both together.

DC inventory and OS versions

Get-ADDomainController -Filter * | Select-Object Name,OperatingSystem,OperatingSystemVersion

This is the most common moment of truth. Customers swear every DC is Server 2022; the inventory shows a Server 2012 R2 DC nobody remembered, or a 2008 R2 RODC at a remote site that's been offline-replicating for six years. Find it before you start the upgrade plan, not during. Note that -Filter * on its own lists only the current domain's DCs; in a multi-domain forest, loop over (Get-ADForest).Domains and pass each one to -Server, or you'll miss exactly the child-domain DC that matters.

Schema version

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

The objectVersion integer is the schema version. The Microsoft Learn "Upgrade domain controllers to a newer version" page documents the mapping from OS release to objectVersion, including the Server 2025 value. Compare what you have against what 2025 expects; if the number has not moved, adprep /forestprep has not run.
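The four commands above are the snapshot; the prerequisites list two sections up is what you apply to it. The following PowerShell is an added example, not from the original post, that does both in one pass: it inventories every DC in every domain, derives the highest functional level that inventory could support, reads the raw forest level and schema version, counts replication failures, and tells you whether the forest is simply at its ceiling or is genuinely ready for 2025. It assumes the ActiveDirectory module and read access across the forest (Enterprise Admin level for the replication query); the build-to-level table and the Server 2025 schema objectVersion (91) are taken from Microsoft Learn, and the function and property names are this example's own. It makes no changes: the raise at the end runs with -WhatIf.

```powershell
# Added example, not code from the original post. Discovery snapshot plus the
# Server 2025 readiness checks. Read-only; the raise commands carry -WhatIf.
# Assumes the ActiveDirectory (RSAT) module and read access to every domain.
Import-Module ActiveDirectory

# Kernel build -> highest msDS-Behavior-Version a DC on that build supports (Microsoft Learn).
# 2016, 2019 and 2022 all stop at 7 because there is no level 8 or 9.
$BuildCeiling = @{
    6002 = 3; 7601 = 4; 9200 = 5; 9600 = 6     # 2008, 2008 R2, 2012, 2012 R2
    14393 = 7; 17763 = 7; 20348 = 7             # 2016, 2019, 2022
    26100 = 10                                  # 2025
}
$Server2025SchemaVersion = 91                   # schema objectVersion after 2025 forestprep

function Get-DcBuild {
    param([string]$OperatingSystemVersion)      # e.g. "10.0 (20348)"
    if ($OperatingSystemVersion -match '\((\d+)\)') { [int]$Matches[1] } else { 0 }
}

function Get-ForestUpgradeReadiness {
    [CmdletBinding()]
    param()
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE

    # Raw forest level from CN=Partitions, independent of whether the local module knows Windows2025Forest.
    $partitions    = Get-ADObject "CN=Partitions,$($rootDse.configurationNamingContext)" -Properties 'msDS-Behavior-Version'
    $forestVersion = [int]$partitions.'msDS-Behavior-Version'

    # DC inventory across every domain; -Filter * alone only covers the current domain.
    $dcs = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d | ForEach-Object {
            $build = Get-DcBuild $_.OperatingSystemVersion
            [pscustomobject]@{
                Name = $_.HostName; Domain = $_.Domain; OS = $_.OperatingSystem
                Build = $build; ReadOnly = $_.IsReadOnly
                # Unknown build -> 0, which deliberately shows up as blocking and end-of-life below.
                Ceiling = if ($BuildCeiling.ContainsKey($build)) { $BuildCeiling[$build] } else { 0 }
            }
        }
    }
    $dcCeiling = ($dcs | Measure-Object -Property Ceiling -Minimum).Minimum

    # Domain levels: the forest level can never exceed the lowest domain level.
    $domainModes = foreach ($d in $forest.Domains) {
        $dom = Get-ADDomain -Identity $d
        [pscustomobject]@{ Domain = $d; DomainMode = "$($dom.DomainMode)"; PDCEmulator = $dom.PDCEmulator }
    }

    $schemaVersion = [int](Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion

    $replFailures = @()
    try   { $replFailures = @(Get-ADReplicationFailure -Target $forest.Name -Scope Forest) }
    catch { Write-Warning "Replication failure query did not complete: $_" }

    $blocking = @($dcs | Where-Object Ceiling -lt 10)   # anything that is not Server 2025
    $eol      = @($dcs | Where-Object Ceiling -le 6)    # 2012 R2 or older

    [pscustomobject]@{
        ForestName            = $forest.Name
        ForestMode            = "$($forest.ForestMode)"
        ForestBehaviorVersion = $forestVersion
        DcImpliedCeiling      = $dcCeiling
        AtCeiling             = ($forestVersion -eq $dcCeiling)   # $true means "not stuck"
        DomainModes           = $domainModes
        DomainControllers     = $dcs
        NonServer2025Dcs      = $blocking
        EndOfLifeDcs          = $eol
        SchemaVersion         = $schemaVersion
        SchemaReadyFor2025    = ($schemaVersion -ge $Server2025SchemaVersion)
        ReplicationFailures   = $replFailures.Count
        ReadyToRaiseTo2025    = ($blocking.Count -eq 0) -and ($schemaVersion -ge $Server2025SchemaVersion) -and ($replFailures.Count -eq 0)
    }
}

$r = Get-ForestUpgradeReadiness
$r | Select-Object ForestName, ForestMode, ForestBehaviorVersion, DcImpliedCeiling, AtCeiling,
                   SchemaVersion, SchemaReadyFor2025, ReplicationFailures, ReadyToRaiseTo2025 | Format-List
$r.DomainModes       | Format-Table -AutoSize
$r.DomainControllers | Format-Table Name, Domain, OS, Build, ReadOnly, Ceiling -AutoSize

if ($r.AtCeiling -and -not $r.ReadyToRaiseTo2025) {
    Write-Host 'Forest level already matches what the DC inventory allows: not stuck, nothing to hunt for.'
}

# Application-compatibility sign-off (prerequisite 5) is a human step; only after it should -WhatIf come off.
if ($r.ReadyToRaiseTo2025) {
    foreach ($d in $r.DomainModes.Domain) { Set-ADDomainMode -Identity $d -DomainMode Windows2025Domain -WhatIf }
    Set-ADForestMode -Identity $r.ForestName -ForestMode Windows2025Forest -WhatIf
}
```

The two numbers to read first are ForestBehaviorVersion and DcImpliedCeiling. A 2019/2022 forest returns 7 and 7: at ceiling, no defect. A forest that returns 7 against a ceiling of 10 has every DC on 2025 and has simply not been raised yet; a ceiling below 7 means the inventory found the forgotten DC, and NonServer2025Dcs and EndOfLifeDcs name it.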

Why this comes up every quarter on mid-market AD audits

The pattern is consistent enough to be a diagnostic shortcut. An audit kicks off. The customer mentions in the first call that the forest "looks stuck at 2016." A junior consultant treats it as a defect symptom and starts hunting causes — ghost DCs, metadata fragments from old DC demotions, FRS-to-DFSR migration leftovers, lingering objects.

A senior engineer recognizes the pattern in thirty seconds. The customer is reading the version-7 ceiling as a defect because they expected a continuous progression of levels matched to OS releases — and that intuition is wrong, because Microsoft broke the pattern between 2016 and 2025.

The expensive mistake is what happens when nobody catches the assumption: a forest-recovery scope gets quoted, lingering-object cleanup gets billed, metadata-cleanup procedures get run against DCs that don't need them. The customer pays for a project to fix a symptom that isn't a defect — while the underlying AD posture, which may have real issues, gets neither audited nor improved.

Should you raise to Server 2025 right now?

Short take: for most mid-market forests under ~50,000 objects, raising the level is low-priority. Schedule it with your next DC refresh. The Server 2025 feature set is real, but the operational urgency is not the same as an end-of-life deadline or a security enforcement date.

The exceptions are environments where the 32K page size matters. If your forest is meaningfully over 50K objects, has heavy linked-value replication load, or runs latency-sensitive LDAP apps, the database change is worth a closer look — and worth the application-compatibility check as a near-term project. For Tier-0 hardening more generally, see our AD Tier-0 in 90 days post; functional-level raise is rarely the highest-leverage move on that list.

What raising the level is not: a security fix. Customers occasionally ask for a functional-level raise as if it would harden the directory by itself. It doesn't — it activates capabilities. The hardening comes from configuring those capabilities and from the broader Tier-0, Kerberos, and admin-MFA work. Treat the functional level as enabling infrastructure, not as the control.


The 30-second version

Microsoft did not ship a Windows Server 2019 or Server 2022 forest or domain functional level. The msDS-Behavior-Version attribute jumped from 7 (Server 2016) to 10 (Server 2025), with 8 and 9 deliberately skipped because nothing in 2019 or 2022 required forest-wide gating. If your forest reads "Windows Server 2016 forest functional level" and every DC is Server 2019 or 2022, that's the correct ceiling: not a defect, not a ghost DC, not a metadata problem. The next available jump is Server 2025 (behavior version 10), which requires every DC at Server 2025 and gates the 32K NTDS.dit page size; the Kerberos PKINIT cryptographic agility, AES-leaning defaults, and confidential-attribute encrypted-LDAP requirement come with Server 2025 DCs themselves. For most mid-market forests under 50K objects, the upgrade is low-priority; schedule it with the next DC refresh.

If you'd like a senior engineer to confirm your forest's state or run the full AD audit, the project intake form takes three minutes. Two-business-day response with scope and a fixed-fee range.


Pro IT NW does senior-led identity work for mid-market and regulated organizations. Vendor-neutral. Labor-only. We don't resell Microsoft licensing or third-party identity tooling — we recommend the right configuration for your environment and you procure directly.

Written by the team at Pro IT NW · Senior-led Microsoft project consultancy · Seattle / USA-wide.

Have a project on the runway?

Tell us the workload, the seat count, and the deadline. We'll come back inside two business days with scope and a fixed-fee range.