The new Microsoft Forest Functional Level and what it can do for you

Among the many updates to Windows Server 2025, there’s a new Forest Functional Level (FFL) for Active Directory. This first new FFL since Windows Server 2016 underscores Microsoft’s long-term commitment to AD.

The importance of Microsoft Forest Functional Levels

FFLs gate the forest-wide directory features introduced with the corresponding Windows Server version. Domain functional levels (DFLs) gate features within a single domain; the FFL cannot be raised above the lowest DFL in the forest, so raising it is a consistent, forest-wide upgrade rather than a per-domain one.

The FFL also defines the minimum Windows Server version for domain controllers (DCs). To raise the forest to the 2025 FFL, every DC in every domain must be running Windows Server 2025 and every domain must first be at the 2025 DFL; once raised, DCs running an older release can no longer be promoted into the forest.

Raising the FFL says nothing about the operating systems on workstations and member servers; client-side compatibility is unaffected. It is a DC modernization decision: historically, each new functional level is the point at which a release's directory features become available forest-wide.

Microsoft Forest Functional Levels: A brief history

Windows Server 2008 was notable for introducing fine-grained password policy objects (at the 2008 domain functional level), and Windows Server 2012 added a graphical interface for them in the Active Directory Administrative Center. The Windows Server 2016 FFL added the Privileged Access Management optional feature, with Microsoft Identity Manager providing the management workflows.

While these changes reflected an industry trend towards cloud-first architecture, on-premises applications and resources remain important. The 2025 FFL keeps every feature of the earlier levels and adds new security and protection features for AD management and deployments.

What Forest Functional Level 2025 provides

When deploying AD Domain Services (DS), Microsoft’s recommendation is to ‘set the domain and forest functional levels to the highest value that your environment can support.’ This is to unlock the maximum number of AD DS features. Below are some of the key improvements that can support enterprise security and identity management.

Increased database page size to 32k

New forests and domains created on Windows Server 2025 DCs use a 32k database page format. This lifts the constraints of the 8k ESE page size that AD has used since Windows 2000: a single directory record could not exceed 8 KB, which capped a multi-valued attribute at roughly 1,200 values and left little room for objects carrying large values such as certificates. With 32k pages a multi-valued attribute can hold around 3,200 values.

That headroom matters as directories grow: more objects synchronised with Entra ID, more group memberships per identity and more large attribute values per object, in enterprises whose governance and compliance requirements keep adding to what the directory must record.

For an existing forest, the switch to 32k pages is an optional feature enabled from an elevated PowerShell prompt. It can only be enabled once every DC in the forest has a 32k-capable database; a DC upgraded in place keeps its existing 8k database and therefore blocks the feature until it has a 32k-capable database (in practice, a freshly promoted Windows Server 2025 DC). As with all FFL raises, enabling the feature cannot be reverted, so take a verified system-state backup first.
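The following script is added here and is not part of the original article or of any Microsoft tooling. It shows the preflight a practitioner runs before the two one-way steps discussed above: the "every DC must be Windows Server 2025" requirement for raising the FFL, and the optional 32k page feature. It assumes the ActiveDirectory module shipped with Windows Server 2025 RSAT, Enterprise Admin rights, and that the optional feature is named 'Database 32k pages feature'; that feature name and the Windows2025Forest/Windows2025Domain enum values are assumptions to confirm with the listing commands in the script before running it with -Commit.

```powershell
# Added example, not from the original article. Dry run by default; -Commit performs the irreversible steps.
param([switch]$Commit)
Import-Module ActiveDirectory
$forest = Get-ADForest
"Current forest mode: $($forest.ForestMode)"

# 1. Every DC in every domain of the forest must already run Windows Server 2025.
#    Get-ADDomainController only returns the current domain, so iterate the forest's domains.
$dcs = foreach ($dom in $forest.Domains) { Get-ADDomainController -Filter * -Server $dom }
$blocking = $dcs | Where-Object { $_.OperatingSystem -notlike 'Windows Server 2025*' }
if ($blocking) {
    $blocking | Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize
    throw 'Raise blocked: the DCs listed above must be upgraded or demoted first.'
}

# 2. Each domain must be at DFL 2025 before the forest can be raised. Both steps are one-way.
#    Assumed enum names follow the existing WindowsNNNNForest / WindowsNNNNDomain pattern; confirm with
#    [Microsoft.ActiveDirectory.Management.ADForestMode].GetEnumNames() before committing.
foreach ($dom in $forest.Domains) {
    Set-ADDomainMode -Identity $dom -Server $dom -DomainMode Windows2025Domain -Confirm:$false -WhatIf:(-not $Commit)
}
Set-ADForestMode -Identity $forest -ForestMode Windows2025Forest -Confirm:$false -WhatIf:(-not $Commit)

# 3. The 32k page feature is a separate, also irreversible switch. List the optional features first so the
#    exact feature name and its current EnabledScopes are visible; a DC upgraded in place still has an 8k
#    database and must be replaced before this succeeds.
Get-ADOptionalFeature -Filter * | Select-Object Name, EnabledScopes | Format-Table -AutoSize
Enable-ADOptionalFeature -Identity 'Database 32k pages feature' -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Confirm:$false -WhatIf:(-not $Commit)
```

Run it once without -Commit and read the -WhatIf output and the feature listing; only after those match expectations (and a system-state backup of a DC exists) run it again with -Commit.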

Improved performance from 64-bit Long Value IDs

Any large environment generates long values at a rising rate: provisioning of human and non-human identities, frequent password changes, authentication and certificate renewals all write large attribute values into the directory database. ESE stores each such value as a long value and assigns it an ID, and the 32-bit ID space could be exhausted over the lifetime of a busy database.

Larger Kerberos ticket data is a related and better known issue, long documented by Microsoft as a Kerberos authentication problem. A user who belongs to many security groups carries so many SIDs in the ticket's PAC that the HTTP Authorization header exceeds the web server's limit, and IIS answers HTTP 400 - Bad Request (Request Header too long); the often-quoted threshold of roughly 120 groups dates from the old 12,000-byte default MaxTokenSize. The database format does not shrink tickets, so token bloat is still managed by raising MaxTokenSize on the receiving servers and by trimming group membership.

The shift to 64-bit LIDs removes the ID exhaustion risk within existing forests. A 64-bit integer gives over 18 quintillion possible values, enough for the lifetime of even a very write-heavy AD environment.

Improvements in AD security: Stronger Kerberos authentication with AES and SHA-384

Microsoft is retiring RC4 for Kerberos: Windows DCs are scheduled to default to the AES-SHA1 encryption types only by mid-2026, with RC4 disabled unless an administrator deliberately re-enables it. Windows Server 2025 goes further by adding the AES-SHA2 Kerberos encryption types from RFC 8009, which pair AES-256 with HMAC-SHA-384 (and AES-128 with HMAC-SHA-256) instead of HMAC-SHA-1. SHA-384 produces a 384-bit digest and belongs to the SHA-2 family, which NIST recommends in place of SHA-1; NIST plans to retire SHA-1 entirely by the end of 2030.

SHA-2 functions are computationally infeasible to reverse and are accepted under compliance regimes such as PCI DSS that require strong cryptography. In the new encryption types the hash is used for key derivation and for the integrity checksum over tickets and authenticators, while AES provides confidentiality, so tampering with or forging authentication traffic becomes harder. Two caveats: the SHA-2 types are only negotiated when both the DC and the client support them, and retiring RC4 is an inventory exercise first, because any account whose msDS-SupportedEncryptionTypes attribute allows only RC4 (or that relies on a DC default that still includes RC4) will fail once RC4 is switched off.
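As an added example (not code from the original article or from Microsoft), the script below inventories the encryption-type posture of accounts before RC4 is disabled. The bit values are the msDS-SupportedEncryptionTypes flags from MS-KILE; the AES-SHA2 bits introduced with Windows Server 2025 are deliberately left out because their values should be taken from Microsoft's documentation for the build in use, and any high bits are simply reported in hex. The sample accounts are constructed; the commented Get-ADObject line is how it would run against a live domain.

```powershell
# Added example, not from the original article. msDS-SupportedEncryptionTypes bit values (MS-KILE).
$EtypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertFrom-SupportedEncryptionTypes {
    # Decodes the bitmask into etype names; bits outside the table are shown as hex so nothing is hidden.
    param([int]$Value)
    $names = @(foreach ($e in $EtypeBits.GetEnumerator()) { if ($Value -band $e.Value) { $e.Key } })
    $unknown = $Value -band (-bnot 0x1F)
    if ($unknown) { $names += ('other:0x{0:x}' -f $unknown) }
    return $names
}

function Test-KerberosEtypePosture {
    # Accepts objects carrying SamAccountName, servicePrincipalName and msDS-SupportedEncryptionTypes
    # (live AD objects or the constructed sample) and classifies each one.
    param([Parameter(Mandatory, ValueFromPipeline)]$Account)
    process {
        $raw = $Account.'msDS-SupportedEncryptionTypes'
        $v   = if ($null -eq $raw) { 0 } else { [int]$raw }
        $hasDes = ($v -band 0x03) -ne 0
        $hasRc4 = ($v -band 0x04) -ne 0
        $hasAes = ($v -band 0x18) -ne 0
        $finding = if ($v -eq 0) { 'not set: DC default applies (includes RC4 unless DefaultDomainSupportedEncTypes was changed)' }
                   elseif ($hasDes) { 'DES enabled: remove' }
                   elseif ($hasRc4 -and -not $hasAes) { 'RC4 only: breaks when RC4 is disabled, weakest to crack' }
                   elseif ($hasRc4) { 'AES and RC4: still downgradable to RC4' }
                   else { 'AES only' }
        [pscustomobject]@{
            Account = $Account.SamAccountName
            # Accounts with an SPN are the Kerberoasting targets, so they are the ones to fix first.
            HasSPN  = [bool]($Account.servicePrincipalName | Where-Object { $_ })
            Etypes  = (ConvertFrom-SupportedEncryptionTypes $v) -join ','
            Finding = $finding
        }
    }
}

# Constructed sample accounts (not real data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql';   servicePrincipalName = 'MSSQLSvc/sql01.contoso.com:1433'; 'msDS-SupportedEncryptionTypes' = 0x04  }
    [pscustomobject]@{ SamAccountName = 'alice';     servicePrincipalName = $null;                             'msDS-SupportedEncryptionTypes' = $null }
    [pscustomobject]@{ SamAccountName = 'WEB01$';    servicePrincipalName = 'HOST/web01.contoso.com';          'msDS-SupportedEncryptionTypes' = 0x1C  }
    [pscustomobject]@{ SamAccountName = 'svc-gmsa$'; servicePrincipalName = 'HTTP/app.contoso.com';            'msDS-SupportedEncryptionTypes' = 0x18  }
)
$sample | Test-KerberosEtypePosture | Sort-Object HasSPN -Descending | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module required), starting with SPN-bearing accounts:
# Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
#     -Properties samAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes |
#     Test-KerberosEtypePosture | Where-Object Finding -notlike 'AES only*'
```

In the sample, svc-sql is the account to act on first: it has an SPN and is RC4-only, so it is both Kerberoastable with the weakest cipher and guaranteed to break when RC4 is removed.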

New performance counters for LDAP clients

With Windows Server 2025 the LDAP client library exposes performance counters for binds, connections and operations, so the directory load an application generates can be measured on the client rather than inferred at the DC. That matters because almost every network resource an enterprise manages is represented in the directory and queried through LDAP.

On the DC side there is also better visibility of usage and degradation, with granular data on connections, request volumes and their sources.

A new domain controller locator

Before Windows Server 2025, a client that could not find a DC through DNS fell back to NetBIOS name resolution and broadcast or mailslot-based discovery. These legacy mechanisms carry no authentication or integrity protection, so an attacker on the local network could answer them and steer the client to a rogue DC, a man-in-the-middle position.

The new DC locator uses DNSSEC resource records to validate DNS responses, protecting against spoofed DNS answers whether or not the DNS client itself is DNSSEC-aware. As part of the change, legacy NetBIOS-based DC discovery is disabled by default to enforce a secure-by-default posture for DC location. Verify that the domain's SRV records resolve correctly from every site before relying on this, since there is no longer a NetBIOS fallback to mask DNS problems.

Name/SID lookups without the Netlogon secure channel

In another move away from legacy protocols, Name/SID lookups have been reworked. When a machine forwards a name or SID lookup to a DC it no longer uses the Netlogon secure channel; Kerberos authentication together with the DC locator algorithm is used instead. The Netlogon secure channel is an RPC channel authenticated with the machine account through Netlogon's own protocol, and that protocol has a history of weaknesses.

CVE-2020-1472 (Zerologon) is the prominent example: an elevation of privilege flaw in how the Netlogon Remote Protocol (MS-NRPC) established the secure channel let an unauthenticated attacker with network access to a DC authenticate as that DC. As Microsoft's advisory put it, an attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network, and in practice that meant resetting the DC's own machine account password and taking over the domain.

New security enhancements

Other hardening comes from LDAP channel binding audit support. With LDAP interface diagnostics enabled and channel binding set to 'when supported', a DC logs event 3074 for a TLS bind whose channel binding token failed validation and event 3075 for a TLS bind that supplied none; both identify clients that would be rejected once channel binding is set to 'always'. Reviewing these events before enforcement finds the devices in the environment that do not support or fail channel binding.

Separately, LDAP sealing (encryption of the LDAP payload) is now the default for Windows Server 2025 LDAP clients after a Simple Authentication and Security Layer (SASL) bind such as Negotiate or Kerberos, which protects the confidentiality and integrity of data exchanged with AD DS. Signing and channel binding tokens address different layers: signing protects integrity of each LDAP message, while a channel binding token ties the application-level authentication to the specific SSL/TLS session it ran over, so an intercepted LDAPS bind cannot be relayed into another session. Together they defeat LDAP relay, session hijacking and man-in-the-middle attacks.
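The script below is an added example, not from the original article or from Microsoft, showing how a practitioner stages the move from audit to enforcement on a DC: first the registry values that sit behind the "Domain controller: LDAP server signing requirements" and "Domain controller: LDAP server channel binding token requirements" policies (Group Policy is the supported way in production; the local registry write is for illustration), then a report over events 2889, 3074 and 3075 that names the clients that would break. The event messages in the sample are constructed and only approximate the real wording; the parser relies on nothing but the client address, so it works on either.

```powershell
# Added example, not from the original article.
function Set-LdapHardeningStage {
    # Audit: log 2889/3074/3075 and validate CBTs only when the client sends one. Enforce: require signing and CBTs.
    param([Parameter(Mandatory)][ValidateSet('Audit', 'Enforce')][string]$Stage)
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord   # emits 2889/3074/3075
    if ($Stage -eq 'Audit') {
        Set-ItemProperty -Path $parm -Name 'LdapEnforceChannelBinding' -Value 1 -Type DWord  # 1 = when supported
        Set-ItemProperty -Path $parm -Name 'LDAPServerIntegrity'       -Value 1 -Type DWord  # 1 = none
    } else {
        Set-ItemProperty -Path $parm -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord  # 2 = always
        Set-ItemProperty -Path $parm -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord  # 2 = require signing
    }
}

function ConvertFrom-LdapAuditEvent {
    # Takes objects with Id, TimeCreated and Message (real EventLogRecords or constructed samples).
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $evt = $Event
        $m = [string]$evt.Message
        # Client address appears in the body as address:port; IPv4 first, then a loose IPv6 match.
        $client = if ($m -match '(\d{1,3}(?:\.\d{1,3}){3}):\d+') { $Matches[1] }
                  elseif ($m -match '\[?([0-9a-fA-F]*:[0-9a-fA-F:]+)\]?:\d+') { $Matches[1] }
                  else { 'unknown' }
        $issue = switch ([int]$evt.Id) {
            2889    { 'unsigned SASL bind or simple bind without TLS' }
            3074    { 'TLS bind with invalid channel binding token' }
            3075    { 'TLS bind without channel binding token' }
            default { "event $_" }
        }
        [pscustomobject]@{ Client = $client; Issue = $issue; Time = $evt.TimeCreated }
    }
}

function Get-LdapHardeningReport {
    # Groups parsed events by client and issue so each offending system is listed once with a count.
    param([Parameter(ValueFromPipeline)]$Event)
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add(($Event | ConvertFrom-LdapAuditEvent)) }
    end {
        $rows | Group-Object Client, Issue | ForEach-Object {
            [pscustomobject]@{
                Client   = $_.Group[0].Client
                Issue    = $_.Group[0].Issue
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample events (wording approximates the real messages; addresses are made up).
$sample = @(
    [pscustomobject]@{ Id = 2889; TimeCreated = (Get-Date).AddHours(-5)
        Message = "The following client performed a SASL LDAP bind without requesting signing, or a simple bind over clear text.`r`nClient IP address:`r`n10.20.30.40:51234`r`nIdentity the client attempted to authenticate as:`r`nCONTOSO\svc-legacy-app" }
    [pscustomobject]@{ Id = 3075; TimeCreated = (Get-Date).AddHours(-2)
        Message = "The following client performed an LDAP bind over SSL/TLS and did not provide channel binding information.`r`nClient IP address:`r`n10.20.30.41:49999" }
    [pscustomobject]@{ Id = 3075; TimeCreated = (Get-Date).AddHours(-1)
        Message = "The following client performed an LDAP bind over SSL/TLS and did not provide channel binding information.`r`nClient IP address:`r`n10.20.30.41:50010" }
)
$sample | Get-LdapHardeningReport | Format-Table -AutoSize

# On a DC, after Set-LdapHardeningStage -Stage Audit has been in place for a representative period:
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889, 3074, 3075; StartTime = (Get-Date).AddDays(-7) } |
#     Get-LdapHardeningReport
# Only when that report is empty, or every listed client has been fixed: Set-LdapHardeningStage -Stage Enforce
```

The ordering is the point: the audit stage costs nothing and the 3074/3075 events exist precisely so that 'when supported' can be left in place until the report is clean; flipping straight to 'always' is how LDAPS-dependent appliances and older LDAP libraries get locked out.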

Better support for delegated managed accounts

For businesses that want to secure machine identities, Windows Server 2025 adds the delegated Managed Service Account (dMSA), a new account type. A dMSA's authentication is bound to the identity of the machine using it: only the machine identities explicitly mapped to the account in AD can retrieve its key, and that key is managed by AD rather than being a password anyone knows. A dMSA can be created fresh or linked to an existing service account so that it takes over that account's access while the legacy credential is retired.
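The following is an added example, not code from the original article or from Microsoft, of replacing a legacy service account with a dMSA. It assumes the ActiveDirectory module from Windows Server 2025 with the cmdlet names as Microsoft documents them, a legacy account svc-web, a new account svc-web-dmsa, a host WEB01 running Windows Server 2025 (dMSA needs a host release that understands the account type), and the domain contoso.com; all of these names are placeholders.

```powershell
# Added example, not from the original article. Dry run by default; -Commit performs the changes.
param([switch]$Commit)
Import-Module ActiveDirectory
$legacy  = Get-ADUser     -Identity 'svc-web'
$webHost = Get-ADComputer -Identity 'WEB01'   # not $host, which is a PowerShell automatic variable

# 1. Create the dMSA. Only WEB01 may retrieve its key, the key is AES-only, and no human ever sees a password.
New-ADServiceAccount -Name 'svc-web-dmsa' -DNSHostName 'web01.contoso.com' `
    -CreateDelegatedServiceAccount -KerberosEncryptionType AES256 `
    -PrincipalsAllowedToRetrieveManagedPassword $webHost -WhatIf:(-not $Commit)

if ($Commit) {
    # 2. Link the dMSA to the legacy account: it takes over that account's group memberships and access.
    Start-ADServiceAccountMigration -Identity 'svc-web-dmsa' -ReplacedAccount $legacy.DistinguishedName

    # 3. Confirm the link and the migration state (1 = in progress, 2 = completed) and test the service on
    #    WEB01 while the legacy account still works.
    Get-ADServiceAccount -Identity 'svc-web-dmsa' `
        -Properties 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState' |
        Select-Object Name, 'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState'

    # 4. Finish the migration; the legacy account is marked superseded. Undo-ADServiceAccountMigration
    #    reverts step 2 if the service fails on the dMSA. Check afterwards that svc-web is disabled.
    Complete-ADServiceAccountMigration -Identity 'svc-web-dmsa' -ReplacedAccount $legacy.DistinguishedName
}
```

One design consequence worth stating: because a migrated dMSA inherits the access of the account it replaces, the right to create dMSA objects in an OU, and to write the link attribute, is effectively the right to mint that account's privileges. Treat it as a tier-0 permission and keep it off ordinary OU delegations.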

Password change protocols have also been hardened for local accounts on domain member computers and for members of the Protected Users global security group. On DCs, only the AES-based SAM RPC method (SamrUnicodeChangePasswordUser4) is accepted from remote callers by default; all legacy Security Account Manager password change methods are blocked by default when called remotely.

What the new Microsoft Forest Functional Level means

Moving to the new FFL opens the door to the security enhancements available in Windows Server 2025.

The 32k page size gives objects and multi-valued attributes room to grow, including the identities synchronised with the cloud. The shift to 64-bit Long Value IDs removes a database-lifetime exhaustion limit. The AES-SHA2 Kerberos encryption types and the retirement of RC4 let businesses tighten authentication with stronger hash and cipher choices.

LDAP clients can be monitored with greater granularity, while the DC locator gains DNSSEC validation to mitigate man-in-the-middle attacks. Moving Name/SID lookups off the Netlogon secure channel means businesses instead get the protections of Kerberos authentication and the DC locator algorithm. The newly introduced dMSA helps tackle Kerberoasting because its key is random and machine-managed and its use is tied to authorised device identities.

How Active Roles gets you the most from the new Forest Functional Level

AD is the backbone of corporate networks everywhere, but it was launched back in 2000, long before AI-assisted cyber-attacks and cloud-first strategies. When a business has AD domains plus Entra ID and M365 tenants, hybrid identities widen the attack surface unless they are managed consistently across both.

Active Roles solves these challenges by consolidating these complex and evolving environments into one console. You can implement capabilities across the entire forest, viewed through a single pane.

For example, a business may want stronger cryptography and modernized DC locators in FFL 2025. But there may still be legacy accounts and systems reducing overall visibility. Active Roles works well with FFL 2025 and features change tracking (Management History) to log who, what, and when changes were made to Active Directory objects.

Raising a forest level allows the business to take advantage of up-to-date features and security in AD. Active Roles ensures that visibility and control are maintained on a forest-wide basis. Administrators can then reduce the attack surface, streamline configurations, and better manage identity posture.

Specific benefits to Active Roles customers using FFL 2025:

Windows Server 2025 increases the AD database page size to 32 KB and adds NUMA‑aware performance improvements.

Benefit to Active Roles customers:

  • Faster LDAP queries and updates
  • Better performance for workflows, policies, and provisioning
  • Improved responsiveness when managing large directories
  • More efficient handling of bulk operations (e.g., provisioning, deprovisioning)

Windows Server 2025 introduces multiple security enhancements:

  • Improved Kerberos hardening
  • Better LDAP signing and channel binding
  • Updated password change methods

Benefit to Active Roles customers:

  • More secure communication between Active Roles and domain controllers
  • Reduced risk of downgrade attacks or insecure bindings
  • Compliance with modern security baselines without custom configuration

Windows Server 2025 updates the algorithm for locating domain controllers and adds replication partner prioritization.

Benefit to Active Roles:

  • More predictable replication behavior after ARS makes changes
  • Faster convergence of updates across sites
  • Reduced latency for provisioning workflows that depend on replication

Windows Server 2025 introduces a new forest functional level (FFL 10) with schema updates.

Benefit to Active Roles:

  • Access to new AD attributes and object capabilities
  • Better alignment with Entra ID hybrid scenarios
  • Future‑proofing for new Microsoft identity features

Improved Reliability & Database Integrity

The new AD DS engine includes:

  • Better database integrity checks
  • More resilient replication
  • Updated JET database format

Benefit to Active Roles:

  • Fewer AD‑level issues that ARS must work around
  • More stable provisioning and policy enforcement
  • Reduced risk of directory corruption impacting ARS workflow