Hybrid Identity features per Active Directory Domain Services Domain Controller Operating System, Domain Functional Level, Forest Functional Level and Schema version


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations.

These components have requirements of Active Directory Domain Services (AD DS) in terms of the schema, the Windows Server versions on the Domain Controllers an organization runs, the Domain Functional Level (DFL) and the Forest Functional Level (FFL).

The requirements and the information on the features you gain when you run certain Active Directory Domain Services constellations is scattered over the Internet, so I decided to create one blogpost with all this information in seven scenarios that may depict your organization’s specific Active Directory characteristics:

  1. Everything on Windows Server 2003
  2. Using Windows Server 2008 Domain Controllers, but 2003 functional levels
  3. Everything on Windows Server 2008
  4. Everything on Windows Server 2008 R2
  5. Running the Windows Server 2012 R2 schema, with Windows Server 2008 R2 as the minimum Operating System on your Domain Controllers and as your Domain Functional Level and Forest Functional Level
  6. Running the Windows Server 2016 schema, with Windows Server 2008 R2 as the minimum Operating System on your Domain Controllers and as your Domain Functional Level and Forest Functional Level
  7. Running the Windows Server 2016 schema, with at least one Windows Server 2016-based Domain Controller in your environment and functional levels of Windows Server 2008 R2 or higher

 

Legend

In the tables above, the colors mean the following:

  • Red: Domain Controllers with that Operating System cannot be deployed (on the row labeled ‘Active Directory Domain Controllers’).
  • Orange: deploying Domain Controllers with that Operating System, raising the Domain Functional Level or raising the Forest Functional Level is possible, but not required.
  • Green: the requirement that must be met to unlock certain Hybrid Identity features.

 

Scenario 1: Everything Windows Server 2003

Although we all know Windows Server 2003 is no longer supported unless you have an extended support contract with Microsoft, there are still organizations out there that have Windows Server 2003-based Domain Controllers.

In this scenario, you gain the following functionality:

Active Directory Federation Services

AD FS functionality you can use:

  • You can add AD FS Servers running AD FS 2.0 and AD FS 2.1
  • You can add AD FS Servers running Windows Server 2012 R2

AD FS functionality you cannot use:

  • You cannot add Windows Server 2016-based AD FS Servers to an AD FS Farm running Windows Server 2012 R2.
  • You cannot use client certificate authentication if the certificate is explicitly mapped to a user's account in Active Directory Domain Services (AD DS).
  • You cannot use a group Managed Service Account (gMSA) as the AD FS service account.
  • Although you can implement Windows Server 2012 R2-based AD FS servers, you cannot deploy Workplace Join through the Device Registration Service.
  • Since you cannot implement AD FS Servers running Windows Server 2016, you cannot have the built-in Azure MFA adapter, device compliance claims, Windows Hello for Business (also known as Passport for Work), per-Relying Party Trust (RPT) branding, and/or streamlined auditing.
  • Since you cannot implement AD FS Servers running Windows Server 2016, you cannot federate applications using Open ID Connect, SCIM or SAML 2.0 eGov.
  • In multi-forest environments, Active Directory forests with user accounts in scope for federation will need 2-way trusts with the Active Directory forest to which the AD FS Farm is joined.

Web Application Proxies

Device authentication uses TCP port 49443 on Web Application Proxies running Windows Server 2012 R2.

Azure AD Connect

Azure AD Connect features you can use:

  • You can use Azure AD Connect with Federation and Password Hash Sync as sign-in method.

Azure AD Connect features you cannot use:

  • You cannot use the Device Write-back feature.
  • You cannot use the Password Write-back feature, unless you either:
    • add at least one Windows Server 2008-based Active Directory Domain Controller to the environment and install hotfix KB2386717 on the intended server running Azure AD Connect, or
    • add at least one Windows Server 2008 R2-based (or newer) Active Directory Domain Controller to the environment.
  • You cannot use a group Managed Service Account (gMSA) as the service account.
  • You cannot use the Active Directory Recycle Bin feature. Azure AD Connect recommends this feature and will notify you when you run the Azure AD Connect wizard.

 

Scenario 2: Windows Server 2008 Mixed

Now, many organizations have upgraded their Active Directory Domain Controllers to Windows Server 2008 in the past years. Some organizations, though, may have forgotten to also raise the Active Directory Domain Functional Level (DFL) and Active Directory Forest Functional Level (FFL).

In this scenario, the following functionality is available:

Active Directory Federation Services

AD FS functionality you can use:

  • You can add AD FS Servers running AD FS 2.0 and AD FS 2.1
  • You can add AD FS Servers running Windows Server 2012 R2
  • You can add AD FS Servers running Windows Server 2016 to Windows Server 2012 R2-based AD FS Farms; however, you cannot set up new AD FS Farms with Windows Server 2016 AD FS Servers only.

AD FS functionality you cannot use:

  • You cannot use client certificate authentication if the certificate is explicitly mapped to a user's account in Active Directory Domain Services (AD DS).
  • You cannot use a group Managed Service Account (gMSA) as the AD FS service account.
  • Although you can implement AD FS Servers running Windows Server 2016, you cannot use Workplace Join through the Device Registration Service, the built-in Azure MFA adapter, device compliance claims, Windows Hello for Business (also known as Passport for Work), per-Relying Party Trust (RPT) branding, and/or streamlined auditing. These features require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • Although you can implement AD FS Servers running Windows Server 2016, you cannot federate applications using Open ID Connect, SCIM or SAML 2.0 eGov. These protocols require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • In multi-forest environments, Active Directory forests with user accounts in scope for federation will need 2-way trusts with the Active Directory forest to which the AD FS Farm is joined.

Web Application Proxies

Device authentication uses TCP port 49443 on Web Application Proxies running Windows Server 2012 R2 and Windows Server 2016.

Azure AD Connect

Azure AD Connect features you can use:

  • You can use Azure AD Connect with Federation and Password Hash Sync as sign-in method.
  • You can use the Password Write-back feature, but you will need to install hotfix KB2386717 on the intended server running Azure AD Connect.

Azure AD Connect features you cannot use:

  • You cannot use the Device Write-back feature.
  • You cannot use a group Managed Service Account (gMSA) as the service account.
  • You cannot use the Active Directory Recycle Bin feature. Azure AD Connect recommends this feature and will notify you when you run the Azure AD Connect wizard.

When compared to the previous scenario, your organization effectively gains the ability to add Windows Server 2016-based AD FS Servers to existing Windows Server 2012 R2-based AD FS farms, but cannot take advantage of the Windows Server 2016 AD FS Farm Behavioral Level. In addition, you can now take advantage of Password Write-back through Azure AD Connect.

 

Scenario 3: Everything Windows Server 2008

When you’ve implemented Active Directory Domain Services using Windows Server 2008 as the Operating System for all Domain Controllers, the Active Directory Domain Functional Level (DFL), the Active Directory Forest Functional Level (FFL) and the Active Directory schema, you are part of this scenario.

In this scenario, the following functionality is available:

Active Directory Federation Services

AD FS functionality you can use:

  • You can add AD FS Servers running AD FS 2.0 and AD FS 2.1
  • You can add AD FS Servers running Windows Server 2012 R2
  • You can add AD FS Servers running Windows Server 2016; however, you cannot set up new AD FS Farms with Windows Server 2016 AD FS Servers only.
  • You can use client certificate authentication if the certificate is explicitly mapped to a user's account in Active Directory Domain Services (AD DS).

AD FS functionality you cannot use:

  • You cannot use a group Managed Service Account (gMSA) as the AD FS service account.
  • Although you can implement AD FS Servers running Windows Server 2016, you cannot use Workplace Join through the Device Registration Service, the built-in Azure MFA adapter, device compliance claims, Windows Hello for Business (also known as Passport for Work), per-Relying Party Trust (RPT) branding, and/or streamlined auditing. These features require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • Although you can implement AD FS Servers running Windows Server 2016, you cannot federate applications using Open ID Connect, SCIM or SAML 2.0 eGov. These protocols require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • In multi-forest environments, Active Directory forests with user accounts in scope for federation will need 2-way trusts with the Active Directory forest to which the AD FS Farm is joined.

Web Application Proxies

Device authentication uses TCP port 49443 on Web Application Proxies running Windows Server 2012 R2 and Windows Server 2016. This feature requires you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.

Azure AD Connect

Azure AD Connect features you can use:

  • You can use Azure AD Connect with Federation and Password Hash Sync as sign-in method.
  • You can use the Password Write-back feature, but you will need to install hotfix KB2386717 on the intended server running Azure AD Connect.

Azure AD Connect features you cannot use:

  • You cannot use the Device Write-back feature.
  • You cannot use a group Managed Service Account (gMSA) as the service account.
  • You cannot use the Active Directory Recycle Bin feature. Azure AD Connect recommends this feature and will notify you when you run the Azure AD Connect wizard.

Effectively, your organization gains the ability to perform client certificate authentication when certificates are explicitly mapped to users’ accounts in Active Directory Domain Services (AD DS).

 

Scenario 4: Everything Windows Server 2008 R2

When you’ve implemented Active Directory Domain Services using Windows Server 2008 R2 as the Operating System for all Domain Controllers, the Active Directory Domain Functional Level (DFL), the Active Directory Forest Functional Level (FFL) and the Active Directory schema, you are part of this scenario.

Note:
Although Windows Server 2008 R2 allows you to lower the Active Directory functional levels again, once you enable the Active Directory Recycle Bin feature the functional level can no longer be lowered.

In this scenario, the following functionality is available:

Active Directory Federation Services

AD FS functionality you can use:

  • You can add AD FS Servers running AD FS 2.0 and AD FS 2.1
  • You can add AD FS Servers running Windows Server 2012 R2
  • You can add AD FS Servers running Windows Server 2016; however, you cannot set up new AD FS Farms with Windows Server 2016 AD FS Servers only.
  • You can use client certificate authentication if the certificate is explicitly mapped to a user's account in Active Directory Domain Services (AD DS).
  • You can use a group Managed Service Account (gMSA) as the AD FS service account on Windows Server 2012 R2-based AD FS Servers and Windows Server 2016-based AD FS Servers.

AD FS functionality you cannot use:

  • Although you can implement AD FS Servers running Windows Server 2016, you cannot use Workplace Join through the Device Registration Service, the built-in Azure MFA adapter, device compliance claims, Windows Hello for Business (also known as Passport for Work), per-Relying Party Trust (RPT) branding, and/or streamlined auditing. These features require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • Although you can implement AD FS Servers running Windows Server 2016, you cannot federate applications using Open ID Connect, SCIM or SAML 2.0 eGov. These protocols require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • In multi-forest environments, Active Directory forests with user accounts in scope for federation will need 2-way trusts with the Active Directory forest to which the AD FS Farm is joined.

Web Application Proxies

Device authentication uses TCP port 49443 on Web Application Proxies running Windows Server 2012 R2 and Windows Server 2016. This feature requires you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.

Azure AD Connect

Azure AD Connect features you can use:

  • You can use Azure AD Connect with Federation and Password Hash Sync as sign-in method.
  • You can use the Password Write-back feature, but you will need to install hotfix KB2386717 on the intended server running Azure AD Connect.
  • You can use a group Managed Service Account (gMSA) as the service account.
  • You can use the Active Directory Recycle Bin feature.

Azure AD Connect features you cannot use:

  • You cannot use the Device Write-back feature.

Effectively, your organization gains the ability to use group Managed Service Accounts (gMSAs) for Active Directory Federation Services and Azure AD Connect, and to benefit from the Active Directory Recycle Bin.

 

Scenario 5: The Magic of the Windows Server 2012 R2 Schema

When you’ve implemented Active Directory Domain Services using Windows Server 2008 R2 as the Operating System for all Domain Controllers, the Active Directory Domain Functional Level (DFL), the Active Directory Forest Functional Level (FFL) and the Active Directory schema, you can optionally upgrade the Active Directory schema to Windows Server 2012 R2.

Note:
Although Windows Server 2008 R2 allows you to lower the Active Directory functional levels again, once you enable the Active Directory Recycle Bin feature the functional level can no longer be lowered.

In this scenario, the following functionality is available:

Active Directory Federation Services

AD FS functionality you can use:

  • You can add AD FS Servers running AD FS 2.0 and AD FS 2.1
  • You can add AD FS Servers running Windows Server 2012 R2
  • You can add AD FS Servers running Windows Server 2016; however, you cannot set up new AD FS Farms with Windows Server 2016 AD FS Servers only.
  • You can use client certificate authentication if the certificate is explicitly mapped to a user's account in Active Directory Domain Services (AD DS).
  • You can use a group Managed Service Account (gMSA) as the AD FS service account on Windows Server 2012 R2-based AD FS Servers and Windows Server 2016-based AD FS Servers.
  • You can deploy the Device Registration Service on AD FS servers running Windows Server 2012 R2.

AD FS functionality you cannot use:

  • Although you can implement AD FS Servers running Windows Server 2016, you cannot use its Workplace Join through the Device Registration Service, the built-in Azure MFA adapter, device compliance claims, Windows Hello for Business (also known as Passport for Work), per-Relying Party Trust (RPT) branding, and/or streamlined auditing. These features require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • Although you can implement AD FS Servers running Windows Server 2016, you cannot federate applications using Open ID Connect, SCIM or SAML 2.0 eGov. These protocols require you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.
  • In multi-forest environments, Active Directory forests with user accounts in scope for federation will need 2-way trusts with the Active Directory forest to which the AD FS Farm is joined.

Web Application Proxies

By default, device authentication uses TCP port 49443 on Web Application Proxies running Windows Server 2012 R2 and Windows Server 2016. This feature requires you to upgrade the AD FS Farm Behavioral Level (FBL) to Windows Server 2016.

Azure AD Connect

Azure AD Connect features you can use:

  • You can use Azure AD Connect with Federation and Password Hash Sync as sign-in method.
  • You can use the Password Write-back feature, but you will need to install hotfix KB2386717 on the intended server running Azure AD Connect.
  • You can use a group Managed Service Account (gMSA) as the service account.
  • You can use the Active Directory Recycle Bin feature.
  • You can use the Device Write-back feature.

You can use all Azure AD Connect features.

Effectively, your organization gains the ability to use the Device Registration Service on Windows Server 2012 R2-based AD FS Servers. Azure AD Connect offers the ability to perform Device Write-back, too.

 

Scenario 6: Unlock most features with the Windows Server 2016 Schema

When you’ve implemented Active Directory Domain Services using Windows Server 2008 R2 as the Operating System for all Domain Controllers, the Active Directory Domain Functional Level (DFL), the Active Directory Forest Functional Level (FFL) and the Active Directory schema, you can optionally upgrade the Active Directory schema to Windows Server 2016.

Note:
Although Windows Server 2008 R2 allows you to lower the Active Directory functional levels again, once you enable the Active Directory Recycle Bin feature the functional level can no longer be lowered.

In this scenario, the following functionality is available:

Active Directory Federation Services

AD FS functionality you can use:

  • You can add AD FS Servers running AD FS 2.0 and AD FS 2.1
  • You can add AD FS Servers running Windows Server 2012 R2
  • You can add AD FS Servers running Windows Server 2016, and even set up new AD FS Farms with Windows Server 2016 AD FS Servers only.
  • You can use client certificate authentication if the certificate is explicitly mapped to a user's account in Active Directory Domain Services (AD DS).
  • You can use a group Managed Service Account (gMSA) as the AD FS service account on Windows Server 2012 R2-based AD FS Servers and Windows Server 2016-based AD FS Servers.
  • You can deploy the Device Registration Service and use Workplace Join.
  • When your organization runs the Windows Server 2016 AD FS Farm Behavioral Level (FBL), either by adding Windows Server 2016-based AD FS Servers to a Windows Server 2012 R2-based AD FS Farm, removing the Windows Server 2012 R2-based AD FS Servers and raising the FBL, or by starting a new AD FS Farm with Windows Server 2016-based AD FS Servers only, your organization can use the built-in Azure MFA adapter, device compliance claims, per-Relying Party Trust (RPT) branding, streamlined auditing, and/or federate applications using Open ID Connect, SCIM or SAML 2.0 eGov.
  • In multi-forest environments, Active Directory forests with user accounts in scope for federation no longer need 2-way trusts.

AD FS functionality you cannot use:

  • Although you can implement AD FS Servers running Windows Server 2016, you cannot use Windows Hello for Business (also known as Passport for Work).

Web Application Proxies

Device authentication uses TCP port 443 for AD FS Farms running the Windows Server 2016 Farm Behavioral Level (FBL) when you add the certauth.sts.domain.tld Subject Alternative Name (SAN) to the AD FS Service Communications Certificate.

Azure AD Connect

You can use all Azure AD Connect features.

Effectively, your organization gains the ability to deploy new AD FS Farms using Windows Server 2016 with all its great features and upgrade existing Windows Server 2012 R2-based AD FS Farms to do the same. Azure AD Connect offers all its functionality.

 

Scenario 7: Unlock Windows Hello for Business with a Windows Server 2016 Domain Controller

Regardless of the Active Directory Domain Functional Level (DFL) and the Active Directory Forest Functional Level (FFL), you can unlock all current Hybrid Identity features when you run the Windows Server 2016 Active Directory schema and deploy at least one Domain Controller running Windows Server 2016.

Note:
Although Windows Server 2008 R2 allows you to lower the Active Directory functional levels again, once you enable the Active Directory Recycle Bin feature the functional level can no longer be lowered.

In this scenario, the following functionality is available:

Active Directory Federation Services

You can use all of the features of Active Directory Federation Services.

Web Application Proxies

Device authentication uses TCP port 443 for AD FS Farms running the Windows Server 2016 Farm Behavioral Level (FBL) when you add the certauth.sts.domain.tld Subject Alternative Name (SAN) to the AD FS Service Communications Certificate.

Azure AD Connect

You can use all Azure AD Connect features.

Effectively, your organization gains the ability to use Windows Hello for Business (also known as Passport for Work).

 

Concluding

While Hybrid Identity doesn’t require the most recent Active Directory functional levels, it does depend on the latest Active Directory schema.

My advice will always be to upgrade the schema to the latest version of Windows Server, whenever you extend the schema for anything else, like Exchange Server, Skype for Business or the Local Administrator Password Solution (LAPS).

When you’re running the Windows Server 2008 R2 Active Directory functional levels you’ll be fine, with the exception of the Windows Hello for Business feature, which requires at least one Windows Server 2016-based Domain Controller.
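To find out which of the seven scenarios describes a given forest, here is an added PowerShell example (not code from the original post) that reads the schema objectVersion, the functional levels and the Domain Controller operating systems, and applies the scenario definitions above. It assumes the ActiveDirectory RSAT module and read access to every domain in the forest; the objectVersion-to-release table and the scenario rules are my own encoding of the page’s definitions.

```powershell
# Added example (not code from the original post): classify an AD DS forest into
# the seven scenarios above. Assumes the ActiveDirectory module (RSAT) and read
# access to every domain in the forest. The objectVersion-to-release table and
# the scenario rules are my encoding of the page's definitions.
Import-Module ActiveDirectory

# Ordinal per Windows Server release so that levels can be compared.
$rank = @{ '2000'=-1; '2003'=0; '2008'=1; '2008 R2'=2; '2012'=3; '2012 R2'=4; '2016'=5; '2019'=6 }

# objectVersion of the CN=Schema container per release (documented values).
$schemaReleases = @{ 30='2003'; 31='2003'; 44='2008'; 47='2008 R2'; 56='2012'; 69='2012 R2'; 87='2016'; 88='2019' }

function ConvertTo-Release([string]$Text) {
    # 'Windows2008R2Forest' or 'Windows Server 2012 R2 Standard' -> '2008 R2' / '2012 R2'
    if ($Text -match '(\d{4})\s*(R2)?') {
        if ($Matches[2]) { return "$($Matches[1]) R2" }
        return $Matches[1]
    }
    throw "Cannot determine a Windows Server release from '$Text'"
}

function Get-HybridIdentityScenario {
    param(
        [string]$Schema,        # release whose schema is installed, e.g. '2016'
        [string]$DomainLevel,   # lowest Domain Functional Level in the forest
        [string]$ForestLevel,   # Forest Functional Level
        [string[]]$DcReleases   # one release string per Domain Controller
    )
    $s     = $rank[$Schema]
    $fl    = [Math]::Min($rank[$DomainLevel], $rank[$ForestLevel])
    $ranks = $DcReleases | ForEach-Object { $rank[$_] }
    $dcMin = ($ranks | Measure-Object -Minimum).Minimum
    $dcMax = ($ranks | Measure-Object -Maximum).Maximum

    # Rules follow the scenario list at the top of the post, most capable first.
    if ($s -ge $rank['2016'] -and $dcMax -ge $rank['2016'] -and $fl -ge $rank['2008 R2']) { return 7 }
    if ($s -ge $rank['2016'] -and $dcMin -ge $rank['2008 R2'] -and $fl -ge $rank['2008 R2']) { return 6 }
    if ($s -ge $rank['2012 R2'] -and $dcMin -ge $rank['2008 R2'] -and $fl -ge $rank['2008 R2']) { return 5 }
    if ($s -eq $rank['2008 R2'] -and $dcMin -eq $rank['2008 R2'] -and $fl -eq $rank['2008 R2']) { return 4 }
    if ($s -eq $rank['2008'] -and $dcMin -eq $rank['2008'] -and $fl -eq $rank['2008']) { return 3 }
    if ($dcMin -ge $rank['2008'] -and $fl -eq $rank['2003']) { return 2 }
    if ($dcMax -eq $rank['2003'] -and $fl -le $rank['2003']) { return 1 }
    return 0   # a mixed state that none of the seven scenarios describes
}

# Collect the live values from the forest.
$forest    = Get-ADForest
$schemaObj = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
$schemaRel = $schemaReleases[[int]$schemaObj.objectVersion]
if (-not $schemaRel) { throw "Unknown schema objectVersion $($schemaObj.objectVersion)" }

$domainLevels = foreach ($d in $forest.Domains) { ConvertTo-Release (Get-ADDomain -Server $d).DomainMode }
$lowestDfl    = $domainLevels | Sort-Object { $rank[$_] } | Select-Object -First 1
$forestLevel  = ConvertTo-Release $forest.ForestMode
$dcReleases   = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d | ForEach-Object { ConvertTo-Release $_.OperatingSystem }
}
# Recycle Bin state: Azure AD Connect checks for it, and enabling it locks the functional level.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'

[pscustomobject]@{
    SchemaObjectVersion = $schemaObj.objectVersion
    SchemaRelease       = $schemaRel
    LowestDomainLevel   = $lowestDfl
    ForestLevel         = $forestLevel
    OldestDcRelease     = $dcReleases | Sort-Object { $rank[$_] } | Select-Object -First 1
    RecycleBinEnabled   = [bool]$recycleBin.EnabledScopes
    Scenario            = Get-HybridIdentityScenario -Schema $schemaRel -DomainLevel $lowestDfl `
                              -ForestLevel $forestLevel -DcReleases $dcReleases
}
```

A Scenario of 0 means the forest is in a mixed state the post does not describe (for example a Windows Server 2012 R2 schema on Windows Server 2008 functional levels); Get-HybridIdentityScenario can also be called with hand-picked values to evaluate a planned upgrade before touching the forest.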

Resources

I’ve used these official Microsoft Documentation resources to create the lists above:

AD FS Requirements for Windows Server 2012 R2
AD FS Requirements for Windows Server 2016
Prerequisites for Azure AD Connect
Azure AD Connect: Enabling device Write-back
What's New in AD DS: Active Directory Recycle Bin

5 Responses to Hybrid Identity features per Active Directory Domain Services Domain Controller Operating System, Domain Functional Level, Forest Functional Level and Schema version

  1.  

    Wow, truly one of the best and very well described blogs from the last months I have read. This will help certainly in the every day consultant day. /faved, and saved.

  2.  

    Silly question, if we have ADFS3.0 and put ADFS4.0 servers in the farm and remove the ADFS3.0 servers from the farm. We could upgrade the farm to ADFS4.0 but is this required can we let the farm run in ADFS3.0 mode?

    • Yes, you can.

      The 2012 R2 Farm Behavioral Level (FBL) for AD FS offers the following functionality:

      • Admins can add Windows Server 2012 R2 AD FS Servers and Web Application Proxies
      • Windows Server 2016 schema not required
      • Windows Server 2008 DFL is required for client certificate authentication to operate successfully if the certificate is explicitly mapped to a user's account in AD DS.
      • Windows Server 2012 R2 Schema is required to use Workplace Join functionality.
      • Port 49443 for Device Authentication
      • Ability to upgrade FBL

      The 2016 Farm Behavioral Level (FBL) for AD FS offers the following functionality:

      • Port 443 for Device Authentication
      • Built-in Azure Multi-Factor Authentication AD FS Adapter and Azure MFA as primary authentication method
      • Device compliance status for AD FS claims issuance rules and Azure AD Connect device write-back for Azure AD-joined devices
      • Sign-in with Windows Hello for Business
      • Open ID Connect and SCIM support
      • SAML 2.0 inCommon and eGov support
      • Access Control Policies manageability
      • Sign-in with accounts from non-Active Directory LDAPv3 directories
      • Sign-in with accounts from Active Directory forests to which an Active Directory two-way trust is not configured
      • Sign-in with accounts from Active Directory Lightweight Directory Services (AD LDS)
      • Per-Relying Party Trust branding
      • Improved auditing (more streamlined, less verbose)
      • Send password expiry claims to RPTs to notify users when using Office 365

      It makes sense to upgrade. However, once you upgrade the Farm Behavioral Level from 2012 R2 to 2016, you cannot downgrade it.

       
  3.  

    Thanks, prepping forest and domain to 2016 is not something not all customers want to do without proper testing. So idea would be to make a 2016 farm but let it run in 2012r2 mode & upgrade later.

  4.  

    Woaw, great job !!! Amazing.
    Thank you !
