>

Active Directory Evolution

Comprehensive analysis of Active Directory changes across Windows Server 2019, 2022, and 2025

Active Directory Overview by Version

Server 2019

Schema Version: 88

Release: October 2018

Status: Mainstream support ended January 2024

  • Still-current security features
  • Good for mixed environments
  • Limited cloud integration

Server 2022

Schema Version: 88 (with 2022 enhancements)

Release: August 2021

Status: Current mainstream support until Oct 2026

  • Azure AD integration
  • Enhanced security defaults
  • Improved management tools

Server 2025

Schema Version: 89

Release: September 2024

Status: Latest version, support until Oct 2034

  • New schema version
  • Zero Trust support
  • AI-powered features
📌 Important: Schema version 88 is used for both 2019 and 2022. Windows Server 2025 introduces Schema version 89. You can have mixed 2019/2022 forests at schema 88, but upgrading to 2025 requires schema extension.

Schema Changes & Extensions

Schema Version Timeline

Schema Version First Introduced Included in Versions Key Changes Backwards Compatible
Schema 88 Server 2019 2019, 2022 Azure AD Hybrid Identity, TPM attributes Yes (from 87)
Schema 89 Server 2025 2025 Zero Trust attributes, device compliance Yes (from 88)

Major Schema Additions in Server 2025 (Schema 89)

Device Identity Attributes

  • Enhanced device compliance attributes
  • Zero Trust device posture storage
  • Device health status attributes
  • Compliance policy tracking

Certificate & PKI Enhancements

  • Extended certificate attribute support
  • Certificate template versioning
  • Enhanced ECC support
  • Post-quantum cryptography preparation

Enhanced User Attributes

  • Extended authentication policy attributes
  • FIDO2 credential storage
  • Multi-factor authentication flags
  • Passwordless sign-in support

Forest/Domain Attributes

  • Enhanced security baseline tracking
  • Forest policy versioning
  • Audit policy attributes
  • Configuration tracking

Schema Changes in Server 2022 (Schema 88)

⚠️ Schema Extension Warning: Schema extensions are irreversible. Test thoroughly in lab environments. Ensure all DC hardware supports the new schema version. Have rollback plans (though practical rollback from 89 to 88 is very difficult).

Security Features Evolution

Security Feature Comparison Matrix

Security Feature Server 2019 Server 2022 Server 2025
Kerberos Armoring Limited
Flexible Authentication Secure Tunneling (FAST) Partial
PKINIT Support
Authentication Policies
FIDO2/Passwordless Limited
Zero Trust Integration Partial
Azure AD Conditional Access
Advanced Audit Policies
Account Security Monitoring Basic
Tier Model Enforcement

Kerberos Enhancements

Server 2022 Kerberos Improvements

  • Kerberos Armoring (FAST): Protection against brute-force attacks on Kerberos
  • RC4-HMAC Deprecation: Encouraging migration to AES encryption
  • Delegated Credential: Support for s4u2proxy scenarios
  • Enhanced Logging: Detailed Kerberos event tracking

Server 2025 Zero Trust Features

  • Device Posture Evaluation: Real-time device compliance checking
  • Conditional Access Integration: Risk-based authentication decisions
  • Passwordless Authentication: Default-enable FIDO2
  • Implicit Trust Disable: Never trust, always verify enforced

Password Policy Evolution

Policy Area Server 2019 Server 2022 Server 2025
Min Password Length Default 7 characters (legacy) 8 characters (recommended) 12 characters (recommended)
Password Expiration 42 days (default) 90 days (recommended) Never (encourage MFA instead)
Account Lockout 5 attempts / 30 min 5 attempts / 30 min 3 attempts / 15 min (recommended)
MFA Requirement Optional Recommended Required for privileged access
Password History 24 passwords remembered 24 passwords remembered N/A (passwordless preferred)
✓ Security Recommendation: Implement passwordless sign-in with Server 2025. Use FIDO2 tokens or Windows Hello for Business with certificate-based authentication. This eliminates password-based attacks entirely.

Forest & Domain Functional Levels

Functional Level Reference

Functional Level First Introduced Forest Capable Domain Capable Key Features
2016 Server 2016 PAM (Privileged Access Management)
2019 Server 2019 AES encryption for Kerberos
2022 Server 2022 Windows Server 2022 features (FAST, etc.)
2025 Server 2025 Schema 89, Zero Trust features

Supported Domain Controller Combinations by Functional Level

2022 Functional Level

  • ✓ Windows Server 2022 DCs
  • ✓ Windows Server 2019 DCs
  • ✓ Windows Server 2016 DCs
  • ✗ Windows Server 2012 R2 or earlier

Action Required: All DCs must run 2016 or higher. Cannot have 2012 R2 DCs at 2022 functional level.

2025 Functional Level

  • ✓ Windows Server 2025 DCs
  • ✓ Windows Server 2022 DCs
  • ✗ Windows Server 2019 DCs or earlier

Action Required: All DCs must run 2022 or higher (schema 88 minimum). Immediate upgrade of 2019 DCs required.

⚠️ Critical: Raising functional level is irreversible. You cannot lower it afterward. Ensure all DCs support the target functional level before raising.

Management & Administration Tools

Active Directory Administration Tools Evolution

Management Tool 2019 2022 2025
Active Directory Users & Computers
Active Directory Administrative Center
Windows Admin Center AD Features Limited
PowerShell AD Module
Graph PowerShell Module (AD) Preview
Azure AD/Entra ID Integration Basic
Cloud-based Management

PowerShell Enhancements

Server 2022 Improvements

  • PowerShell 7.x support
  • Cross-platform AD module compatibility (Windows Admin Center)
  • Graph API integration in preview
  • Enhanced error handling

Server 2025 Enhancements

  • Microsoft Graph PowerShell module (GA)
  • Cloud-native management patterns
  • AI-powered diagnostics in Windows Admin Center
  • Automated remediation suggestions

Windows Admin Center AD Features

2022 Features

  • Domain join management
  • DNS server management
  • DHCP server management
  • Certificate services

2025 New Features

  • AI-powered optimization
  • Predictive diagnostics
  • Compliance checking
  • Zero Trust configuration

Compatibility & Coexistence

Mixed Forest Scenarios

Scenario Supported Notes
Server 2022 + 2019 DCs (same forest) ✓ Yes Schema 88 compatible. Max functional level 2022.
Server 2022 + 2016 DCs (same forest) ✓ Yes Schema 88 compatible. Max functional level 2016.
Server 2025 + 2022 DCs (same forest) ✓ Yes Schema 89 compatible. Max functional level 2022 (until all 2025).
Server 2025 + 2019 DCs (same forest) ✗ No Schema mismatch. Must upgrade all 2019 DCs to 2022 first.
Cross-forest trust 2019↔2022 ✓ Yes Full trust/external trust supported.
Cross-forest trust 2022↔2025 ✓ Yes Full trust/external trust supported.
Replica sets 2019↔2022 ✓ Yes Replication fully compatible.

Backwards Compatibility Matrix

Feature 2025 DCs with 2022 Functional Level 2022 DCs with 2019 Functional Level
Replication ✓ Full compatibility ✓ Full compatibility
Authentication ✓ Full compatibility ✓ Full compatibility
Schema Extensions ✓ Limited (89→88 subset) ✓ Full compatibility
New Features ✗ Not available ✗ Not available
📌 Coexistence Strategy: You can have mixed version forests during migration. Upgrade gradually: 2019→2022→2025. Each step takes 2-4 weeks to complete for a full forest. Only after all DCs are upgraded can you raise the functional level to the new version.

Migration Strategy & Planning

Recommended Upgrade Path

Multi-Hop Migration Path

Starting from: Windows Server 2012 R2 or 2016

2012 R2 → 2016 → 2019 → 2022 → 2025

Each step: 2-4 weeks per DC (staggered to maintain HA)

Step-by-Step Migration Plan

Phase 1: Prepare (Weeks 1-2)

  • ☐ Inventory all DCs and roles
  • ☐ Document forest structure
  • ☐ Check hardware compatibility
  • ☐ Backup AD database
  • ☐ Test in lab environment

Phase 2: Schema Extension (Week 2)

  • ☐ Prepare schema extensions
  • ☐ Test schema changes in dev forest
  • ☐ Document all schema additions
  • ☐ Get change approval
  • ☐ Prepare rollback procedure

Phase 3: DC Upgrade (Weeks 3-8)

  • ☐ Upgrade RODCs first
  • ☐ Verify replication
  • ☐ Upgrade regional DCs
  • ☐ Test authentication
  • ☐ Upgrade bridgehead DCs

Phase 4: Raise Functional Level (Week 9)

  • ☐ Verify all DCs upgraded
  • ☐ Test applications compatibility
  • ☐ Raise domain functional level
  • ☐ Raise forest functional level
  • ☐ Monitor for issues

Pre-Migration Checklist

⚠️ Critical Steps:
  • Always upgrade RODCs and non-critical DCs first
  • Keep at least 2 DCs of previous version during initial upgrade
  • Test replication thoroughly after each DC upgrade
  • Wait 24-48 hours before upgrading next DC for stability observation

Frequently Asked Questions

Q: What's the schema version for each Windows Server version?
A: Server 2019 and 2022 both use Schema 88. Server 2025 uses Schema 89. Schema version is separate from the Windows Server version and determines which DC versions can coexist in a forest.
Q: Can I have Server 2019 and 2025 DCs in the same forest?
A: No. 2025 DCs use Schema 89, while 2019 DCs use Schema 88. You must first upgrade 2019 DCs to 2022 (still Schema 88), then to 2025. Mixed Schema forests are not supported.
Q: How long does a DC upgrade take?
A: A single DC upgrade takes 30-60 minutes, including reboots. However, you should allow 24-48 hours between upgrades for monitoring and stability verification. A full forest with 10 DCs could take 2-3 months with proper staggering.
Q: Is schema extension required when upgrading from 2022 to 2025?
A: Yes, schema must be extended from 88 to 89. This is a one-time operation that must be performed by a member of the Schema Admins group. After extension, you can gradually upgrade DCs and then raise the functional level.
Q: What happens if I raise functional level too early?
A: Raising functional level before all DCs are upgraded causes that DC to stop operating properly in replication and authentication. Always verify all DCs are upgraded before raising the functional level. Functional level raises are irreversible.
Q: Should we upgrade to 2025 immediately?
A: No. Plan to be on 2022 for 1-2 years to establish stability. Upgrade to 2025 when you want to use new features (Zero Trust, passwordless auth, AI diagnostics). 2022 support runs until October 2031, so there's no rush.
Q: What security improvements should we prioritize?
A: Priority 1: Upgrade to 2022 for Kerberos Armoring and SMB 3.1.1. Priority 2: Enable Azure AD Hybrid Identity. Priority 3: Upgrade to 2025 for Zero Trust and passwordless authentication. These provide the best security ROI.
Q: Can we skip 2022 and go directly from 2019 to 2025?
A: Technically no - there's no direct in-place upgrade. You must upgrade 2019→2022 first. However, you can upgrade to 2022, immediately plan 2022→2025, and do that quickly if desired. Many organizations do this to minimize extended support costs.