Is anyone at a 2025 ADDS functional level?

Posted by donyewumpppp@reddit | sysadmin | 32 comments

Curious if anyone has been brave enough to go for it

32 Comments

Mitchell_90@reddit

Have 2025 DCs running in a couple of lab environments. One with all 2025 DCs and 2025 FL since May last year, not had any issues. The environment also had RC4 disabled previously. I also have another lab environment running mixed 2022 and 2025 DCs for testing which also has RC4 disabled and it seems to be working fine. It’s just had the November CUs applied so maybe MS finally fixed the interoperability issues? So far I haven’t been able to reproduce the issues others have been facing. The environment with all 2025 DCs and FL has a forest/domain which is over 15 years old and the other is one which was stood up clean on 2022 DCs a few years back.

raip@reddit

Our dev environment is 2025 and it's a fucking nightmare. We're constantly reaching out to our CSM/TAM for new bugs that we've encountered to the point where we actually have a shared OneNote that we're just updating for them when we find failures in our platform. We're talking duplicate schema attributes (something that should be impossible), Kerberos pre-auth issues, crazy interoperability issues in mixed environments, and most recently some pretty impactful issues with gMSAs that required forced password changes to fix. My environment is somewhat complicated (we have over 150k users and even our AD Infrastructure team is over 10 people) so YMMV - but my recommendation is unless you're very small or have a full blown dev/test/prod setup, stick w/ 2022 DCs w/ a 2016 DFL. 2025 for member servers work fine.

unccvince@reddit

If you want to change for something really new and awesome, go Samba-AD, it's full FL2016 compatible. If you want 2022 ldap schema, you can have them too with latest 4.23. There is no joking, even though this post will be fired at unpitifully. Samba-AD works for 150k users, true and tested.

raip@reddit

Sadly wouldn't be appropriate in my environment. Hiring engineers that have meaningful Samba-AD experience would be tricky and getting the level of support required with a BAA signed + dedicated US based Engineer isn't on the table from SerNet. I like Samba as a project overall and if I were starting my own company I'd likely leverage it but I'm not currently paid to choose products, only support them to the best of my ability.

unccvince@reddit

Cool, you've identified SerNet in DE as a corporate source of support for Samba. Catalyst in NZ, AUS and Asia is another one. Tranquil IT takes care of the French speaking market in EU and the rest of the French speaking world, so real alternatives to MSAD are developing fast. Things are simmering in the US though, well ... because ... . According to what I've observed, a Samba-AD engineer is someone with AD experience having basic Linux experience, this is a similar profile to someone who has MSAD experience with basic Windows OS experience. My writing to you is to tell you it's possible today. Your choice. Trolls and lobbyists, please destroy me.

xxdcmast@reddit

I keep thinking 2025 DCs may be ready for my environment. But then I continually see new insanity-level posts about how badly MS screwed them up. So looks like 2022 for me still.

BoringLime@reddit

Same. It's been out for awhile, I'm sure all the issues are gone. Nope....

jstuart-tech@reddit

I have a brand new production environment (consolidation from multiple domains into 1) with 9 DCs and ~220 users so far. No AD issues encountered. All DCs are 2025, same with all servers, all endpoints are W11 24H2. If you have mixed DCs I'm pretty sure it's a bad idea; if you have the luxury of being all new then I'm happy with it. If you have to upgrade from a mixed environment.... then it's a challenge.

LA33R@reddit

Kinda same. All brand new, 2 DCs 2025 from the outset and has been okay thus far.

Send_Them_Noobs@reddit

May I ask why do you have 9 DCs for 220 users? I had 6,000 endpoints and 40,000 mailboxes on 3 DCs in my previous company.

Hunter_Holding@reddit

That mailbox amount makes me nervous with that few DCs, if that was on-premise exchange. That's a performance chokepoint. Though, 2025's enhancements make it better, but still. I'd have had a DC or two local to the exchange servers and had them in their own AD site that users aren't hitting, just Exchange.

Stonewalled9999@reddit

Laughs in memory of 4000 mailboxes Ex5.5 PDC on 486DX2-66 and 2 BDCs on P133s

Send_Them_Noobs@reddit

It was on-prem 2012 Exchange & DC. Rebuilding Exchange was a weekly activity lol, but the DC was solid. It was because ~25k mailboxes were for people to see announcements and had a 20MB storage limit.

Hunter_Holding@reddit

Rebuilding Exchange weekly? What kinda crap build was that?! Every Exchange deployment I've had ran itself, essentially, with only CUs and hardware failures taking up any time. From 100 users to 40k users (current environment before moving the majority to O365). Then again, even for 100 users I was running a textbook preferred-architecture single-site setup.. 2x edge, 2x load balancer, 4x Exchange box (3 active, 1 lag). For the 40k users we had ~16 nodes per datacenter with similar setups. Each node had a lot of mailbox drives, though.....

jstuart-tech@reddit

Another 300 users to go, multiple remote minesites and offices with flakey internet.

Send_Them_Noobs@reddit

Makes sense I guess. The previous company had their own private MPLS that covered ~80 locations, which made us not worry about flakey internet or bandwidth (for the most part).

Fit_Indication_2529@reddit

Sometimes it's better to pay for extra bandwidth. Sometimes it isn't available, so you build out your physical site.

BoringLime@reddit

Seems risky with all the people having various major issues. Once you upgrade you are basically stuck with the issues until they are fixed. I am assuming the people that will upgrade first are the ones that need a new feature. You can use a 2025 DC and leave the functional level at 2016.

bbqwatermelon@reddit

To be expected when the beta testers are now the general release channel

FatBook-Air@reddit

I'm starting to wonder if Microsoft intends on fixing them. This has been stewing in Windows Server 2025 for just over 12 months, and not a lot of progress has been made. It kind of feels like they're just going to wait until the next major release.

Stonewalled9999@reddit

They aren't going to fix it; they are just going to spend that time on copilot copilot copilot.

snklznet@reddit

Copilot will fix it right? Right?

raip@reddit

I'd personally recommend 2022 DC and leaving the DFL at 2016 in the current state.

Ironic_Jedi@reddit

Agree. That's what we did at my org. Stable configuration with the modern features we need like cloud Kerberos.

Prudent-Tree-7101@reddit

As others have mentioned, running a mixed DC environment is not something I would recommend. If you for instance have RC4 disabled through GPOs, and introduce promoted 2025 DCs to an older environment, you may start having bad Kerberos issues. We have faced these problems ourselves. [https://windowsforum.com/threads/kerberos-breakage-in-mixed-ad-after-adding-windows-server-2025-dcs.382361/](https://windowsforum.com/threads/kerberos-breakage-in-mixed-ad-after-adding-windows-server-2025-dcs.382361/)

snklznet@reddit

Am MSP. We won't deploy 2025 DCs because it's been breaking shit severely. Namely Kerberos: had a customer update all their DCs by themselves, and they called the next morning with Kerberos tokens failing to renew. Had to log off and log on fully to regenerate tickets. After 5 hours of login or so all mapped shares break and users would get a no-permission error.

xfilesvault@reddit

We just added a 2025 DC alongside our 2029 current ones, and kept the functional level the same, and had hell rain down on us with problems with NTLM, Kerberos, gMSA accounts not working, and supported encryption levels. We had to go through and recreate every gMSA account and reset permissions on them.
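An added pre-flight audit for the failure modes described in this post and in Prudent-Tree-7101's post above (example script written for this thread, not code from any commenter): it prints the functional levels, the DC operating-system mix, and the Kerberos encryption types set on DC computer objects, krbtgt and every gMSA, flagging objects that cannot do AES and so would depend on the RC4 that such a GPO disables. It assumes the RSAT ActiveDirectory module and read rights on the domain; the bit values and the registry path are Microsoft's documented ones.

```powershell
# Added pre-flight audit, not code from the thread: summarises the things the
# posts above blame for breakage in mixed environments (DC OS mix, functional
# levels, Kerberos encryption types on DCs, krbtgt and gMSAs).
# Assumes the RSAT ActiveDirectory module and read rights on the domain.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft
$ETypes = [ordered]@{ 1 = 'DES-CRC'; 2 = 'DES-MD5'; 4 = 'RC4'; 8 = 'AES128'; 16 = 'AES256' }
function Decode-EType([int]$Value) {
    if ($Value -eq 0) { return 'not set (OS defaults apply)' }
    ($ETypes.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $ETypes[$_] }) -join ','
}

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain FL: $($domain.DomainMode)   Forest FL: $($forest.ForestMode)"

# 1. Operating-system mix of the DCs (mixed 2022/2025 is the case the posts warn about)
$dcs = Get-ADDomainController -Filter *
$dcs | Group-Object OperatingSystem | ForEach-Object { "{0,3} x {1}" -f $_.Count, $_.Name }

# 2. Encryption types advertised by DC computer objects, krbtgt and every gMSA
$objects  = @($dcs | ForEach-Object { Get-ADComputer $_.ComputerObjectDN -Properties 'msDS-SupportedEncryptionTypes' })
$objects += Get-ADUser krbtgt -Properties 'msDS-SupportedEncryptionTypes'
$objects += Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' -Properties 'msDS-SupportedEncryptionTypes'

$report = foreach ($o in $objects) {
    $v = [int]($o.'msDS-SupportedEncryptionTypes')   # $null (unset) becomes 0
    [pscustomobject]@{
        Name   = $o.Name
        Class  = $o.ObjectClass
        ETypes = Decode-EType $v
        # No AES bit (8 or 16) set means the object can only negotiate RC4/DES,
        # which an "RC4 disabled" GPO forbids: the breakage described in the thread.
        Flag   = if ($v -ne 0 -and -not ($v -band 24)) { 'NO-AES' } else { '' }
    }
}
$report | Format-Table -AutoSize

# 3. Effective Kerberos policy on this host (value written by the GPO
#    "Network security: Configure encryption types allowed for Kerberos")
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
"Local Kerberos policy: " + (Decode-EType ([int]$local))
```

Run it on a DC before promoting a 2025 DC and again afterwards; a row that gains a NO-AES flag, or a gMSA whose ETypes changed, is the place to look first.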

Fit_Indication_2529@reddit

Right now the only things I have at that functional level are greenfields and labs.

Hunter_Holding@reddit

I've had it running for over a year without issues. Exchange, SharePoint, SCCM, Hyper-V clusters, ADFS, yadda yadda, all the goodies in that environment, six DCs between three locations on that deployment. DCs were upgraded about a month and a half after the 2025 release. It's the environment I do a lot of work/hosting out of for my side consulting customers, so while not a scale environment, there's a good amount of active user accounts and services. $day_job's DCs are still on 2019 though moving to 2022.... but they're an F100 org and that's part of our 2019 decommissioning project, since 2025 isn't fully config/fleshed out yet, or that's where we'd be moving straight to (when we wipe a server platform out of the environment, we always go directly to the latest we have ready). Some 2019s will definitely, DCs included, go to 2025 though as it's almost ready to roll, but not enough to raise the DFL. A migratory environment being prepared is starting fresh off all 2025 on 2025 DFL.

TheJesusGuy@reddit

I'm at 2012R2 with Server 2019, fam.

zzxxzzxxzzxxzz@reddit

This is a great article that was published almost 15 years ago and I would say it still stands, to an even greater extent as there have been very few major changes to AD functional level since 2012 (?!). "Imagine that Active Directory is just a big room. You don't actually know what is in the room, but you do know that if you pass something into the room through a slot in the locked door you will get something returned to you that you could use. When you change the Domain or Forest Functional Level, what you can pass in through that slot does not change, and what is returned to you will continue to be what you expect to see. Perhaps some new slots added to the door through which you pass in different things, and get back different things, but that is the extent of any change." I wouldn't be wary of going to 2025 AD DS functional level per se, but from recent issues we and others have faced, I would be more worried about running production workloads on 2025 in general. I am sure they will figure it out eventually, I just hope eventually is sooner rather than later :) [https://techcommunity.microsoft.com/blog/askds/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/399348](https://techcommunity.microsoft.com/blog/askds/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/399348)

raip@reddit

There's some pretty big changes for the 2025 DFL.