The new VMware vSphere 6.7U1 release has a lot of improvements, but one has not been emphasized much: VMware vSphere 6.7 Update 1 finally supports the Microsoft Active Directory 2016 schema and the related functional level!
Many people forget that vCenter Server, vCenter Single Sign-On and the VMware Platform Services Controller have their own interoperability matrix with Active Directory versions, based on the Active Directory Domain Services (AD DS) domain functional level and not only on the Windows Server operating system on which Active Directory is running.
Note: this support concerns only AD authentication integration. Of course you can run AD 2016 domain controllers in VMs, but to use them as the authentication backend for vCenter you have to check this compatibility.
Forest and Domain Functional Levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest.
Note that functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
VMware KB 2071592 (Versions of Active Directory supported in vCenter Server) describes the compatibility matrix with the Domain Functional Level:
| vCenter Server Version (rows) / Domain Functional Level (columns) | Windows 2000 native | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 | Windows Server 2016 |
|---|---|---|---|---|---|---|---|
| 1.x | Yes | Yes | Yes | Yes | No | No | No |
| 2.x | Yes | Yes | Yes | Yes | No | No | No |
| 4.0 | Yes | Yes | Yes | Yes | No | No | No |
| 4.1 | Yes | Yes | Yes | Yes | No | No | No |
| 5.0 | Yes | Yes | Yes | Yes | Yes | No | No |
| 5.1 | No | Yes | Yes | Yes | Yes | Yes (starting with 5.1U3) | No |
| 5.5 | No | Yes | Yes | Yes | Yes | Yes (starting with 5.5U1) | No |
| 6.0 | No | Yes | Yes | Yes | Yes | Yes | No |
| 6.5 | No | No | Yes | Yes | Yes | Yes | No |
| 6.7 | No | No | Yes | Yes | Yes | Yes | Yes (starting with 6.7U1) |
The Forest Functional Level cannot be higher than the lowest Domain Functional Level, so it’s not specified in the table.
Before upgrading an Active Directory environment and changing its functional level, it’s very important to check this table; otherwise you end up with an unsupported environment, or you have to upgrade the vSphere environment.
Note that with the end of life of Windows 2003, Microsoft suggests that Windows 2003 domain controllers (DCs) be updated to Windows Server 2008, 2012 or 2016. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.
Updated notes (November 2018): VMware has updated the KB and added AD 2016 compatibility for vCenter 6.0 and 6.5 as well. As of vSphere 6.0 Update 3a and vSphere 6.5 Update 2d, this Active Directory Domain Functional Level is now supported.
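
The pre-upgrade check against the table can be scripted. The following PowerShell is an added example, not code from VMware or from the original post: it reads the functional level of every domain in the forest and reports whether the current level, and the level you plan to raise to, fall inside the supported range for your vCenter version. The parameter names and the `$matrix` encoding are assumptions made for the example; the ranges are transcribed from the table and the November 2018 note on this page, for vCenter 5.0 and later.

```powershell
# Added example: run on a domain-joined host with the RSAT ActiveDirectory module.
param(
    [Parameter(Mandatory)][string]$VCenterVersion,   # operator-supplied, e.g. '6.5'
    [string]$TargetLevel = 'Windows2016Domain'       # level you plan to raise to
)
Import-Module ActiveDirectory

# Functional levels in ascending order, using the ADDomainMode names Get-ADDomain returns.
$levels = 'Windows2000Domain','Windows2003Domain','Windows2008Domain','Windows2008R2Domain',
          'Windows2012Domain','Windows2012R2Domain','Windows2016Domain'

# Supported range (indexes into $levels) per vCenter version, transcribed from this page.
# TopNeeds = minimum update the page lists for the highest (Max) level, if any.
$matrix = @{
    '5.0' = @{ Min = 0; Max = 4; TopNeeds = $null }
    '5.1' = @{ Min = 1; Max = 5; TopNeeds = '5.1U3' }
    '5.5' = @{ Min = 1; Max = 5; TopNeeds = '5.5U1' }
    '6.0' = @{ Min = 1; Max = 6; TopNeeds = '6.0 Update 3a' }
    '6.5' = @{ Min = 2; Max = 6; TopNeeds = '6.5 Update 2d' }
    '6.7' = @{ Min = 2; Max = 6; TopNeeds = '6.7U1' }
}
$row = $matrix[$VCenterVersion]
if (-not $row) { throw "No matrix row transcribed for vCenter $VCenterVersion" }
$target = [array]::IndexOf($levels, $TargetLevel)
if ($target -lt 0) { throw "Unknown functional level: $TargetLevel" }

# Verdict for one level index; -1 (a level not in $levels, e.g. 2003 interim) yields 'No'.
function Test-Level([int]$i) {
    if ($i -lt $row.Min -or $i -gt $row.Max) { return 'No' }
    if ($i -eq $row.Max -and $row.TopNeeds) { return "Yes (starting with $($row.TopNeeds))" }
    'Yes'
}

# The forest level cannot exceed the lowest domain level, so every domain is checked.
$forest = Get-ADForest
foreach ($name in $forest.Domains) {
    $mode = (Get-ADDomain -Identity $name -Server $name).DomainMode.ToString()
    [pscustomobject]@{
        Domain       = $name
        ForestMode   = $forest.ForestMode
        CurrentLevel = $mode
        SupportedNow = Test-Level ([array]::IndexOf($levels, $mode))
        AfterRaise   = Test-Level $target
    }
}
```

Any row where `AfterRaise` is `No`, or names an update newer than the one installed, means vCenter has to be upgraded before the functional level is raised.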