What Is Active Directory Domain Mode?
Domain Mode (also known as Domain Functional Level) defines which Windows Server features and directory behaviors are available within an Active Directory domain. It is determined by the oldest domain controller OS still present in the domain.
Key characteristics of Domain Mode:
It gates modern LDAP, replication, and directory APIs
It controls feature availability such as AD Recycle Bin, advanced group policies, and schema behaviors
It cannot exceed the OS version of the oldest domain controller
Supported and Observed Domain Modes
❌ Legacy / Limited Support
The following domain modes are considered legacy and may cause partial or inconsistent Active Directory Inspector results:
Windows 2008 R2 Domain Mode
Any domain mode tied to Windows Server 2012 or older domain controllers
Common symptoms in these environments include:
Incomplete or missing directory data
LDAP query failures
Group Policy or object resolution issues
Inspectors appearing to run successfully but returning limited results
⚠️ While some inspections may succeed at these levels, Liongard does not guarantee full or consistent functionality.
✅ Recommended / Reliable Support
Based on partner outcomes and internal testing, the recommended minimum domain mode is:
Windows Server 2012 Domain Mode or newer
Environments running at or above this level consistently show:
Reliable directory object enumeration
Proper resolution of users, groups, and computers
Stable inspection behavior across recurring runs
Relationship to Windows Server OS Support
As of June 1, 2024, Liongard ended support for Windows Server 2012 on agent versions 4.2.4 and newer, aligning with Microsoft’s OS deprecation lifecycle.
This means:
Domain controllers running Windows Server 2012 or earlier may no longer be compatible
Even if the Domain Mode is set higher, underlying unsupported OS versions can still cause failures
📌 Important: Domain Mode and Domain Controller OS versions must both meet modern support standards.
Why Upgrading Domain Mode Resolves Issues
Partners have repeatedly observed that upgrading Domain Mode resolves Active Directory Inspector issues because it:
Enables newer directory APIs expected by modern tooling
Removes legacy behaviors and deprecated attributes
Aligns directory services with current Microsoft support models
This explains why some environments begin functioning normally immediately after upgrading to 2012 or newer Domain Mode.
How to Check Domain Mode
You can verify Domain Mode in Liongard directly:
Navigate to Active Directory → System Details
Review the Domain Mode field under the Active Directory overview
Example:
Windows 2008 R2 Domain → Legacy / Limited Support
Windows 2012 Domain or newer → Recommended
Recommended Actions for Partners
If you are experiencing Active Directory Inspector issues:
Verify Domain Mode in Liongard
Confirm domain controller OS versions
If running 2008 R2 or older:
Plan to upgrade domain controllers
Raise Domain Mode to Windows Server 2012 or newer
Re-run the Active Directory Inspector after upgrades
If upgrades are not currently possible, be aware that:
Inspector results may be incomplete
Certain failures may be expected behavior
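The first two checks above (Domain Mode and domain controller OS versions) can also be run from PowerShell on a host with the ActiveDirectory RSAT module. This is an added example, not Liongard tooling; the legacy-mode list and the 6.2 OS version cutoff are assumptions chosen to mirror the thresholds stated in this article.

```powershell
# Added example: classify Domain Mode and DC OS versions against this article's guidance.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: modes below the article's recommended minimum
# (Windows Server 2012 Domain Mode) are treated as legacy.
$legacyModes = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain',
               'Windows2008Domain', 'Windows2008R2Domain'

$domain = Get-ADDomain
$modeStatus = if ($legacyModes -contains $domain.DomainMode.ToString()) {
    'Legacy / Limited Support'
} else {
    'Recommended'
}

[pscustomobject]@{
    Domain     = $domain.DNSRoot
    DomainMode = $domain.DomainMode
    Status     = $modeStatus
} | Format-List

# Assumption: "Windows Server 2012 or earlier" is read as OS version 6.2 or lower
# (6.1 = 2008 R2, 6.2 = 2012). 2012 R2 (6.3) is not flagged by this cutoff.
$cutoff = [version]'6.2'

Get-ADDomainController -Filter * | ForEach-Object {
    # OperatingSystemVersion looks like "6.3 (9600)"; keep only the major.minor part.
    $verText = ($_.OperatingSystemVersion -split ' ')[0]
    $ver = $null
    $parsed = [version]::TryParse($verText, [ref]$ver)

    $osStatus = if (-not $parsed) {
        'Unknown version'
    } elseif ($ver -le $cutoff) {
        'OS at or below Windows Server 2012'
    } else {
        'OK'
    }

    [pscustomobject]@{
        DomainController = $_.HostName
        OperatingSystem  = $_.OperatingSystem
        OSVersion        = $_.OperatingSystemVersion
        Status           = $osStatus
    }
} | Sort-Object OSVersion | Format-Table -AutoSize
```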
Summary
Liongard does not support a strict legacy compatibility matrix for Active Directory Domain Modes
Windows Server 2012 Domain Mode or newer is the recommended minimum
Legacy domain modes (e.g., 2008 R2) are a known contributor to AD Inspector issues
Upgrading Domain Mode frequently resolves inspection failures
This aligns with Microsoft OS deprecation timelines and Liongard agent support policies
For environment-specific guidance, contact Liongard Support.
