Learn how to use Functional Level In Windows Server


A functional level is a set of operation constraints that determine the functions that can be performed by an Active Directory domain or forest. A functional level defines:

  • Which Active Directory Domain Services (AD DS) capabilities are available to the domain or forest.
  • Which Windows Server operating systems can be run on domain controllers in the domain or forest. Functional levels do not affect which operating systems you can run on workstations and servers that are joined to the domain or forest.

The following table shows the features that are available at each domain functional level:

Domain functional level: Windows 2000 native
  Supported domain controller operating systems: Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
  Features available at this level:
  • Universal groups are available for security and distribution groups.
  • Group nesting.
  • Group converting (allows conversion between security and distribution groups).
  • Security Identifier (SID) history, allowing security principals to be migrated among domains while maintaining permissions and group memberships.

Domain functional level: Windows Server 2003
  Supported domain controller operating systems: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
  Includes all of the features available at Windows 2000 native, and adds:
  • Domain controller rename.
  • Update logon time stamp: the lastLogonTimestamp attribute is updated and replicated, so the last logon of an account can be checked on any domain controller instead of on each one separately.
  • User password on the InetOrgPerson object.
  • User and computer container redirect. The redirect feature allows the definition of a new, well-known location for the two default containers (cn=Computers,<domain root> and cn=Users,<domain root>) which are provided for housing computer and user accounts.
  • Authorization Manager can store its authorization policies in AD DS.
  • Constrained delegation, which allows applications to take advantage of the secure delegation of user credentials using Kerberos-based authentication.
  • Selective authentication, which allows you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Domain functional level: Windows Server 2008
  Supported domain controller operating systems: Windows Server 2008, Windows Server 2008 R2
  Includes all of the features available at Windows Server 2003, and adds:
  • Distributed File System (DFS) Replication support for the System Volume (SYSVOL), so SYSVOL can be replicated with DFS Replication instead of the File Replication Service (FRS).
  • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol.
  • Last Interactive Logon Information, which includes:
    • The time of the last successful interactive logon for a user.
    • The name of the workstation from which the user logged on.
    • The number of failed logon attempts since the last logon.
  • Fine-grained password policies, which allow you to specify password and account lockout policies for users and global security groups in a domain, rather than a single policy for the whole domain.

Domain functional level: Windows Server 2008 R2
  Supported domain controller operating systems: Windows Server 2008 R2
  Includes all previous features, and adds:
  • Authentication mechanism assurance (AMA), allowing you to control access to network resources based on the type of certificate used during logon. For example, you can allow more access when users log on using a smart card.
  • Automatic service principal name (SPN) management when using managed service accounts and virtual accounts.
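Fine-grained password policies are the Windows Server 2008 domain-level feature that matters most from a security standpoint, because they let privileged accounts carry a stricter password and lockout policy than the domain default. The PowerShell below is an added example, not code from the original page: it checks that the domain functional level is high enough, creates a Password Settings Object (PSO), applies it to a global security group and verifies the resulting policy for one member. The ActiveDirectory module (RSAT), the group name Tier0-Admins, the user alice and the policy values are assumptions.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module (RSAT) and Domain Admins rights; "Tier0-Admins", "alice" and the
# policy values below are assumptions chosen for illustration.
Import-Module ActiveDirectory

# A PSO is only honoured once the domain functional level is Windows Server
# 2008 or higher, so refuse to continue below that level. ADDomainMode is an
# enum whose values are ordered by release, so -lt compares levels correctly.
$domain  = Get-ADDomain
$minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $minimum) {
    throw "Domain functional level is $($domain.DomainMode); fine-grained password policies need Windows2008Domain or higher."
}

# A stricter policy for a privileged group: longer passwords, a larger history,
# a tighter lockout, and a low precedence number so this PSO wins if another
# PSO also applies to the same users.
$pso = New-ADFineGrainedPasswordPolicy -Name "Tier0-Admins-PSO" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "60.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutObservationWindow "00:30:00" `
    -LockoutDuration "00:30:00" `
    -ReversibleEncryptionEnabled $false `
    -PassThru

# PSOs can be applied to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects "Tier0-Admins"

# Resolve the effective policy for one member to confirm the PSO took precedence
# over the default domain policy (and over any other PSO with a higher number).
Get-ADUserResultantPasswordPolicy -Identity "alice" |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

If Get-ADUserResultantPasswordPolicy returns nothing for the user, the default domain password policy applies; that is the expected result before the group membership replicates, or if the user is not a member of the group.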

The following table shows the features that are available at each forest functional level:

Forest functional level: Windows 2000
  Supported domain controller operating systems: Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
  Features available at this level:
  • Global catalog replication improvements, available only if both replication partners are running Windows Server 2003 or later.

Forest functional level: Windows Server 2003
  Supported domain controller operating systems: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
  Features available at this level:
  • Global catalog replication improvements.
  • Defunct schema objects.
  • Forest trusts.
  • Linked value replication, which allows you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Linked value replication:
    • Uses less network bandwidth and fewer processor cycles during replication.
    • Prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
  • Read-only domain controller (RODC) deployment capability.
  • Domain rename.
  • Improved Knowledge Consistency Checker (KCC).
  • Improved AD replication algorithms.
  • Dynamic auxiliary classes.
  • InetOrgPerson objectClass change.
  • The ability to create instances of new group types to support role-based authorization.
  • Deactivation and redefinition of classes and attributes in the schema.

Forest functional level: Windows Server 2008
  Supported domain controller operating systems: Windows Server 2008, Windows Server 2008 R2
  No additional features are added at this level; it includes all of the features that are available at Windows Server 2003.

Forest functional level: Windows Server 2008 R2
  Supported domain controller operating systems: Windows Server 2008 R2
  Includes all of the features that are available at Windows Server 2003, and adds:
  • Active Directory Recycle Bin, which allows for easy recovery of deleted Active Directory objects (without the Recycle Bin, you must restore deleted objects from a backup).

Note: Windows Server 2003 and Windows 2000 Server domain controllers support additional domain and forest functional levels (Windows 2000 mixed and Windows Server 2003 interim). These levels are provided mainly for backwards compatibility with Windows NT 4.0 domains and to prepare for migration from NT 4.0 domains. The domain functional level must be at least Windows 2000 native, and the forest functional level at least Windows 2000, before you can install a Windows Server 2008 or Windows Server 2008 R2 domain controller.

Functional Level Management

You should know the following about functional level management:

  • To allow you to use as many Active Directory Domain Services (AD DS) features as possible, you should set the domain and forest functional levels to the highest value that your environment can support when you deploy AD DS. For example:
    • Select the Windows Server 2008 R2 functional level to use all the features that are available in AD DS, including Active Directory Recycle Bin, Authentication mechanism assurance (AMA), and Automatic service principal name (SPN) management.
    • Select the Windows Server 2008 functional level if you might retain or add domain controllers that run Windows Server 2008.
    • Select the Windows Server 2003 functional level if you might retain or add domain controllers that run Windows Server 2003.
    • Select the Windows 2000 native functional level if you might retain or add domain controllers that run Windows 2000 Server.

    Note: AD DS sets the functional levels by default when you deploy the first Windows Server 2008 R2 domain controller in your forest root domain.

  • In most cases, you cannot reverse the operation of raising the functional level. If you have to revert to a lower functional level, you must rebuild the domain or forest, or restore it from a backup. There are two exceptions:
    • If you raise the domain functional level to Windows Server 2008 R2, and if the forest level is at Windows Server 2008 (or lower), you can roll back the domain functional level to Windows Server 2008 (but not to any lower functional level).
    • If you raise the forest functional level to Windows Server 2008 R2, and if you have not yet enabled the Active Directory Recycle Bin, you can roll back the forest functional level to Windows Server 2008 (but not lower). Once you enable the Active Directory Recycle Bin, you can no longer roll back the forest functional level.

    Note: The graphical tools (Active Directory Users and Computers, Active Directory Domains and Trusts) only raise functional levels. To roll back the domain functional level from Windows Server 2008 R2 to Windows Server 2008, use the Set-ADDomainMode PowerShell cmdlet; to roll back the forest functional level, use Set-ADForestMode. Roll back the forest level before the domain level, because the domain functional level cannot be lower than the forest functional level.

The following guidelines apply to raising the domain or forest functional levels:

Domain functional level
  Use Active Directory Users and Computers or Active Directory Domains and Trusts to raise the domain functional level.
  • You must be a member of the Domain Admins group to raise the domain functional level.
  • The domain functional level can only be raised on the Primary Domain Controller (PDC) emulator operations master. The AD DS administrative tools which are used to raise the domain functional level, such as the Active Directory Domains and Trusts snap-in and the Active Directory Users and Computers snap-in, automatically target the PDC emulator when the domain functional level is raised.
  • The functional level of a domain can only be raised if all domain controllers in the domain run a version of the Windows Server operating system that is supported by the new functional level. For example, before you raise the domain functional level to Windows Server 2008, you must upgrade all domain controllers in that domain to Windows Server 2008 or Windows Server 2008 R2.
  • To use the Windows Server 2008 or Windows Server 2008 R2 domain-level features without upgrading your entire Windows 2000 forest to Windows Server 2008, raise only the domain functional level to Windows Server 2008 or Windows Server 2008 R2; the forest functional level and the other domains in the forest can stay where they are.
  • It is not possible to set the domain functional level to a value that is lower than the forest functional level.
  • The Windows 2000 native and Windows Server 2003 domain functional level values are not available on the Set domain functional level page of the Windows Server 2008 Active Directory Domain Services Installation Wizard.

Forest functional level
  Use Active Directory Domains and Trusts to raise the forest functional level.
  • You must be a member of the Enterprise Admins group to raise the forest functional level.
  • The forest functional level can only be raised on the schema operations master. The Active Directory Domains and Trusts snap-in automatically targets the schema operations master when the forest functional level is raised.
  • The functional level of a forest can only be raised if all domain controllers in the forest run a version of the Windows Server operating system that is supported by the new functional level.
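The checks and raises described above, carried out from PowerShell, as an added example that is not part of the original page. It reports the current levels and role holders, lists every domain controller whose operating system would block a raise to Windows Server 2008 R2, raises the domain level on the PDC emulator and the forest level on the schema master, and shows the one supported rollback together with its Recycle Bin precondition. It assumes the ActiveDirectory module (RSAT), Domain Admins rights for the domain level and Enterprise Admins rights for the forest level, a target of Windows Server 2008 R2, and that each domain controller object's OperatingSystem attribute carries the usual product name; the function names and the regular expression are assumptions.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module (RSAT), Domain Admins rights (domain level) and Enterprise Admins
# rights (forest level). A target of Windows Server 2008 R2 is assumed.
Import-Module ActiveDirectory

# Operating systems that a Windows Server 2008 R2 functional level does not
# support on a domain controller: Windows 2000 Server, Windows Server 2003 and
# Windows Server 2008 (not R2). The pattern is an assumption written against
# the product names normally found in the OperatingSystem attribute.
$unsupportedOsPattern = '^Windows (2000 Server|Server 2003|Server 2008(?! R2))'

function Show-FunctionalLevels {
    # Current levels plus the two role holders the raise is performed on.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    "Domain {0}: {1} (PDC emulator: {2})" -f $domain.DNSRoot, $domain.DomainMode, $domain.PDCEmulator
    "Forest {0}: {1} (schema master: {2})" -f $forest.Name, $forest.ForestMode, $forest.SchemaMaster
}

function Get-FunctionalLevelBlockers {
    # Domain controllers that must be upgraded or demoted before the raise.
    # Without -Domain every domain in the forest is checked (forest-level
    # raise); with -Domain only that domain is checked (domain-level raise).
    param([string]$Domain)
    $domains = if ($Domain) { @($Domain) } else { (Get-ADForest).Domains }
    $domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Where-Object { $_.OperatingSystem -match $unsupportedOsPattern } |
        Select-Object HostName, Domain, OperatingSystem
}

function Invoke-FunctionalLevelRaise {
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $blockers = Get-FunctionalLevelBlockers
    if ($blockers) {
        $blockers | Format-Table -AutoSize | Out-String | Write-Warning
        throw "Upgrade or demote the listed domain controllers before raising the functional level."
    }
    # Domain level first (it may never be lower than the forest level), targeting
    # the PDC emulator explicitly; then the forest level on the schema master.
    # Both cmdlets prompt for confirmation because the change is normally irreversible.
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Server $domain.PDCEmulator
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Server $forest.SchemaMaster
}

function Invoke-FunctionalLevelRollback {
    # The only supported downgrade: Windows Server 2008 R2 back to Windows
    # Server 2008, and only while the Recycle Bin has never been enabled.
    # The graphical tools cannot lower a level, so this is PowerShell-only.
    $domain     = Get-ADDomain
    $forest     = Get-ADForest
    $recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if (@($recycleBin.EnabledScopes).Count -gt 0) {
        throw "Recycle Bin is enabled ($($recycleBin.EnabledScopes -join ', ')); the forest functional level can no longer be rolled back."
    }
    # Forest first: the domain level cannot be rolled back while the forest
    # level is still at Windows Server 2008 R2.
    Set-ADForestMode -Identity $forest -ForestMode Windows2008Forest -Server $forest.SchemaMaster
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008Domain -Server $domain.PDCEmulator
}

# Read-only steps; run these and review the output before calling the raise.
Show-FunctionalLevels
Get-FunctionalLevelBlockers | Format-Table -AutoSize
```

Call Invoke-FunctionalLevelRaise only when Get-FunctionalLevelBlockers returns nothing, and treat Invoke-FunctionalLevelRollback as a one-time escape hatch: it stops working the moment Enable-ADOptionalFeature turns on the Recycle Bin, after which the only way back is a forest rebuild or a restore from backup.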

The following circumstances might prevent you from raising the functional level to Windows Server 2008 or Windows Server 2008 R2:

  • Domain controllers that don't run the necessary operating system version
  • Insufficient hardware
  • A domain controller running an antivirus program that is incompatible with Windows Server 2008 or Windows Server 2008 R2
  • Use of a version-specific program that does not run on Windows Server 2008 or Windows Server 2008 R2
  • The need to upgrade a program with the latest service pack