Server 2008 R2: Active Directory Functional Levels
MJP | Oct 06, 2009
Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article takes a look back at the different functional levels of the past and what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!).
Functional levels were first introduced when Active Directory made its appearance in Windows 2000 Server. They allowed you to run different versions of domain controllers in your environment, and when all the domain controllers were brought up to a certain version of Windows, you could raise the functional levels to gain the added features of that operating system version. Now that Windows 2008 R2 is released, it is unlikely that you will mass deploy this new operating system to your entire forest or domain. Instead, you’ll deploy a single domain controller and kick the tires, so to speak. The time will eventually come when you’ve upgraded every domain controller to R2, and at that point you can raise the functional level to 2008 R2 to take advantage of the new features.
Functional levels can be raised in domains or, as of Windows 2003 Server, in the forest, providing different features in each. They are differentiated by labeling them Domain Functional Level and Forest Functional Level.
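Before raising either level, every domain controller in scope has to be running the target operating system. The following script is an added example (it is not from the original article) that inventories the domain controllers, refuses to proceed if any are not on Windows Server 2008 R2, and otherwise raises the current domain and then the forest. It uses the Active Directory Module for Windows PowerShell cmdlets Get-ADDomain, Get-ADForest, Get-ADDomainController, Set-ADDomainMode and Set-ADForestMode; in a multi-domain forest, Set-ADDomainMode has to be run against each domain before the forest level can go up.

```powershell
# Added example, not code from the original article.
# Checks DC operating systems across the forest, then raises functional levels.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Current domain functional level: $($domain.DomainMode)"
"Current forest functional level: $($forest.ForestMode)"

# Get-ADDomainController only lists the DCs of the domain it is pointed at,
# so walk every domain in the forest explicitly.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object Name, Domain, OperatingSystem
}
$dcs | Format-Table -AutoSize

# Any DC not on 2008 R2 blocks the raise; list them and stop.
$laggards = $dcs | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
if ($laggards) {
    Write-Warning 'Not ready: these DCs are not on Windows Server 2008 R2:'
    $laggards | Format-Table -AutoSize
    return
}

# Domain level first (repeat per domain in a multi-domain forest), then forest.
# -Confirm prompts before each change; treat the raise as a one-way operation.
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm
Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm
```

Run it from an account that is a member of Domain Admins (for the domain raise) and Enterprise Admins (for the forest raise); the cmdlets fail with an access-denied error otherwise.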
What’s new in 2008 R2
Domain Functional Level
Two features are added when the domain functional level is raised to 2008 R2: Authentication Mechanism Assurance and Automatic SPN Management.
Authentication mechanism assurance is meant for domains that use federation services (ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. It adds information about the authentication method used to the user’s Kerberos token, which lets administrators vary group membership according to how the user authenticated. For example, a user can be granted access to different resources when logging on with a certificate than when logging on with only a username and password.
Automatic SPN management provides a method for managing service accounts for applications such as Exchange, SQL Server and IIS. In the past, regular domain accounts were used for these purposes, adding management headaches in terms of password management and service principal names (SPNs). This new feature provides the following benefits:
- A class of domain accounts can be used to manage and maintain services on local computers.
- Passwords for these accounts will be reset automatically.
- Administrators do not have to complete complex SPN management tasks to use managed service accounts.
- Administrative tasks for managed service accounts can be delegated to non-administrators.
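The following is an added example (not code from the original article) of the managed service account workflow the list above describes: create the account in the directory, bind it to the one computer that may use it, install it on that computer, and verify that the password is now rotated by the system rather than by a person. The account name svc-web01, the host WEB01 and the domain mydomain.com are placeholders. It targets the 2008 R2 cmdlets; on Windows Server 2012 and later, New-ADServiceAccount creates a group MSA by default, so add -RestrictToSingleComputer there to get the standalone account shown here.

```powershell
# Added example, not code from the original article.
# Standalone managed service account (MSA) lifecycle on Windows Server 2008 R2.
Import-Module ActiveDirectory

# 1. Create the MSA. Run on a DC or an admin workstation with the AD module.
New-ADServiceAccount -Name 'svc-web01' `
    -Path 'CN=Managed Service Accounts,DC=mydomain,DC=com' `
    -Enabled $true

# 2. Bind the account to the single host allowed to use it. R2-era MSAs are
#    tied to exactly one computer; no other machine can retrieve the password.
Add-ADComputerServiceAccount -Identity 'WEB01' -ServiceAccount 'svc-web01'

# 3. On WEB01 itself, install the account so the local security authority can
#    fetch the password and rotate it on the same schedule as a computer account.
Install-ADServiceAccount -Identity 'svc-web01'

# 4. Verify: the account is enabled, linked to WEB01, and has a password set
#    (PasswordLastSet is populated by the system, never by an administrator).
Get-ADServiceAccount -Identity 'svc-web01' -Properties HostComputers, PasswordLastSet |
    Select-Object Name, Enabled, HostComputers, PasswordLastSet
```

When configuring the Windows service itself, the logon account is entered as mydomain\svc-web01$ with an empty password field; the operating system supplies the credential. Because the password is never known to a human, it cannot be reused, written down, or left unchanged for years, which is the main security gain over a regular domain account.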
Forest Functional Level
There is one new feature gained by raising the forest functional level to Server 2008 R2, and it is long overdue: the Active Directory Recycle Bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU full of user or computer objects (this has happened more often than you would think), there would be a scramble to perform a restore. The deletion replicates to all domain controllers, so an authoritative restore from a good backup, performed with ntdsutil in Directory Services Restore Mode, would be in order. At the 2008 R2 forest functional level, a PowerShell cmdlet undoes the deletion instantly.
Note that this feature is not enabled automatically when you raise the forest functional level. You must also run the following command in the Active Directory Module for Windows PowerShell:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' -Scope ForestOrConfigurationSet -Target 'mydomain.com'
Functional levels of previous versions
The following are the previous functional levels and the features each added, as documented on TechNet.
Domain Functional Levels:
Windows 2000 Native:
- Universal groups are enabled for both distribution groups and security groups.
- Group nesting.
- Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
- Security identifier (SID) history.
Windows Server 2003:
- The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
- Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
- The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
- The ability to redirect the Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts, namely cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes it possible to define a new well-known location for these accounts.
- Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
- Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
- Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
Windows Server 2008:
- Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
- Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos authentication protocol.
- Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
- Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.
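As an added example (not from the original article) of the fine-grained password policy feature in the last bullet: the script creates a password settings object stricter than the domain default, applies it to a global security group of privileged accounts, and then checks which policy actually wins for one user. The policy name PSO-Admins, the group Tier0-Admins and the user jdoe are placeholders, and the limits chosen are illustrative rather than a recommendation.

```powershell
# Added example, not code from the original article.
# Fine-grained password policy (requires Windows Server 2008 domain functional level).
Import-Module ActiveDirectory

# Lower Precedence wins when more than one PSO applies to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# PSOs can only be applied to users and global security groups, so the
# target here is a global group rather than an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Tier0-Admins'

# Resultant policy for one account: shows which PSO (if any) overrides the
# domain default. An empty result means the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Because a PSO attached to a group is inherited by every member, auditing membership of the subject group is as important as auditing the PSO itself: adding an account to Tier0-Admins silently changes its password rules.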
Forest Functional Levels:
Windows 2000:
Windows 2000 had no forest functional levels, only domain functional levels.
Windows Server 2003:
- Forest trust.
- Domain rename.
- Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
- The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
- Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG than the one used at the Windows 2000 forest functional level.
- An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
- The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
- The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
- The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
- Deactivation and redefinition of attributes and classes in the schema.
Windows Server 2008:
No forest functional level changes occurred from Windows 2003 to Windows 2008.
Source: Server 2008 R2: Active Directory Functional Levels : Praetorian Prefect