Domain and Forest functional level

Windows Server 2008 tutorial

When planning an upgrade of your domain functional level you will need to take several factors into consideration. Raising a functional level is a simple and fast operation, but its implications are larger because many aspects of your network may be affected. Note that each functional level adds features and options, so all of them need to be weighed. Another important point to remember is that, although the upgrade is quick and easy, you cannot downgrade your domain or forest functional level afterwards (short of restoring from backup, system restore, or uninstalling and reinstalling). You will need to understand the relationships between each domain and forest and what the result will be once you have moved to a higher functional level. All of these questions must be answered before the actual upgrade, which is why in this article I will try to cover most of these aspects.

Windows Server 2008 offers several domain functional levels, and each one has different features enabled by default:

Windows 2000 native
   – Allows all group nesting and conversion
   – Distribution and Security groups
   – Active Directory features
   – Lets you keep a history of the allocated SIDs (Security Identifiers)

Windows Server 2003
   – All features available in Windows 2000 native
   – Constrained delegation
   – Redirect the Users and Computers containers to other containers
   – Selective authentication
   – Last logon timestamp
   – You can set the userPassword attribute as the effective password on inetOrgPerson and user objects
   – netdom tool used to manage domains
   – Active Directory features

Windows Server 2008
   – Active Directory features
   – All features available in Windows Server 2003
   – The Kerberos authentication protocol has been upgraded to support AES 128 and 256 (Advanced Encryption Standard)
   – SYSVOL can be replicated using DFS (Distributed File System)
   – Selective authentication, meaning that the last failed logon, the last successful logon and the total number of failed logons are recorded
   – Fine-grained password policies
For each of these functional levels you will need to know what kind of Domain Controllers (DCs) they support. The following table lists the functional levels and the supported DCs:

Domain Functional Level    Supported Domain Controllers
Windows 2000 native        Windows Server 2000, Windows Server 2003, Windows Server 2008
Windows Server 2003        Windows Server 2003, Windows Server 2008
Windows Server 2008        Windows Server 2008
Forest functional levels are similar in terms of supported Domain Controllers, except that the Windows 2000 forest functional level also supports Windows NT 4.0 DCs. Raising your organization's forest functional level offers different features from which you can benefit, which is why you should study those features carefully before planning an upgrade.

Windows 2000 – support for all default Active Directory features. Within this forest your Domain Controllers can run any of the following versions: Windows NT, 2000, 2003 and 2008.

Windows 2003 and 2008 offer the same features. Remember that you cannot upgrade your domain functional level to Windows Server 2008 until all Domain Controllers within your network run this version. Some of the features added in Windows Server 2008 are:
   – Support for all default Active Directory features
   – Support for Read Only Domain Controllers (RODC)
   – Forest trusts
   – Linked-value replication
   – You can rename domains
   – You can create application basic groups and LDAP query groups
   – Conversion between inetOrgPerson objects and User objects can be made
   – Improved KCC (Knowledge Consistency Checker) and scalability
   – You can redefine and deactivate attributes and classes in the schema
   – Ability to create instances of the dynamic auxiliary class named dynamicObject
For a list of all features supported by each forest level, take a look at this article from Microsoft’s website.
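The two constraints the article keeps returning to, that every Domain Controller must already run the target version before a level is raised and that a level cannot be lowered afterwards, are worth verifying with a script before anyone clicks "Raise". The following PowerShell is an added example written for this page, not code from the original article or from Microsoft. It assumes the ActiveDirectory module is available (it ships with Windows Server 2008 R2 and later and with RSAT, not with Windows Server 2008 RTM), that the account can read every domain in the forest, and that the target levels in the two variables at the top are the ones you intend; edit them to match your plan. It reports the current domain and forest levels, lists every DC in the forest whose OS is too old for the target, and only then shows the raise command in -WhatIf mode.

```powershell
# Added example (not from the original article): pre-upgrade check before
# raising a domain or forest functional level. Assumes the ActiveDirectory
# module is installed (Windows Server 2008 R2+ / RSAT) and the current user
# can query every domain in the forest.
Import-Module ActiveDirectory

# Intended target levels (assumptions; change to your plan). These are the enum
# values accepted by Set-ADDomainMode / Set-ADForestMode for Windows Server 2008.
$TargetDomainMode = 'Windows2008Domain'
$TargetForestMode = 'Windows2008Forest'

# Per the article's table, a Windows Server 2008 level supports only Windows
# Server 2008 DCs. Kernel versions: 5.0 = Windows 2000, 5.2 = Windows Server 2003,
# 6.0 = Windows Server 2008 (OperatingSystemVersion is reported like "6.0 (6002)").
$MinimumOsVersion = [Version]'6.0'

$forest = Get-ADForest
Write-Host "Forest            : $($forest.Name)"
Write-Host "Forest level      : $($forest.ForestMode)"

# Collect every DC in every domain of the forest, since the forest level cannot
# be raised while any domain still hosts a DC below the required version.
$blockers = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host "Domain $domainName level : $($domain.DomainMode)"

    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # Take the leading "major.minor" part of the version string.
        $osVersion = [Version](($dc.OperatingSystemVersion -split ' ')[0])
        if ($osVersion -lt $MinimumOsVersion) {
            [PSCustomObject]@{
                Domain  = $domainName
                Name    = $dc.HostName
                OS      = $dc.OperatingSystem
                Version = $osVersion
            }
        }
    }
}

if ($blockers) {
    Write-Warning "These domain controllers must be upgraded or demoted before raising to $TargetDomainMode / $TargetForestMode :"
    $blockers | Format-Table -AutoSize
    return
}

# No blockers found. Because a functional level cannot be lowered again, the
# raise is only previewed here; remove -WhatIf (and keep -Confirm) to apply.
Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode $TargetDomainMode -WhatIf
Set-ADForestMode -Identity $forest -ForestMode $TargetForestMode -WhatIf
```

Run it from a workstation or DC that has the module loaded and compare its output against the tables above; a DC that appears in the blocker list is exactly the case the article warns about, where the raise would be refused or, worse, where a forgotten DC would be left unable to replicate.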
In conclusion, you will need to take into consideration all factors that are part of upgrading both domain and forest functional levels. Remember that each functional level adds features that can improve your network's performance and security, so plan your upgrade wisely. Another important aspect to remember is that you cannot downgrade a domain or forest functional level, so an upgrade can also impact your network negatively. For any questions regarding this topic, post a comment in our dedicated section. Wish you all the best and enjoy your day!
