Domain Functional Levels
Windows 2000 native
All default Active Directory features and the following features:
- Universal groups are enabled for both distribution groups and security groups.
- Group nesting.
- Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
- Security identifier (SID) history.
Windows Server 2003
All default Active Directory features, all features from the Windows 2000 native domain functional level, and the following features:
- The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
- Update of the logon time stamp. The lastLogonTimestampattribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
- The ability to set theuserPassword attribute as the effective password oninetOrgPerson and user objects.
- The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the definition of a new well-known location for these accounts.
- Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
- Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
- Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
Windows Server 2008
All default Active Directory features, all features from the Windows Server 2003 domain functional level, and the following features:
- Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
- Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol.
- Last Interactive Logon Information, which for a workstation that runs Windows Server 2008 or Windows Vista or later, displays the times of the last successful and failed logons, and the number of failed logon attempts since the last successful logon. For more information, see Active Directory Domain Services: Last Interactive Logon(http://go.microsoft.com/fwlink/?LinkId=180387).
- Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.
Windows Server 2008 R2
- Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon, and the total number of failed logon attempts.
- Automatic SPN management for services running on a particular machine under the context of a Managed Service Account when the name or DNS host name of the machine computer account changes.
Forest Functional Levels
All default Active Directory features.
Windows Server 2003
All default Active Directory features, and the following features:
- Forest trust.
- Domain rename.
- Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
- The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
- Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
- An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
- The ability to create instances of the dynamic auxiliary class calleddynamicObject in a domain directory partition.
- The ability to convert aninetOrgPerson object instance into a Userobject instance, and the reverse.
- The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
- Deactivation and redefinition of attributes and classes in the schema.
Windows Server 2008
All the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default.
Windows Server 2008 R2
All the features that are available at the Windows Server 2003 forest functional level, plus the following feature:
- Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while Active Directory Domain Services (AD DS) is running.
If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.