Skip to main content

Minimum Forest Functional Level for AD Recycle Bin

By
In class, I discovered the hard way, that we not only need our Domain functional at Windows 2008 R2, but also the forest functional level to use the AD Recycle Bin.  In raising our 2003 forest function level to 2008, we gain no new functionality.  We do however gain the AD Recycle bin when raising our forest from 2008 to 2008 R2.  Below is a list of the features that are enable with each domain and forest level from Microsoft.

Domain Functional Levels

Windows 2000 native
All default Active Directory features and the following features:
  • Universal groups are enabled for both distribution groups and security groups.
  • Group nesting.
  • Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
  • Security identifier (SID) history.

Windows Server 2003
All default Active Directory features, all features from the Windows 2000 native domain functional level, and the following features:
  • The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
  • Update of the logon time stamp. The lastLogonTimestampattribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
  • The ability to set theuserPassword attribute as the effective password oninetOrgPerson and user objects.
  • The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the definition of a new well-known location for these accounts.
  • Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
  • Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
  • Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Windows Server 2008
All default Active Directory features, all features from the Windows Server 2003 domain functional level, and the following features:
  • Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
  • Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol.
  • Last Interactive Logon Information, which for a workstation that runs Windows Server 2008 or Windows Vista or later, displays the times of the last successful and failed logons, and the number of failed logon attempts since the last successful logon. For more information, see Active Directory Domain Services: Last Interactive Logon(http://go.microsoft.com/fwlink/?LinkId=180387).
  • Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Windows Server 2008 R2
          All default Active Directory features, all features from the Windows 2000 native, Windows Server 2003, and Windows Server 2008 functional levels, plus the following features:
          • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon, and the total number of failed logon attempts.
          • Automatic SPN management for services running on a particular machine under the context of a Managed Service Account when the name or DNS host name of the machine computer account changes.

          Forest Functional Levels
          Windows 2000
          All default Active Directory features.

          Windows Server 2003
          All default Active Directory features, and the following features:
          • Forest trust.
          • Domain rename.
          • Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
          • The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
          • Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
          • An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
          • The ability to create instances of the dynamic auxiliary class calleddynamicObject in a domain directory partition.
          • The ability to convert aninetOrgPerson object instance into a Userobject instance, and the reverse.
          • The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
          • Deactivation and redefinition of attributes and classes in the schema.

          Windows Server 2008
          All the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default.

          Windows Server 2008 R2
          All the features that are available at the Windows Server 2003 forest functional level, plus the following feature:
          • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while Active Directory Domain Services (AD DS) is running.
          All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.
          If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.




                    Labels:

                    Comments

                    Post a Comment

                    Popular posts from this blog

                    How to list all the AD LDS instances on a server

                    By
                    AD LDS allows you to provide directory services to applications that are free of the confines of Active Directory.  To list all the AD LDS instances on a server, follow this procedure: Log into the server in question Open a command prompt. Type dsdbutil and press Enter Type List Instances and press Enter . You will receive a list of the instance name, both the LDAP and SSL port numbers, the location of the database, and its status.
                    Post a Comment
                    Read more

                    How to run GPResult on a remote client with PowerShell

                    By
                    In the past, to run the GPResult command, you would need to either physically visit this client, have the user do it, or use and RDP connection.  In all cases, this will disrupt the user.  First, you need PowerShell remoting enabled on the target machine.  You can do this via Group Policy . Open PowerShell and type this command. Invoke-Command –ScriptBlock {GPResult /r} –ComputerName <ComputerName> Replace <ComputerName> with the name of the target.  Remember, the target needs to be online and accessible to you.
                    Post a Comment
                    Read more

                    Error icon when creating a GPO Preference drive map

                    By
                    You may not have an error at all.  Take a look at the drive mapping below. The red triangle is what threw us off.  It is not an error.  It is simply a color representation of the Replace option of the Action field in the properties of the drive mappings. Create action This give you a green triangle. The Create action creates a new mapped drive for users. Replace Action The Replace action gives you a red triangle.  This action will delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping. Update Action The Update action will have a yellow triangle. Update will modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the mapped drive. If the
                    1 comment
                    Read more