Overview#

In Microsoft Active Directory, Domain Controllers can run different versions of the Windows Server operating system. The Active Directory Functional Levels of an AD DOMAIN or AD Forest depend on which versions of Windows Server are running on the Domain Controllers in that AD DOMAIN or AD Forest. The Active Directory Functional Levels of an AD DOMAIN or AD Forest control which advanced features are available in the AD DOMAIN or AD Forest.
Two Types of Functional Levels#
|Type of Functional Level||Description|
|Domain functional levels||Domain functional levels enable features that affect the entire domain and that domain only. They also control which Windows Server operating systems can be run on domain controllers in the domain.|
|Forest functional levels||Forest functional levels enable features across all domains within a forest. They also control which Windows Server operating systems can be run on domain controllers in all domains in the forest.|
Active Directory Functional Level Dependencies#

Active Directory domain and forest functionality has the following dependencies:
- After all domain controllers are running an appropriate version of Windows Server, the AD DOMAIN or AD Forest must be configured to support the appropriate domain or forest functional level. That is, to provide support in a domain or forest for advanced Active Directory features, an administrator must raise the domain functional level or forest functional level, which can only be done if the domain controllers are each running the appropriate version of Windows Server.
- After the domain functional level is raised, domain controllers running earlier versions of Windows Server cannot be introduced into the domain. After the forest functional level is raised, domain controllers running earlier versions of Windows Server cannot be introduced into the forest.
Internal Representation of Functional Levels#

These values are displayed from LDAP at the RootDSE on a Domain Controller. The query below reads them with a base-scope search of the empty DN (the RootDSE); the -D option expects the DN of the account to bind as, and -W prompts for that account's password:

ldapsearch -h xxx.xxx.xxx.xxx -b "" -s base -D DC=MAD,DC=willeke,DC=com -W "(objectclass=*)" forestFunctionality domainFunctionality domainControllerFunctionality
|Domain Functional Levels (domainFunctionality)||Forest Functional Levels (forestFunctionality)|
|0 - Windows 2000 mixed||0 - Windows 2000|
|0 - Windows 2000 native||0 - Windows 2000|
|1 - Windows Server 2003 interim||1 - Windows Server 2003 interim|
|2 - Windows Server 2003||2 - Windows Server 2003|
|3 - Windows Server 2008||3 - Windows Server 2008|
|4 - Windows Server 2008 R2||4 - Windows Server 2008 R2|
|AD-Related Windows Server 2008 feature||Description||Requirements|
|RODC||A DC that doesn’t replicate changes to other DCs, doesn’t store any passwords by default, and doesn’t allow changes to its local AD database.||Forest functional level (FFL) 2 (Windows Server 2003) and the domain PDC operations master running at least Windows 2003 SP2. (The PDC Operations Master, an FSMO role, must run on either Server 2008 or Windows 2003 SP2 for the promotion of a new read-only DC.)|
|Administrator role separation||Allows granting users who aren’t domain administrators the local administrator role on a specific RODC.||DC’s OS must be Server 2008. Only works for RODCs, not for writable DCs.|
|Restartable AD DS||AD Domain Services can be stopped while the DC is running, without the need to boot the server into Directory Services (DS) Restore Mode. This allows performing an offline defragmentation of the AD database without rebooting the server, for example. It doesn’t allow you to restore the AD database.||DC’s OS must be Server 2008.|
|DNS enhancements||There are various small DNS enhancements: read-only zone for RODC; background zone loading (Instant On); GlobalNames zone for single-label names (WINS replacement); new find-next-closest-site locator; multicast DNS (Link-Local Multicast Name Resolution); UI now allows storing conditional forwarders in AD; client periodic renewal of its association with a DC; owner access restrictions.||DC’s OS must be Server 2008.|
|Owner access restrictions||Ability to configure the permissions granted to a user (the owner) at creation time of new objects. Allows various enhancements for delegating rights in AD.||DC’s OS must be Server 2008.|
|Auditing enhancements||Object auditing in AD now records last value and new value when auditing write activities on objects.||DC’s OS must be Server 2008.|
|Updates to Ntdsutil||Various updates, including allowing creation of Install from media files directly from an existing operational AD instance; creation of AD snapshots, and mounting the snapshots for offline access.||DC’s OS must be Server 2008.|
|AD data mining tool (DSAmain.exe)||Allows browsing offline AD versions (snapshots) via LDAP; very useful for recovery of data in AD.||DC’s OS must be Server 2008.|
|Fine-grained password policies||Option to allow applying different password policies for users in the same domain.||Domain functional level (DFL) 3 (Server 2008).|
|Support for DFS replication for SYSVOL||The new DFS Replication engine (aka FRS version 2) available for SYSVOL replication.||DFL3 (Server 2008).|
|Domain-based DFS scalability and security enhancements||Domain-based DFS roots will be able to host more than 5000 links (no hard upper limit) and are supported with Access-based Enumeration to hide DFS links that users don’t have access to.||DFL3 (Server 2008).|
|AES-256 support for Kerberos protocol||The key length for the Advanced Encryption Standard (AES) for data encryption in the Kerberos protocol is increased from 128 to 256 bits.||DFL3 (Server 2008).|
|Group Policy enhancements||The combination of Server 2008 and Windows Vista will allow various new Group Policy Object (GPO) settings such as lockdown of USB ports and other peripheral devices by inclusion of Policy Maker in Server 2008. Many new features in Server 2008 have added further settings that can be controlled via GPO.||Most GPO enhancements are applicable only to Server|
|Microsoft Management Console (MMC) snap-In for AD UI enhancements||Various little enhancements will make life easier for you, such as the ability to search for DCs in the MMC AD Sites and Services snap-in, the addition of an attribute editor in the MMC’s AD Users and Computers snap-in, or a check box to protect objects from accidental deletion.||No specific DC requirements (need to run Server 2008)|
LDAP Determination#

Functional Levels are stored in the RootDSE of each server:
- AD DOMAIN Functional Levels -- domainFunctionality
- AD Forest Functional Levels -- forestFunctionality
- Domain Controller Functionality -- domainControllerFunctionality
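An added example (not code from the original page) that parses the LDIF printed by the RootDSE query above and applies the two tables and the dependency rules on this page: it maps the three level values to Windows Server versions, lists which level-gated features from the feature table the levels permit, and checks whether a DC of a given OS level may still be introduced. The sample LDIF is constructed, and the function names are my own.

```python
import re

# Level values as exposed in RootDSE (the table on this page covers 0..4).
LEVEL_NAMES = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
}

# Features from the page's table that depend on a domain (DFL) or forest (FFL)
# functional level, with the minimum level value each one requires.
FEATURE_REQUIREMENTS = {
    "Read-only domain controller": ("forestFunctionality", 2),
    "Fine-grained password policies": ("domainFunctionality", 3),
    "DFS Replication for SYSVOL": ("domainFunctionality", 3),
    "AES-256 Kerberos keys": ("domainFunctionality", 3),
}

# Constructed sample of the LDIF that the ldapsearch RootDSE query prints.
SAMPLE_ROOTDSE_LDIF = """\
dn:
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 3
"""

def parse_functional_levels(ldif_text):
    """Return {attribute: int} for the *Functionality attributes in the LDIF."""
    pairs = re.findall(r"^(\w+Functionality):\s*(\d+)\s*$", ldif_text, re.M)
    return {attr: int(value) for attr, value in pairs}

def describe_levels(levels):
    """Map each level value to the Windows Server version it corresponds to."""
    return {a: LEVEL_NAMES.get(v, "unknown level %d" % v) for a, v in levels.items()}

def available_features(levels):
    """Features whose DFL/FFL requirement the reported levels satisfy (sorted)."""
    return sorted(name for name, (attr, minimum) in FEATURE_REQUIREMENTS.items()
                  if levels.get(attr, -1) >= minimum)

def can_add_domain_controller(levels, dc_os_level):
    """Page rule: a DC running an OS older than the current domain or forest level
    cannot be introduced, so its OS level must reach both raised levels."""
    required = max(levels.get("domainFunctionality", 0), levels.get("forestFunctionality", 0))
    return dc_os_level >= required
```

Feed it the real ldapsearch output instead of SAMPLE_ROOTDSE_LDIF to inventory what a raised level has already enabled.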
More Information#

There might be more information for this subject on one of the following:
- Determine LDAP Server Vendor
- Microsoft Active Directory
- [#1] - Understanding Active Directory Domain Services (AD DS) Functional Levels - based on information obtained 2017-07-10