Domain functional levels


Domain functional levelAvailable featuresSupported domain controller operating systems
Windows 2000 nativeAll of the default AD DS features and the following directory features are available:
- Universal groups for both distribution and security groups.
- Group nesting
- Group conversion, which allows conversion between security and distribution groups
- Security identifier (SID) history
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2003All the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available:
- The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
- Logon time stamp updates - The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
- The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
- The ability to redirect Users and Computers containersBy default, two well-known containers are provided for housing computer and user accounts, namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature allows the definition of a new, well-known location for these accounts.
- The ability for Authorization Manager to store its authorization policies in AD DS
- Constrained delegation - Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
\You can restrict delegation to specific destination services only.
Selective authentication- Selective authentication makes it is possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
Windows Server 2003
Windows Server 2008
Windows Server 2008All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
- Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)
-DFS replication support provides more robust and detailed replication of SYSVOL contents.
- Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol
- Last Interactive Logon Information - Last Interactive Logon Information displays the following information:
-- The time of the last successful interactive logon for a user
-- The name of the workstation that the used logged on from
-- The number of failed logon attempts since the last logon
- Fine-grained password policies -- Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (http://go.microsoft.com/fwlink/?LinkID=91477).
Windows Server 2008

More Information#

There might be more information for this subject on one of the following: