Overview
Domain functional level | Available features | Supported domain controller operating systems |
---|---|---|
Windows 2000 native | All of the default AD DS features and the following directory features are available: - Universal groups for both distribution and security groups - Group nesting - Group conversion, which allows conversion between security and distribution groups - Security identifier (SID) history | Windows 2000, Windows Server 2003, Windows Server 2008 |
Windows Server 2003 | All the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available: - The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers - Logon time stamp updates: The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain. - The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects - The ability to redirect Users and Computers containers: By default, two well-known containers are provided for housing computer and user accounts, namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature allows the definition of a new, well-known location for these accounts. - The ability for Authorization Manager to store its authorization policies in AD DS - Constrained delegation: Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication. You can restrict delegation to specific destination services only. - Selective authentication: Selective authentication makes it possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest. | Windows Server 2003, Windows Server 2008 |
Windows Server 2008 | All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available: - Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL): DFS replication support provides more robust and detailed replication of SYSVOL contents. - Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol - Last Interactive Logon Information: Last Interactive Logon Information displays the following information: -- The time of the last successful interactive logon for a user -- The name of the workstation that the user logged on from -- The number of failed logon attempts since the last logon - Fine-grained password policies: Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (http://go.microsoft.com/fwlink/?LinkID=91477). | Windows Server 2008 |