Server 2008 R2: Active Directory Functional Levels

Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article takes a look back at the different functional levels of the past and what is new in the latest release of the server operating system for Active Directory (yes, a recycle bin for AD objects!).

Functional levels were first introduced when Active Directory made its appearance in Windows 2000 Server. They allowed you to run different versions of domain controllers in your environment, and once every domain controller had been brought up to a certain version of Windows, you could raise the functional level to gain the added features of that operating system version. Now that Windows Server 2008 R2 is released, it is unlikely that you will mass deploy this new operating system to your entire forest or domain. Instead, you’ll deploy a single domain controller and kick the tires, so to speak. The time will eventually come when you’ve upgraded every domain controller to R2, and at that point you can raise the functional level to 2008 R2 to take advantage of the new features.

Functional levels can be raised in domains or, as of Windows 2003 Server, in the forest, providing different features in each. They are differentiated by labeling them Domain Functional Level and Forest Functional Level.
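Before raising either level you want proof that no pre-R2 domain controller remains, because a single older DC blocks the raise, and the forest level can no longer be rolled back once the Recycle Bin has been turned on. The following PowerShell is an added example, not code from the original article; it uses the Active Directory module that ships with Server 2008 R2 to report each domain's DC operating systems and current modes, and leaves the Set-ADDomainMode and Set-ADForestMode calls on -WhatIf so nothing changes until you remove that switch. The forest and domain names are read from the environment, so no placeholders are needed.

```powershell
# Added example, not from the original article. Reports every domain's DCs
# and current functional levels, then previews the raise commands (-WhatIf).
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0} is at {1}" -f $forest.Name, $forest.ForestMode

$allReady = $true
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "Domain {0} is at {1}" -f $domain.DNSRoot, $domain.DomainMode

    # Every DC in the domain must already run 2008 R2; one older DC blocks the raise.
    $dcs   = @(Get-ADDomainController -Filter * -Server $domainName)
    $older = @($dcs | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' })

    if ($older.Count -gt 0) {
        $allReady = $false
        "  Not ready: the following DC(s) are not 2008 R2"
        $older | Format-Table HostName, OperatingSystem -AutoSize
    } else {
        "  Ready: all {0} DC(s) run 2008 R2" -f $dcs.Count
        # Domain level first. Remove -WhatIf to actually raise it; the write
        # is directed at the PDC emulator, which owns the domain NC head.
        Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain `
            -Server $domain.PDCEmulator -WhatIf
    }
}

# The forest level can only go up after every domain is at 2008 R2. The
# forest mode lives in the Configuration partition, so target the Domain
# Naming Master to avoid a referral error.
if ($allReady) {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest `
        -Server $forest.DomainNamingMaster -WhatIf
}
```

Run it from a 2008 R2 DC or a workstation with RSAT as an Enterprise Admin. The OperatingSystem string match is deliberately loose so that service-pack suffixes still count as R2; if you have a DC whose operating system attribute is empty, treat it as not ready until you have checked it by hand.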

What’s new in 2008 R2

Domain Functional Level

There are two features added when raising the domain functional level to 2008 R2. They are Authentication Mechanism Assurance and Automatic SPN Management.

Authentication mechanism assurance is meant for domains that use federation services (ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. This mechanism adds information to the user’s Kerberos token about the type of authentication used, which lets administrators vary group membership based on how the user authenticated. For example, a user can be granted access to different resources when they log on with a certificate than when they log on with just a username and password.

Automatic SPN management provides a method for managing service accounts for applications such as Exchange, SQL Server and IIS. In the past, regular domain user accounts were used for these purposes, which added management headaches around password changes and service principal names (SPNs). This new feature provides the following benefits:

  • A class of domain accounts can be used to manage and maintain services on local computers.
  • Passwords for these accounts will be reset automatically.
  • Administrators do not have to complete complex SPN management tasks to use managed service accounts.
  • Administrative tasks for managed service accounts can be delegated to non-administrators.
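The four bullets above correspond to a short sequence of Active Directory module cmdlets. The following is an added example, not from the original article: it creates a managed service account, ties it to the one host allowed to use it, registers the SPN on the account instead of on a shared user account, and then lists every MSA with its host binding for audit. The names svc-web01, WEB01 and HTTP/web01.mydomain.com are placeholders.

```powershell
# Added example, not from the original article. Create and bind a managed
# service account (MSA) with Server 2008 R2's Active Directory module.
# svc-web01, WEB01 and the SPN below are placeholders for your own values.
Import-Module ActiveDirectory

$msaName  = 'svc-web01'                 # MSA name (placeholder)
$hostName = 'WEB01'                     # computer that will run the service (placeholder)
$spn      = 'HTTP/web01.mydomain.com'   # SPN the service will present (placeholder)

# 1. Create the account in the default Managed Service Accounts container.
#    AD generates the password and rotates it automatically; nobody knows it.
New-ADServiceAccount -Name $msaName -Enabled $true

# 2. Bind the MSA to exactly one computer object. A 2008 R2 MSA can only be
#    installed on the host it is linked to, so a stolen account name is of
#    little use elsewhere.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# 3. Register the SPN on the MSA itself. Keeping SPNs on dedicated accounts
#    avoids the duplicate-SPN problems that shared user accounts cause.
Set-ADServiceAccount -Identity $msaName -ServicePrincipalNames @{Add = $spn}

# 4. On WEB01 itself, as a local administrator, install the MSA so the local
#    security authority can retrieve and manage its password:
#        Install-ADServiceAccount -Identity 'svc-web01'
#    and verify that the host can authenticate as it (returns True):
#        Test-ADServiceAccount -Identity 'svc-web01'

# Audit view: every MSA, the host(s) it is bound to and the SPNs it carries.
Get-ADServiceAccount -Filter * -Properties HostComputers, ServicePrincipalNames |
    Select-Object Name, SamAccountName, HostComputers, ServicePrincipalNames |
    Format-List
```

After step 4 the service is pointed at the account as MYDOMAIN\svc-web01$ with an empty password in the Services snap-in; the operating system supplies the real password. Because duplicate SPNs silently break Kerberos and push clients back to NTLM, it is worth running setspn -X after any SPN change to confirm the new name is unique in the forest.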

Forest Functional Level

There is one new feature in raising the forest functional level to Server 2008 R2, and it is long overdue: the Active Directory Recycle Bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU filled with user or computer objects (this has happened more times than you would think), there would be a scramble to perform a restore. The deletion replicates to all domain controllers, so an authoritative restore from a good backup, using Ntdsutil in Directory Services Restore Mode, would be in order. With the 2008 R2 forest functional level, a PowerShell cmdlet will undo this instantly.

Note that this feature is not enabled automatically when you raise the forest functional level. You must also run the following command in the Active Directory Module for Windows PowerShell (mydomain.com stands in for your forest root domain):

    Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' `
        -Scope ForestOrConfigurationSet -Target 'mydomain.com'
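Enabling the feature is the easy half; the restore is where the details bite, because a deleted OU must come back before anything that lived inside it, and each deleted child records its parent in the lastKnownParent attribute. The script below is an added example, not from the original article. It checks the forest mode, enables the Recycle Bin against the Domain Naming Master (the role holder that accepts the write), and then restores an OU and everything underneath it in parent-first order. The OU name Sales and the DN DC=mydomain,DC=com are placeholders.

```powershell
# Added example, not from the original article. Enable the AD Recycle Bin and
# restore a deleted OU together with its contents, parents before children.
# 'Sales' and 'DC=mydomain,DC=com' below are placeholders.
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); Windows2008R2Forest is required."
}

$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    # One-way change: the Recycle Bin cannot be disabled afterwards, and the
    # forest level can no longer be rolled back to 2008.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Server $forest.DomainNamingMaster -Confirm:$false
}

function Restore-Subtree {
    # Restore one deleted object, then everything that recorded it as parent.
    param($Deleted, $Object, [string]$LiveDN)

    $deletedDN = $Object.DistinguishedName   # mangled DN under CN=Deleted Objects
    Restore-ADObject -Identity $Object.ObjectGUID

    # Children may name the parent by its original DN or by its deleted DN,
    # so match both forms.
    $children = $Deleted | Where-Object {
        $_.lastKnownParent -eq $LiveDN -or $_.lastKnownParent -eq $deletedDN
    }
    foreach ($child in $children) {
        if ($child.ObjectClass -eq 'organizationalUnit') {
            $childDN = 'OU={0},{1}' -f $child.'msDS-LastKnownRDN', $LiveDN
            Restore-Subtree -Deleted $Deleted -Object $child -LiveDN $childDN
        } else {
            Restore-ADObject -Identity $child.ObjectGUID -TargetPath $LiveDN
        }
    }
}

function Restore-DeletedOU {
    # Locate a deleted OU by its last known RDN and parent, then restore the subtree.
    param([string]$Rdn, [string]$ParentDN)

    # Snapshot of every deleted object; 'Deleted Objects' is the container itself.
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
        -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged

    $ou = $deleted | Where-Object {
            $_.ObjectClass -eq 'organizationalUnit' -and
            $_.lastKnownParent -eq $ParentDN -and
            $_.'msDS-LastKnownRDN' -eq $Rdn
        } | Sort-Object whenChanged -Descending | Select-Object -First 1   # most recent if deleted twice

    if (-not $ou) { throw "No deleted OU '$Rdn' found under $ParentDN" }
    Restore-Subtree -Deleted $deleted -Object $ou -LiveDN ('OU={0},{1}' -f $Rdn, $ParentDN)
}

# Usage (placeholder names): bring back OU=Sales,DC=mydomain,DC=com and its objects.
Restore-DeletedOU -Rdn 'Sales' -ParentDN 'DC=mydomain,DC=com'
```

Objects are only restorable for the deleted object lifetime (180 days by default on a forest of this age); after that they become recycled objects and only a backup will bring them back. Restored objects keep their SID, group memberships and other attributes, which is exactly what an authoritative restore used to be needed for.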

Functional levels of previous versions

The following are the previous functional levels and the features each one added, as documented on TechNet.


Domain Functional Levels:

Windows 2000 Native:

  • Universal groups are enabled for both distribution groups and security groups.
  • Group nesting.
  • Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
  • Security identifier (SID) history.

Windows Server 2003

  • The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
  • Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
  • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
  • The ability to redirect the Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the definition of a new well-known location for these accounts.
  • Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
  • Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
  • Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Windows Server 2008

  • Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
  • Advanced Encryption Standard (AES 128 and 256) support for the Kerberos authentication protocol.
  • Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
  • Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Forest Functional Levels:

Windows 2000:

There were no forest functional levels, only domain functional levels.

Windows Server 2003:

  • Forest trust.
  • Domain rename.
  • Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
  • The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
  • Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
  • An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
  • The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
  • The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
  • The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
  • Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008:

No forest functional level changes occurred from Windows 2003 to Windows 2008.

Filed Under: Administration, Network Security, Security, Windows


Comments (8)


  1. Polprav says:

    Hello from Russia! Can I quote a post in your blog with the link to you?

  2. Prefect says:

    Sure, that’s fine.

  3. al all says:

    Question: in our environment we have PDC 2008 R2 & BDC 2008 R2, both are operating on the default level (Server 2003), and two Exchange 2003 Servers. Can I raise the PDC & BDC to Server 2008 R2 Domain and Forest Functional Levels without losing connection or affecting the regular functionality of the two Exchange 2003 Servers? Any extra info or precautions I should keep in mind?

    • Simon Price says:

      Going to R2 2008 functional level will maintain all features of a 2003 level domain/forest and add the new 2008 R2 features. This said, your existing environment (Exchange 2003) should not be affected. Keep in mind this change is not reversible. So if you have a test environment, use it prior to making production changes, and in production make a backup on a DC before executing the change.

    • Pete says:

      You might want to add that this command should be run on the Domain Naming Master. (Mine was also the Schema Master so try that if the DNM trick does not work.)

      or else you may receive: "Enable-ADOptionalFeature : A referral was returned from the server At line:1 char:25"

  4. Thanks for sharing this. This is really interesting.

  5. Hi Simon,

    Thanks for sharing your insightful thoughts and suggestions – very helpful, and appreciated indeed.

    On a related note, we needed a quick and efficient way to enumerate nested security groups for security audits in AD R2 (i.e. find out which groups were nested in other groups.) So we asked our on-site MS consultant and he recommended using the Gold Finger from Paramount Defenses Inc.

    Gold Finger pleasantly surprised us because not only was it endorsed by Microsoft but also 100% FREE and loaded with almost 250 useful Active Directory security, Exchange and ACL management reports. BTW, you can download it for free from http://goldfinger.paramountdefenses.com

    Thought I’d share this with you in case it could help you too, especially if you’re into AD security reporting.

    Thanks again, and looking forward to your next post.

    Best wishes, Jonathan

  6. jack says:

    There is no more such BDC term used by Windows 2003 and above.

    However, increasing the functional level should not impact your current infrastructure, but only provide more features.

    Refer to the following KB, http://technet.microsoft.com/en-us/library/cc771132(WS.10,printer).aspx