Posts Tagged ‘Group Policy’

Forest Functional Levels

As Microsoft Windows Server has progressed over the years, additional functionality has been incorporated into its domain controllers. The level at which a forest operates is its functional level. This means that if a Microsoft Windows Server 2008 domain controller is in a forest at the Windows 2000 native functional level, it can only use the features that were available to Windows 2000 forests. Across Windows Server 2008 and 2008 R2, only 4 functional levels are supported: Server 2008 supports Windows 2000 native, Windows Server 2003, and Windows Server 2008, and Windows Server 2008 R2 adds support for the Windows Server 2008 R2 level. The default functional level is Windows 2000 native. All domains must be at the forest's functional level or higher: if a forest operates at the Windows Server 2003 functional level, every domain in the forest must operate at a minimum of the Windows Server 2003 domain functional level.

A domain that contains both Windows NT 4.0 domain controllers and Windows 2000 Server domain controllers is referred to as a Windows 2000 Server mixed mode domain. After all Windows NT servers have been removed or demoted to ordinary members of their domains, the forest functional level may be raised to the Windows 2000 Server native functional level. The added functionality in a Windows 2000 Server native forest includes…

  • Universal Groups: Universal groups are groups that may be referenced anywhere in the forest.
  • Raising both levels at once: You may raise the domain functional level by raising the forest's functional level.

After all Windows 2000 servers have been removed or demoted to ordinary members of their domains, and all domains have been raised to the Windows Server 2003 domain functional level, the forest functional level may be raised to Windows Server 2003. The added functionality at the Windows Server 2003 level includes…

  • Forest Trusts: Allows authentication between domains for sharing of resources.
  • Domain Rename: Allows the renaming of a domain within the forest.
  • Linked-value replication: In Windows 2000, any change to a group replicated all the properties of the group. The downside was that if the group was being modified on two domain controllers at the same time, one of the changes might not be applied due to bandwidth issues. This is why there is a recommended cap of 5,000 users in a group for Server 2003. Linked-value replication replicates the individual membership change instead of the entire member attribute.
  • Support for Read-Only Domain Controllers: Read-Only Domain Controllers (RODCs) are a new feature of Server 2008 that may be used in a Server 2003 forest. An RODC allows credentials to be cached at a remote location so that authentication requests do not consume WAN bandwidth. It is also required to run "adprep /rodcprep" on the Windows Server 2003 domain controllers.
  • Improved Knowledge Consistency Checker algorithms and scalability: The intersite topology generator (ISTG) enables replication within forests through site links. In a Windows 2000 forest, site links must be created manually. The algorithms are also improved in a Windows Server 2003 forest.
  • Conversion of inetOrgPerson objects to user objects: inetOrgPerson objects are used for non-Microsoft directory services. With a Server 2003 forest, it is possible to convert an inetOrgPerson into a user object and vice versa.
  • Support for dynamicObject auxiliary class: Used by certain applications and developers, dynamicObject is new to Server 2003.
  • Support for application basic groups and LDAP query groups: These two new group types can be used to support role-based authorization in applications that use Authorization Manager.
  • Deactivation and redefinition of attributes and object classes: Attributes and object classes cannot be deleted. In Server 2003 forests, they can instead be redefined or deactivated.

After all Windows Server 2003 servers have been removed or demoted to ordinary members of their domains, and all domains have been raised to the Windows Server 2008 domain functional level, the forest functional level may be raised to Windows Server 2008. The Windows Server 2008 forest functional level does not add any functionality to the forest.

After all Windows Server 2008 (non-R2) servers have been removed or demoted to ordinary members of their domains, and all domains have been raised to the Windows Server 2008 functional level, the forest functional level may be raised to Windows Server 2008 R2. The only new feature is a very nice one: Microsoft has introduced a Recycle Bin into Active Directory. Enabling it requires a command in PowerShell:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' -Scope ForestOrConfigurationSet -Target 'mydomain.com'
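Because raising a functional level and enabling the Recycle Bin are both one-way changes, an administrator would normally verify where the forest and each domain currently stand before touching either. The following script is an added example written for this post, not the post's own command or Microsoft's documentation: it assumes the ActiveDirectory PowerShell module (RSAT or a domain controller) and Enterprise Admin rights, reuses the post's 'mydomain.com' as a placeholder, and looks the Recycle Bin feature up with Get-ADOptionalFeature instead of hard-coding the distinguished name. All state-changing cmdlets run with -WhatIf so the script only reports what it would do.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and Enterprise Admin rights; run against a lab forest first.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest $($forest.Name) is at forest functional level: $($forest.ForestMode)"

# The forest can only be raised once every domain is at (or above) the target level.
# The enum values are compared as integers so that 'lower level' reads naturally.
$targetDomainMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
$targetForestMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest

$laggingDomains = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host "  Domain $($domain.DNSRoot) is at domain functional level: $($domain.DomainMode)"
    if ([int]$domain.DomainMode -lt [int]$targetDomainMode) {
        $domain.DNSRoot   # collected into $laggingDomains
    }
}

if ($laggingDomains) {
    Write-Warning "These domains must be raised before the forest can be: $($laggingDomains -join ', ')"
    foreach ($name in $laggingDomains) {
        # Irreversible; -WhatIf previews the change without applying it.
        Set-ADDomainMode -Identity $name -DomainMode $targetDomainMode -WhatIf
    }
    return
}

if ([int]$forest.ForestMode -lt [int]$targetForestMode) {
    # Irreversible; remove -WhatIf only after the preview is confirmed.
    Set-ADForestMode -Identity $forest -ForestMode $targetForestMode -WhatIf
} else {
    Write-Host "Forest is already at $($forest.ForestMode); no raise needed."
}

# The Recycle Bin requires the 2008 R2 forest level and, once enabled, cannot be disabled.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($recycleBin.EnabledScopes.Count -gt 0) {
    Write-Host "Recycle Bin already enabled in: $($recycleBin.EnabledScopes -join '; ')"
} else {
    # Equivalent to the post's command, with the feature object in place of the DN
    # and the forest root domain (placeholder: mydomain.com) as the target.
    Enable-ADOptionalFeature -Identity $recycleBin -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -WhatIf
}
```

Running the script on a forest that is still at Windows Server 2003 prints each domain's level, lists the domains that would have to be raised, and stops; only after every domain reports Windows2008R2Domain does it reach the forest raise and the Recycle Bin step. Drop the -WhatIf switches one at a time once each preview matches what you expect.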

Posted by technoblogical - May 8, 2010 at 12:07 pm

Categories: Articles, Server 2008
