In the first part of our new series providing an overview of Windows Server 2008-based Directory Services, we concentrated on earlier implementations of Active Directory and their functionality. We chose this approach to give you a better understanding of the benefits associated with the new and improved features incorporated into the latest operating system platform. Our presentation was structured around Windows 2000 domain modes and Windows Server 2003 domain and forest functional levels, which organize the functionality available across the various combinations of the three major consecutive server versions (Windows NT 4.0 Server, Windows 2000 Server and Windows Server 2003).
We’ve looked at where Directory Services have been; let’s see where Windows Server 2008 is taking them.
In this article, we will focus on the impact of introducing Windows Server 2008 into these arrangements and its consequences in terms of the resulting functional levels.
There are two important factors to consider when evaluating the most appropriate transition methodology. The first is the restriction that precludes a direct upgrade from Windows NT 4.0 Server or Windows 2000 Server: an in-place upgrade to Windows Server 2008 requires at least Windows Server 2003 SP1. In the context of Active Directory, this implies there is no Windows Server 2008 equivalent of the Windows Server 2003 Interim level, which resulted from upgrading a Windows NT 4.0 Server Primary Domain Controller to Windows Server 2003. The second consideration is that Windows Server 2008 domain controllers and Windows NT 4.0 BDCs cannot coexist in the same domain, which eliminates the possibility of promoting a Windows Server 2008 system to a domain controller in a Windows 2000 mixed-mode or Windows Server 2003 Interim functional level domain. A Windows Server 2008 domain controller can, however, operate in a Windows Server 2003 Interim functional level forest, as long as it is part of a Windows Server 2003 functional level domain.
Collectively, these two restrictions mean that you will need to either decommission or upgrade all Windows NT 4.0 Server domain controllers to the Windows 2000 Server or Windows Server 2003 platform before you attempt to run DCPromo on any of your newly installed Windows Server 2008 systems (which should not surprise you, since this version of the server operating system reached its end of life over two years ago). The exception, of course, is when you are setting up a new domain. In other words, the Windows 2000 mixed mode and Windows Server 2003 Interim domain functional levels are not permitted if Windows Server 2008 is to be introduced into an Active Directory domain as one of its domain controllers. Remember, however, that these limitations do not apply in any way to running Windows Server 2008 computers as domain members in any legacy environment.
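As an added example (not part of the original article), the following PowerShell script applies the two rules above to an existing domain before DCPromo is run on a Windows Server 2008 system. It uses only the System.DirectoryServices.ActiveDirectory classes from .NET 2.0, so it runs on the PowerShell 1.0 that ships with Windows Server 2008, against the domain of the machine it is run on; the warning texts are my wording, and the script makes no changes to the directory.

```powershell
# Added example: pre-flight check for introducing a Windows Server 2008 domain controller.
# Run on a domain-joined machine as a user who can read the directory (read-only).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Older .NET builds that have no name for a 2008 level print it as a bare number; that is
# still a level above Windows Server 2003 and passes every check below.
$forestMode = $forest.ForestMode.ToString()   # e.g. Windows2003InterimForest
$domainMode = $domain.DomainMode.ToString()   # e.g. Windows2000MixedDomain

"Forest {0}: functional level {1}" -f $forest.Name, $forestMode
"Domain {0}: functional level {1}" -f $domain.Name, $domainMode

$blockers = @()
switch ($domainMode) {
    "Windows2000MixedDomain" {
        $blockers += "Windows 2000 mixed mode permits NT 4.0 BDCs; raise the domain to Windows 2000 native (or higher) first."
    }
    "Windows2003InterimDomain" {
        $blockers += "Windows Server 2003 Interim domain level permits NT 4.0 BDCs; raise the domain to Windows Server 2003 first."
    }
}
# A Windows Server 2003 Interim forest is tolerated only when the domain itself is at the
# Windows Server 2003 level (the rule stated in the article).
if ($forestMode -eq "Windows2003InterimForest" -and $domainMode -ne "Windows2003Domain") {
    $blockers += "Windows Server 2003 Interim forest level requires the domain to be at the Windows Server 2003 level."
}

# Inventory the domain controllers the directory knows about. NT 4.0 BDCs have no NTDS
# Settings object, so they never appear here; the domain mode above is the reliable signal.
"{0,-28} {1,-26} {2}" -f "Domain controller", "OS version", "Site"
foreach ($dc in $domain.DomainControllers) {
    "{0,-28} {1,-26} {2}" -f $dc.Name, $dc.OSVersion, $dc.SiteName
}

if ($blockers.Count -eq 0) {
    "OK: a Windows Server 2008 domain controller can be promoted into this domain."
} else {
    "BLOCKED:"
    $blockers | ForEach-Object { "  - $_" }
}
```

The same classes expose Domain.RaiseDomainFunctionality() and Forest.RaiseForestFunctionality() for the actual level change; they are deliberately left out of the script because, as the article notes, raising a functional level is a one-way operation and should not be buried in a check routine.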
Effectively, with the advent of the latest server operating system platform, the total number of possible domain and forest functional levels in which Windows Server 2008 domain controllers can participate remains the same as in the equivalent Windows Server 2003 listing. Two entries have been removed from it (the Windows 2000 mixed-mode domain and Windows Server 2003 Interim domain functional levels) and two were added (the Windows Server 2008 domain and forest functional levels), yielding the following domain functional levels: Windows 2000 native, Windows Server 2003 and Windows Server 2008; and the following forest functional levels: Windows 2000, Windows Server 2003 Interim, Windows Server 2003 and Windows Server 2008. Although, in essence, the feature set associated with each existing level does not change, you can take advantage of a variety of improvements introduced in Windows Server 2008-based domain controllers.
The Windows Server 2008 domain functional level offers several important benefits, including a new, more robust and efficient replication model for SYSVOL content (based on Distributed File System Replication), fine-grained password policies (allowing separate password and account lockout settings to be assigned to members of arbitrary domain global security groups or to individual users), replication of Active Directory attributes containing last interactive logon data (providing such information as the most recent logon date and time, the number of failed logon attempts since the latest successful logon, or the time of the last failed logon), and Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
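As an added example, not taken from the article, here is how a fine-grained password policy can be created once the domain is at the Windows Server 2008 domain functional level. It writes a Password Settings Object (PSO) into the Password Settings Container over LDAP with System.DirectoryServices.Protocols, which accepts the Int64 interval attributes as plain strings, links it to a global security group, and then reads back the effective policy for one member. The domain controller, domain, group and user names, the PSO name and the policy values are hypothetical placeholders chosen for illustration.

```powershell
# Added example: create a Password Settings Object (PSO) for a global security group.
# Requires the Windows Server 2008 domain functional level and (by default) Domain Admins rights.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols")

$server   = "dc01.contoso.com"                               # hypothetical domain controller
$domainDn = "DC=contoso,DC=com"                              # hypothetical domain
$groupDn  = "CN=Service Accounts,OU=Groups,$domainDn"       # hypothetical global security group
$userDn   = "CN=svc-backup,OU=Service Accounts,$domainDn"   # hypothetical member of that group
$psoDn    = "CN=PSO-ServiceAccounts,CN=Password Settings Container,CN=System,$domainDn"

# AD stores durations as negative 100-nanosecond intervals (LDAP I8 syntax). TimeSpan.Ticks is
# already in 100 ns units, so negating it yields the value the directory expects.
function ConvertTo-AdInterval([TimeSpan]$span) { return [string](-$span.Ticks) }

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.Signing = $true    # integrity of the LDAP session
$conn.SessionOptions.Sealing = $true    # confidentiality (Kerberos encryption) for the write
$conn.Bind()                            # current (Negotiate) credentials

# All ten settings below are mandatory attributes of the msDS-PasswordSettings class.
$settings = @{
    "msDS-PasswordSettingsPrecedence"          = "10"      # lowest value wins when several PSOs apply
    "msDS-PasswordReversibleEncryptionEnabled" = "FALSE"
    "msDS-PasswordHistoryLength"               = "24"
    "msDS-PasswordComplexityEnabled"           = "TRUE"
    "msDS-MinimumPasswordLength"               = "15"
    "msDS-MinimumPasswordAge"                  = (ConvertTo-AdInterval (New-TimeSpan -Days 1))
    "msDS-MaximumPasswordAge"                  = (ConvertTo-AdInterval (New-TimeSpan -Days 42))
    "msDS-LockoutThreshold"                    = "10"
    "msDS-LockoutObservationWindow"            = (ConvertTo-AdInterval (New-TimeSpan -Minutes 30))
    "msDS-LockoutDuration"                     = (ConvertTo-AdInterval (New-TimeSpan -Minutes 30))
    "msDS-PSOAppliesTo"                        = $groupDn  # PSOs link only to users and global security groups
}

$add = New-Object System.DirectoryServices.Protocols.AddRequest($psoDn, "msDS-PasswordSettings")
foreach ($name in $settings.Keys) {
    $attr = New-Object System.DirectoryServices.Protocols.DirectoryAttribute($name, $settings[$name])
    [void]$add.Attributes.Add($attr)
}
# Throws DirectoryOperationException on failure, e.g. when the domain level is still 2003.
[void]$conn.SendRequest($add)

# Verify the effective policy: msDS-ResultantPSO is a constructed attribute that names the
# winning PSO for a user after precedence and group membership are taken into account.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest($userDn, "(objectClass=user)", "Base", [string[]]@("msDS-ResultantPSO"))
$entry = $conn.SendRequest($search).Entries[0]
$psoAttr = $entry.Attributes["msDS-ResultantPSO"]
if ($psoAttr -eq $null) {
    "No PSO applies to {0}; the Default Domain Policy password settings are in effect." -f $userDn
} else {
    "Effective PSO for {0}: {1}" -f $userDn, $psoAttr[0]
}
```

The read-back step matters because PSOs do not merge: when a user is covered by several PSOs, only the one with the lowest precedence value applies, and a PSO linked to a group the user is not a member of has no effect at all.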
Note that it is possible to set up Windows Server 2008 functional level domains in a forest operating at any of the levels listed above. This raises the question of the significance of the Windows Server 2008 forest functional level. While consistency is likely its biggest strength (and, paradoxically, also its weakness, since, as you might recall, raising a functional level is a non-reversible operation that prevents you from incorporating earlier versions of the operating system into the Directory Services infrastructure), some less obvious considerations make raising it worthwhile. For example, to improve the confidentiality of data stored in Active Directory, starting with Windows Server 2008 it is possible to limit the set of attributes that replicate to Read Only domain controllers. However, this restriction can be circumvented by forcing replication from a Windows Server 2003 domain controller, which is not aware of this functionality. By enforcing the operating system version of domain controllers across the entire forest, you eliminate this potential vulnerability. We will be pointing out other, similarly less obvious benefits throughout the course of our series.
On the other hand, note that Windows Server 2008-based domain controllers offer a number of advantages even when operating in a mixed environment. Restartable Active Directory Domain Services (which allows you to place Active Directory in an offline state on a particular domain controller without shutting down the operating system, increasing uptime and simplifying operations such as offline defragmentation), Read Only Domain Controllers (intended for deploying Active Directory infrastructure to branch offices, which commonly lack properly secured data centers), improved auditing (providing useful, previously unavailable details regarding changes to AD objects and attributes), and an optimized Installation from Media process (further streamlining and securing the installation of additional domain controllers with minimum impact on bandwidth during initial replication) are just some of the features that become available following the installation of the first Windows Server 2008 domain controller in a domain, without the need to switch to the Windows Server 2008 functional level (even though their scope might be limited).
Our next article will present a more detailed review of each of these features, including the steps involved in their implementation.
Marcin Policht obtained his Master of Computer Science degree about 20 years ago and has since been working in the Information Technology field, handling a variety of responsibilities, but focusing primarily on the areas of identity and access management, virtualization, system management, and, more recently, private, hybrid, and public cloud services. He has authored the first book dedicated to Windows Management Instrumentation and co-written several others dealing with subjects ranging from core operating system features to high-availability solutions. His articles have been published on such Web sites as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP over the last ten years.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved