Domain and Forest Functional Level

20 04 2009

These are my notes from watching Domain Function Level, Forest Functional Level for Server 2008 on CBTNuggets. I have paraphrased and added my own comments.

Domain Functional Level

Windows Server 2003 DFL

  • DC rename (for example to fit a new naming convention after a server moves to another site) - in Server 2008 you can also rename a DC with the netdom computername command. Make sure the new name has replicated to every DC before you move on.
  • Attributes: lastLogonTimestamp and userPassword. lastLogonTimestamp is replicated between DCs (the older lastLogon is not), so in Active Directory Users and Computers on Server 2008 you can build a custom query on it to find accounts that have not logged on for a long time and get rid of old accounts. Caveat: the DC only rewrites the value when the stored one is roughly 14 days old, so it is accurate to about two weeks, not to the minute. userPassword can be used as the effective password attribute on user and inetOrgPerson objects.
  • redirusr and redircmp redirect newly created user and computer accounts from the default Users and Computers containers to an OU of your choice (useful because you cannot link Group Policy to the default containers, only to OUs).
  • Selective authentication - restrict which accounts from a trusted domain are allowed to authenticate to which computers in the trusting domain, instead of every trusted user being authenticated everywhere.
  • Constrained delegation - a service account can be allowed to delegate Kerberos credentials only to the specific services you list, rather than unconstrained delegation to anything.
  • Authorization Manager (AzMan) - role-based access control, mostly for applications; at this level its policy store can live in AD.
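The stale-account query mentioned under lastLogonTimestamp, written out as an added PowerShell example (not from the CBTNuggets video or this post). It uses System.DirectoryServices so it runs on Server 2008 with PowerShell 2.0 and no extra modules; the 90-day cutoff and the assumption that it runs from a domain-joined machine are mine.

```powershell
# Added example: list enabled user accounts whose replicated lastLogonTimestamp is older
# than a cutoff. Runs on Server 2008 with PowerShell 2.0 (System.DirectoryServices only).
# Assumptions: domain-joined machine, current domain taken from RootDSE, 90-day cutoff.
# Caveat: lastLogonTimestamp is only rewritten when the stored value is about 14 days old
# (msDS-LogonTimeSyncInterval, default 14 days, minus a random 0-5 days), so the result
# is accurate to roughly two weeks. Query lastLogon on every DC if you need exact times.

param([int]$CutoffDays = 90)

function Get-StaleUserAccounts {
    param([int]$Days)

    $cutoff = (Get-Date).AddDays(-$Days)
    # lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601) stored in an Int64,
    # so an LDAP <= comparison against the cutoff in the same form is evaluated server side.
    $cutoffFileTime = $cutoff.ToFileTimeUtc()

    $rootDse = [ADSI]"LDAP://RootDSE"
    $domainDn = "$($rootDse.defaultNamingContext)"

    # 1.2.840.113556.1.4.803 is the bitwise AND matching rule; bit 2 of userAccountControl is
    # ACCOUNTDISABLE, so already-disabled accounts are skipped. Accounts that have never logged
    # on have no lastLogonTimestamp at all and are matched separately with (!(attr=*)).
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(|(lastLogonTimestamp<=$cutoffFileTime)(!(lastLogonTimestamp=*))))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = $filter
    $searcher.PageSize = 1000   # paged results, so the server's 1000-entry limit does not truncate
    $null = $searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "lastLogonTimestamp", "whenCreated", "distinguishedName"))

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        $created = [DateTime]$props["whencreated"][0]
        if ($props.Contains("lastlogontimestamp")) {
            $lastLogon = [DateTime]::FromFileTimeUtc([Int64]$props["lastlogontimestamp"][0])
        } else {
            # Never logged on: only report it if the account itself is older than the cutoff,
            # otherwise a freshly created account would be flagged as stale.
            if ($created -gt $cutoff) { continue }
            $lastLogon = $null
        }
        New-Object PSObject -Property @{
            SamAccountName = $props["samaccountname"][0]
            LastLogon      = $lastLogon
            WhenCreated    = $created
            DN             = $props["distinguishedname"][0]
        }
    }
}

Get-StaleUserAccounts -Days $CutoffDays |
    Sort-Object LastLogon |
    Format-Table SamAccountName, LastLogon, WhenCreated, DN -AutoSize
```

Review the list before disabling anything: service accounts that authenticate with NTLM only, or accounts used purely for Kerberos delegation, can look stale here even though they are in use, and an empty LastLogon on an old account usually means a pre-created account that was never actually used.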

Windows Server 2008 DFL

  • Every DC in the domain must run Windows Server 2008; you cannot raise the level while a 2003 or 2000 DC remains, and raising it is a one-way change.
  • DFS Replication (DFS-R) becomes available for SYSVOL in place of FRS, which is more efficient over WAN links. Raising the level does not migrate SYSVOL by itself: you run dfsrmig through its Prepared, Redirected and Eliminated states and check with dfsrmig /getmigrationstate that every DC has reached each state before moving to the next.
  • Last interactive logon information - DCs record the time of the last successful and last failed interactive logon and the number of failed attempts since the last success (msDS-LastSuccessfulInteractiveLogonTime and related attributes), which gives better data for queries and lets users be shown their previous logon details; it has to be switched on with the "Display information about previous logons during user logon" Group Policy setting.
  • Fine-grained password policies - different password and lockout policies within one domain, applied to users or global security groups (not OUs) through Password Settings Objects (PSOs) that you create with ADSI Edit or ldifde, since Server 2008 has no GUI for them. You can use Specops Password Policy Basic to do this as well: http://www.specopssoft.com/products/specopspasswordpolicy/
  • AES (Advanced Encryption Standard) support for Kerberos, with 128-bit or 256-bit keys, instead of only RC4 and DES.
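A readiness check to run before raising a functional level, as an added PowerShell example (not from the video or this post). It reads the current domain, forest and DC levels from RootDSE and lists the operating system of every domain controller in the current domain, so a pre-2008 DC that would block the raise stands out; the same check, run in each domain, covers the rule that every domain must already be at 2008 DFL before the forest level can go to 2008. Assumptions are mine: a domain-joined machine with PowerShell 2.0, the level-number names from the msDS-Behavior-Version values for Windows 2000 through Server 2008, and finding DCs by primaryGroupID (516 is Domain Controllers, 521 is Read-only Domain Controllers).

```powershell
# Added example: report functional levels and DC operating systems before a level raise.
# Assumptions: domain-joined machine, PowerShell 2.0, System.DirectoryServices only.
# Level numbers follow msDS-Behavior-Version as exposed through RootDSE.

$levelNames = @{
    0 = "Windows 2000"
    1 = "Windows Server 2003 interim"
    2 = "Windows Server 2003"
    3 = "Windows Server 2008"
}

function Get-FunctionalLevelName([int]$Level) {
    if ($levelNames.ContainsKey($Level)) { $levelNames[$Level] } else { "unknown level $Level" }
}

function Get-FunctionalLevelReport {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domainDn = "$($rootDse.defaultNamingContext)"

    # DC computer accounts have primaryGroupID 516 (writable DC) or 521 (RODC), wherever
    # their objects sit in the tree, so this does not depend on the Domain Controllers OU.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=computer)(|(primaryGroupID=516)(primaryGroupID=521)))"
    $null = $searcher.PropertiesToLoad.AddRange(@("dNSHostName", "operatingSystem", "operatingSystemVersion", "primaryGroupID"))

    $dcs = foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        # operatingSystemVersion looks like "6.0 (6001)" for Server 2008 and "5.2 (3790)" for
        # Server 2003; anything below 6.0 blocks a raise to 2008 DFL. A missing value is
        # treated as blocking so that an unknown DC is never silently waved through.
        $blocks = $true
        if ($p.Contains("operatingsystemversion")) {
            $major = [version](("$($p['operatingsystemversion'][0])" -split " ")[0])
            $blocks = ($major -lt [version]"6.0")
        }
        New-Object PSObject -Property @{
            HostName   = $p["dnshostname"][0]
            OS         = $p["operatingsystem"][0]
            OSVersion  = $p["operatingsystemversion"][0]
            ReadOnly   = ([int]$p["primarygroupid"][0] -eq 521)
            Blocks2008 = $blocks
        }
    }

    New-Object PSObject -Property @{
        DomainLevel       = Get-FunctionalLevelName ([int]"$($rootDse.domainFunctionality)")
        ForestLevel       = Get-FunctionalLevelName ([int]"$($rootDse.forestFunctionality)")
        DcLevel           = Get-FunctionalLevelName ([int]"$($rootDse.domainControllerFunctionality)")
        DomainControllers = @($dcs)
        ReadyFor2008Dfl   = (@($dcs | Where-Object { $_.Blocks2008 }).Count -eq 0)
    }
}

$report = Get-FunctionalLevelReport
"Domain level: {0}  Forest level: {1}  This DC: {2}" -f $report.DomainLevel, $report.ForestLevel, $report.DcLevel
$report.DomainControllers | Format-Table HostName, OS, OSVersion, ReadOnly, Blocks2008 -AutoSize
if ($report.ReadyFor2008Dfl) {
    "All DCs run Windows Server 2008 or later: the domain level can be raised."
} else {
    "At least one DC runs an older OS: upgrade or demote it before raising the level."
}
```

Run it against each domain in the forest (bind to that domain's DC, or change the SearchRoot) before raising the forest level; the DomainLevel value from RootDSE is the quickest way to confirm that a domain really is at 2008 DFL rather than just having 2008 DCs.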

Forest Functional Level

Windows Server 2003 FFL

  • Forest trust - a trust between two forests that covers every domain in both forests (transitive within the two forests, but it does not extend to a third forest); it can be one-way or two-way.
  • Domain rename - you can do it with the rendom tool; follow the TechNet procedure exactly.
  • Linked value replication - for multi-valued linked attributes such as group membership, only the changed value (the member that was added or removed) replicates, not the whole member list. This also removes the old practical limit of about 5,000 members per group and stops membership changes made on two DCs at the same time from overwriting each other.
  • RODC - read-only domain controller, more secure for a branch office: it holds a read-only copy of the database and caches no passwords unless you allow it. It needs 2003 FFL, adprep /rodcprep and at least one writable 2008 DC in the domain.
  • Improved KCC/ISTG algorithms - smarter, more scalable replication topology between sites over the WAN.
  • inetOrgPerson/user conversion - you can convert an inetOrgPerson object into a user object and back, which helps when importing accounts from other LDAP directories.
  • Schema objects (attributes and classes) can now be deactivated (made defunct) and redefined.

Windows Server 2008 FFL

  • All the Server 2003 FFL features, plus: every domain in the forest must already be at 2008 DFL before you can raise the forest level, and any domain created afterwards starts at 2008 DFL.