These are my notes from watching Domain Function Level, Forest Functional Level for Server 2008 on CBTNuggets. I have paraphrased and added my own comments.
Domain Functional Level
Windows Server 2003 DFL
- DC Rename (moving a server to another site, etc.) – you can use the netdom command in Server 2008 to change the name as well. Make sure everything replicates before you move on.
- Attributes: Last Logon Timestamp, user password – under Active Directory Users and Computers in Server 2008, you can create a custom query to find the last logon for a number of users and get rid of old accounts.
- The redirusr and redircmp commands can be used to redirect new accounts to a different folder in AD.
- Selective authentication – restrict accounts across domains
- Constrained Delegation
- Authorization Manager – easier management of user access, mostly for applications
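The stale-account query from the attributes bullet above, as an added PowerShell example (not from the video or the original notes). The 90-day threshold and all variable names are assumptions; the 14-day slack reflects the default interval at which lastLogonTimestamp is refreshed, and the script only reports, it does not change any account.

```powershell
# Added example: report enabled user accounts with no recent logon.
# Assumptions: run on a domain-joined machine by a user who can read AD;
# $StaleDays is a hypothetical policy value, adjust it to your own.
$StaleDays     = 90
# lastLogonTimestamp is only refreshed when it is roughly 9-14 days old,
# so the replicated value can lag the real last logon by up to 14 days.
$SyncSlackDays = 14

$cutoff   = (Get-Date).ToUniversalTime().AddDays(-($StaleDays + $SyncSlackDays))
$cutoffFt = $cutoff.ToFileTimeUtc()                   # Int64 FILETIME, as stored in AD
$cutoffGt = $cutoff.ToString("yyyyMMddHHmmss'.0Z'")   # generalized time for whenCreated

# Enabled users created before the cutoff whose stamp is old or was never set.
# The same string can be pasted into an ADUC saved query (Custom Search > Advanced).
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(whenCreated<=$cutoffGt)" +
          "(|(lastLogonTimestamp<=$cutoffFt)(!(lastLogonTimestamp=*))))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = $filter
$searcher.PageSize = 1000                             # page past the 1000-object limit
$props = [string[]]@('samaccountname', 'lastlogontimestamp', 'distinguishedname')
$searcher.PropertiesToLoad.AddRange($props)

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        $stamp = $r.Properties['lastlogontimestamp']
        $last  = if ($stamp -and $stamp.Count -gt 0) {
                     [DateTime]::FromFileTimeUtc([Int64]$stamp[0])
                 } else { $null }                     # account has never logged on
        New-Object PSObject -Property @{
            Account   = [string]$r.Properties['samaccountname'][0]
            LastLogon = $last
            DN        = [string]$r.Properties['distinguishedname'][0]
        }
    }
} finally {
    $results.Dispose()                                # release the underlying search handle
}
$report | Sort-Object LastLogon | Format-Table Account, LastLogon, DN -AutoSize
```

Review the output before disabling anything: service accounts and accounts that authenticate in ways that do not update the stamp can appear in the list.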
Windows Server 2008 DFL
- You can only have Server 2008 DCs
- Uses DFS-R Sysvol replication (as opposed to FRS), helping out with WAN bandwidth, etc.
- Last logon (more details on logon for better queries)
- Fine-grained passwords (you can have different password policies within a domain, using adsiedit). You can use Specops Password Policy Basic to do this as well: http://www.specopssoft.com/products/specopspasswordpolicy/
- Advanced Encryption Services (128 or 256 bit for Kerberos)
Forest Functional Level
Windows Server 2003 FFL
- Forest Trust – we can trust between different forests to allow access both ways (non-transitive).
- Domain Rename – you can do it, just follow the instructions on TechNet…
- Linked Value Replication – you don't have to replicate the entire group when you add a user, just the new object.
- RODC – Read Only Domain Controller – more secure for a branch
- Improved KCC algorithms – smarter replication over the WAN.
- inetOrgPerson/user conversion – you can convert other accounts to AD accounts
- Schema objects can now be deactivated or disabled.
Windows Server 2008 FFL
- All the Server 2003 stuff, plus all new domains will be promoted to 2008 DFL.