21 out of 27 rated this helpful - Rate this topic

Understanding Domain and Forest Functional Levels

Updated: December 21, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Domain and forest functional levels

Domain and forest functional levels provide a way to enable domain-wide features or forest-wide features in your Active Directory Domain Services (AD DS) environment. Different levels of domain functionality and forest functionality are available, depending on your network environment.

If all the domain controllers in your domain or forest are running the latest version of Windows Server and the domain and forest functional level is set to highest value, all domain-wide features and forest-wide features are available. When your domain or forest contains domain controllers that run earlier versions of Windows Server, AD DS features are limited. For more information about how to enable domain-wide features or forest-wide features, see Raise the Domain Functional Level and Raise the Forest Functional Level.

Domain functional levels

Domain functionality enables features that affect the entire domain and that domain only. The following table lists the domain functional levels and their corresponding supported domain controllers:

Domain functional level	Domain controller operating systems supported
Windows Server 2003	Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows Server 2003
Windows Server 2008	Windows Server 2012 Windows Server 2008 R2 Windows Server 2008
Windows Server 2008 R2	Windows Server 2012 Windows Server 2008 R2
Windows Server 2012	Windows Server 2012

The following table describes the domain-wide features that are enabled for the domain functional levels.

Domain functional level	Enabled features
Windows 2000 native	All default Active Directory features and the following features: Universal groups are enabled for both distribution groups and security groups. Group nesting. Group conversion is enabled, which makes conversion possible between security groups and distribution groups. Security identifier (SID) history.
Windows Server 2003	All default Active Directory features, all features from the Windows 2000 native domain functional level, plus the following features: The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename. Update of the logon time stamp. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain. The ability to set the userPassword attribute as the effective password on the inetOrgPerson object and user objects. The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes it possible to define a new well-known location for these accounts. Authorization Manager can store its authorization policies in AD DS. Constrained delegation is included, which makes it possible for applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. You can configure delegation to be allowed only to specific destination services. Selective authentication is supported, which makes it possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
Windows Server 2008	All default Active Directory features, all features from the Windows Server 2003 domain functional level, plus the following features: Distributed File System Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents. Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol. Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon. Fine-grained password policies, which make it possible for password policies and account lockout policies to be specified for users and global security groups in a domain.
Windows Server 2008 R2	All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features: Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.
Windows Server 2012	The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings ( Always provide claims and Fail unarmored authentication requests ) that require Windows Server 2012 domain functional level. For more information, see What's New in Kerberos Authentication.

Forest functional levels

Forest functional levels enable features across all the domains in your forest. The following table lists the forest functional levels and their corresponding supported domain controllers.

Forest functional level	Domain controller operating systems supported
Windows Server 2003	Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows Server 2003
Windows Server 2008	Windows Server 2012 Windows Server 2008 R2 Windows Server 2008
Windows Server 2008 R2 (default)	Windows Server 2012 Windows Server 2008 R2
Windows Server 2012	Windows Server 2012

The following table describes the forest-wide features that are enabled for forest functional levels.

Forest functional level	Enabled features
Windows Server 2003	All default Active Directory features, plus the following features: Forest trust Domain rename Linked-value replication (Changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit.) This results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers. The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008. Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition. The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse. The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization. Deactivation and redefinition of attributes and classes in the schema.
Windows Server 2008	This functional level provides all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default.
Windows Server 2008 R2	All of the features that are available at the Windows Server 2003 forest functional level, plus the following features: Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default. If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.
Windows Server 2012	All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

Additional references

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)

Community Additions

ADD