Raising Domain Functional Level


Introduction

This article describes what the Domain Functional Level is and how to raise it. Before the procedure itself, we will focus on the prerequisites for this action.

The Domain Functional Level (DFL) determines which features are available in a domain and which operating systems may act as Domain Controllers. It is really important to understand this properly before you start raising the DFL.

Important! Raising the DFL to a higher level is a one-way action: it cannot be reverted to the previous, lower level using the same console. Without a forest recovery from backup there is no way back, so consider it wisely before doing it. (Beginning with Windows Server 2008 R2, the Set-ADDomainMode PowerShell cmdlet can lower the level back to Windows Server 2008, but only while the Forest Functional Level is not higher than that and the Active Directory Recycle Bin has not been enabled; the consoles offer no rollback at all.)

You can raise Domain Functional Level using these tools:

  • Active Directory Users and Computers
  • Active Directory Domains and Trusts

Both consoles allow the DFL to be raised, and both show the current Domain Functional Level.

To be able to raise the DFL, the user account you perform the action with must be a member of the “Domain Admins” group of that domain or of the “Enterprise Admins” group.

Currently six Domain Functional Levels are available (seven including Windows Server 8 Beta 🙂, but this article does not count that OS because it is a beta version):

  • Windows 2000 Mixed mode
  • Windows 2000 Native mode
  • Windows Server 2003 Interim mode
  • Windows Server 2003 mode
  • Windows Server 2008 mode
  • Windows Server 2008R2 mode

plus the mentioned beta level, Windows Server 8 Beta (which shipped as Windows Server 2012 in the final release).

Each Domain Functional Level introduces new features in a domain, which is why raising it is worthwhile. This short summary shows which features each DFL provides:

Windows 2000 Mixed mode [1]

  • Universal Distribution Groups
  • Group Nesting for Distribution Groups
  • Group Nesting for Domain Local Security Groups, which can contain Global Security Groups as members

In this mode, you can use these Operating Systems as Domain Controllers:

  • Windows NT4
  • Windows 2000 Server
  • Windows Server 2003
  • Windows Server 2003R2

Newer operating systems cannot be Domain Controllers in this mode, because Windows Server 2008 and later do not support coexisting with Windows NT 4.0 DCs. If you want to use Windows Server 2008 DCs, you first need to migrate all of your NT 4.0 DCs to at least Windows 2000 Server and raise the Domain Functional Level to Windows 2000 Native mode.

Windows 2000 Native mode [1]

  • Universal Groups for all types (Security, Distribution)
  • Group Nesting allowed for all groups (Global, Universal, Domain Local)
  • Group type conversion
  • SID History enabled

In this mode, you can use these Operating Systems as Domain Controllers:

  • Windows 2000 Server
  • Windows Server 2003
  • Windows Server 2003R2
  • Windows Server 2008
  • Windows Server 2008R2

Note that there is no possibility to run Windows NT 4.0 Domain Controllers in this mode. So, if you have no Windows NT DCs in the domain and you do not plan to use any in the future, you can simply raise the Domain Functional Level to Windows 2000 Native mode.

Windows Server 2003 mode [1]
All Windows 2000 Native mode features plus:

  • Domain Controller rename (Netdom)
  • Domain rename (the Forest Functional Level must be Windows Server 2003 as well)
  • Possibility to redirect the default containers for newly created user and computer objects
  • lastLogonTimestamp attribute updates (a replicated attribute, unlike lastLogon)
  • userPassword attribute usable as the effective password on inetOrgPerson and user objects
  • Constrained delegation
  • Selective authentication for users/groups/computers from trusted domains

In this mode, you can use these Operating Systems as Domain Controllers:

  • Windows Server 2003
  • Windows Server 2003R2
  • Windows Server 2008
  • Windows Server 2008R2

Note that there is no possibility to run Windows NT 4.0 and Windows 2000 Server Domain Controllers in this mode. So, if you have no Windows NT and Windows 2000 DCs in the domain and you do not plan to use any in the future, you can simply raise the Domain Functional Level to Windows Server 2003 mode.

Important!
When you raise your Domain Functional Level to Windows Server 2003 Interim mode, you can only use Windows NT 4.0, Windows Server 2003 and Windows Server 2003 R2 Domain Controllers! This level cannot be selected directly in the same consoles as the other modes. To set it, you need to use the ADSIEdit tool and raise the Forest Functional Level to Windows Server 2003 Interim mode.

For more information about that, please visit Microsoft TechNet and read the article on this topic.

Windows Server 2008 mode [1]
All Windows Server 2003 mode features plus:

  • DFS Replication (DFS-R) support for SYSVOL
  • Domain-based DFS namespaces running in Windows Server 2008 mode
  • AES 128 and AES 256 encryption support for the Kerberos protocol
  • Last Interactive Logon information
  • Fine-grained password policies
  • Personal Virtual Desktops

In this mode, you can use these Operating Systems as Domain Controllers:

  • Windows Server 2008
  • Windows Server 2008R2

Note that there is no possibility to run Windows NT 4.0, Windows 2000 Server, Windows Server 2003 and Windows Server 2003 R2 Domain Controllers in this mode. So, if you have none of these DCs in the domain and you do not plan to use any in the future, you can simply raise the Domain Functional Level to Windows Server 2008 mode.

Windows Server 2008R2 mode [1]
All Windows Server 2008 mode features plus:

  • Authentication mechanism assurance
  • Automatic SPN management

In this mode, you can only use Windows Server 2008 R2 as Domain Controllers. There is no possibility to run older operating systems as Domain Controllers in this mode. So, if you have none of them and you do not plan to use any in the future, you can simply raise the Domain Functional Level to Windows Server 2008 R2 mode.

Windows Server 2012 mode [1]
All Windows Server 2008R2 mode features plus:

  • The “KDC support for claims, compound authentication, and Kerberos armoring” administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level.

Windows Server 2012R2 mode [1]
All Windows Server 2012 mode features plus:

  • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
    – Authenticate with NTLM authentication
    – Use DES or RC4 cipher suites in Kerberos pre-authentication
    – Be delegated with unconstrained or constrained delegation
    – Renew user tickets (TGTs) beyond the initial 4-hour lifetime

  • Authentication Policies

New forest-based Active Directory policies that can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign on from, and to apply access control conditions for authentication to services running as that account.

  • Authentication Policy Silos

New forest-based Active Directory object that creates a relationship between user, managed service and computer accounts, used to classify accounts for authentication policies or for authentication isolation.

That’s all for the theory. We now know everything we need to know about DFLs, so let’s see how to raise one.

Scenario

This is a single-forest, multiple-domain environment where testenv.local is the forest root domain. Its Windows 2000 Server Domain Controllers were replaced by new ones running Windows Server 2008 R2. All the old DCs are decommissioned, but the Domain Functional Level is still Windows 2000 Native mode. Since I know there are no 2000, 2003 or 2008 DCs left and I do not plan to use any in the future, I can raise the DFL to Windows Server 2008 R2 mode.

Raising Domain Functional Level using Active Directory Users and Computers console

Open the ADUC console from “Administrative Tools”

ADUC console

Select the DNS domain name at the top of the console and right-click it. Choose “Raise domain functional level…” from the menu.

Choosing option to raise DFL

DFL available options

From the drop-down list, select the appropriate Domain Functional Level. In my case, it is Windows Server 2008 R2

Choosing DFL mode

and click the “Raise” button. Confirm that you really want to do this

Confirmation

Congratulations! Your Domain Functional Level has been raised!

Information about raised DFL

Information about current DFL

Raising Domain Functional Level using Active Directory Domains and Trusts console

Open the Active Directory Domains and Trusts console from “Administrative Tools”

Active Directory Domains and Trusts console

From the list of available domains, select the one on which you want to raise the DFL. Right-click it and choose “Raise domain functional level…” from the menu.

Option to raise DFL

From the drop-down list, select the appropriate Domain Functional Level. In my case, it is Windows Server 2008 R2

Available DFLs

and click the “Raise” button

Raising DFL

Congratulations! Your Domain Functional Level has been raised

DFL has been raised

Current DFL mode

That’s all!
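The same procedure as in the scenario above, done from PowerShell instead of the consoles, as an added example that is not part of the original article. It assumes the ActiveDirectory module is available (RSAT or a Windows Server 2008 R2 or later DC), that the domain is testenv.local as in the scenario, and that the target level is Windows Server 2008 R2; the $DomainName and $TargetMode variables and the $MinimumOsVersion table are the example's own, not anything from the page. Because the raise is a one-way door, the script first reads the current level and its raw msDS-Behavior-Version attribute, refuses to continue while any DC that is too old for the target level (including a stale object of a DC that was never properly demoted) is still registered, shows the last backup and the replication summary, and only then performs the raise with a confirmation prompt.

```powershell
# Added example (not from the original article): pre-flight checks and the
# actual raise of the Domain Functional Level with the ActiveDirectory module.
# Assumptions: domain testenv.local (the article's scenario), target level
# Windows Server 2008 R2, and repadmin.exe available on the machine running this.
Import-Module ActiveDirectory

$DomainName = 'testenv.local'         # assumption: the scenario's forest root domain
$TargetMode = 'Windows2008R2Domain'   # value of the ADDomainMode enumeration

# Oldest Windows version (major.minor of OperatingSystemVersion) that can still
# act as a DC at each target level. Hashtable built for this example.
$MinimumOsVersion = @{
    'Windows2003Domain'   = [version]'5.2'
    'Windows2008Domain'   = [version]'6.0'
    'Windows2008R2Domain' = [version]'6.1'
    'Windows2012Domain'   = [version]'6.2'
    'Windows2012R2Domain' = [version]'6.3'
    'Windows2016Domain'   = [version]'10.0'
}

$domain = Get-ADDomain -Identity $DomainName
$pdc    = $domain.PDCEmulator   # the new level is written on the PDC emulator

# 1. Current level. DomainMode is the friendly name; msDS-Behavior-Version is the
#    raw attribute (0 = 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, 4 = 2008 R2,
#    5 = 2012, 6 = 2012 R2). At level 0, ntMixedDomain=1 means mixed, 0 means native.
$raw = Get-ADObject -Identity $domain.DistinguishedName -Server $pdc `
                    -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
'Current DFL: {0} (msDS-Behavior-Version={1}, ntMixedDomain={2})' -f `
    $domain.DomainMode, $raw.'msDS-Behavior-Version', $raw.'ntMixedDomain'

# 2. Every DC still registered in the domain must run an OS that supports the
#    target level. A decommissioned DC whose object was never cleaned up shows up
#    here too and blocks the raise exactly like a live one would.
$minimum  = $MinimumOsVersion[$TargetMode]
$blocking = foreach ($dc in Get-ADDomainController -Filter * -Server $pdc) {
    # OperatingSystemVersion looks like "6.1 (7601)"; keep only major.minor.
    if ($dc.OperatingSystemVersion -match '^(\d+\.\d+)') {
        $ver = [version]$Matches[1]
    } else {
        $ver = [version]'0.0'   # unknown or missing OS info: treat as blocking
    }
    if ($ver -lt $minimum) { $dc }
}
if ($blocking) {
    $blocking | Format-Table HostName, OperatingSystem, OperatingSystemVersion -AutoSize
    throw "Domain controllers above are too old for $TargetMode. Demote them, or clean up their metadata, before raising the level."
}

# 3. There is no rollback from the console, so confirm a recent system state
#    backup exists, and that replication is healthy so the change reaches every DC.
'Last backup recorded per naming context on the PDC emulator:'
repadmin /showbackup $pdc
'Replication summary (any failures here are a reason to stop):'
repadmin /replsummary $pdc

# 4. Raise the level. -Confirm forces a prompt, mirroring the console's dialog.
Set-ADDomainMode -Identity $domain -DomainMode $TargetMode -Server $pdc -Confirm

# 5. Verify on the PDC emulator; other DCs show the new level once replication catches up.
'DFL after the raise: {0}' -f (Get-ADDomain -Identity $DomainName -Server $pdc).DomainMode
```

The OS-version check is the part worth keeping even if you raise the level from the console: the consoles only tell you the raise failed, not which DC object caused it. If you ever need the partial rollback mentioned in the introduction, it is the same Set-ADDomainMode call with the lower mode, and it succeeds only while the Forest Functional Level and the Recycle Bin state allow it.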


Author: Krzysztof Pytko

[1] http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28WS.10%29.aspx
