Windows Server 2008 Active Directory uses a concept called domain and forest functionality. The functional level that you choose during the Active Directory installation determines which features your domain can use and, in turn, which operating systems its domain controllers may run. Windows Server 2003 and 2008 include additional forest functionality compared to Windows 2000. Forest functionality applies to all of the domains in a forest.
1. About the Domain Functional Level
Windows Server 2008 supports the following domain functional levels:
Windows 2000 Native
Windows Server 2003
Windows Server 2008
The Windows 2000 Mixed level, which allowed Windows NT 4 backup domain controllers to remain in the domain, is not available: a domain must already be at Windows 2000 Native before its first Windows Server 2008 domain controller can be installed.
Which functional level you can use depends on the operating systems of the domain controllers you have installed on your network. This is an important fact to remember: only domain controllers count. You can keep Windows NT 4, Windows 2000 Server, and Windows Server 2003 member servers in a domain at the Windows Server 2008 functional level, as long as all domain controllers are running Windows Server 2008.
When you install the first domain controller in a new Windows Server 2008 forest, the domain functional level is set by default to Windows 2000 Native. Windows 2000 Native is the default because once a domain functional level has been raised, it cannot be lowered again; the conservative default leaves room to add Windows 2000 or Windows Server 2003 domain controllers later. Raise the level deliberately, after confirming that every domain controller, including any you still plan to add, runs the required version.
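As an added example (not part of the original text), the following PowerShell script inventories the domain controllers of the current domain, reports the current domain functional level, and raises it to Windows Server 2008 only when every domain controller already runs Windows Server 2008 or later. It uses the .NET System.DirectoryServices.ActiveDirectory classes, which Windows PowerShell loads on its own, so it needs no later add-on module; the DomainMode value Windows2008Domain assumes .NET Framework 3.5 or later on the machine where it runs, and the -Raise switch is our own addition.

```powershell
# Added example, not from the original text: inventory the domain controllers
# of the current domain and raise the domain functional level to Windows
# Server 2008 only when every DC already runs Windows Server 2008 (or later).
# Assumes .NET Framework 3.5 or later (for DomainMode.Windows2008Domain) and
# Domain Admins rights when -Raise is used. The -Raise switch is our own.
param([switch]$Raise)

$target = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Domain {0}: current domain functional level {1}" -f $domain.Name, $domain.DomainMode

# Only domain controllers matter. NT 4, 2000 and 2003 *member* servers do not
# constrain the functional level, so they are deliberately not inventoried.
$downlevel = @()
foreach ($dc in $domain.DomainControllers) {
    "  {0,-35} {1,-35} site {2}" -f $dc.Name, $dc.OSVersion, $dc.SiteName
    # OSVersion is the operatingSystem string of the DC's computer object,
    # e.g. "Windows Server 2008 Enterprise". Windows Server 2008 R2 also matches.
    if ($dc.OSVersion -notlike 'Windows Server 2008*') { $downlevel += $dc.Name }
}

if ($downlevel.Count -gt 0) {
    Write-Warning ('Cannot raise: downlevel domain controllers remain: ' + [string]::Join(', ', $downlevel))
    return
}
if ([int]$domain.DomainMode -ge [int]$target) {
    'Domain is already at Windows Server 2008 or later; nothing to do.'
    return
}
if (-not $Raise) {
    'Every DC runs Windows Server 2008. Re-run with -Raise to raise the level.'
    return
}

# One-way operation on Windows Server 2008: there is no supported way back to
# Windows 2000 Native or Windows Server 2003 once this succeeds.
$domain.RaiseDomainFunctionality($target)

# Verify against the attribute the GUI tools also read. On the domain naming
# context, msDS-Behavior-Version is 0 for Windows 2000 (mixed or native),
# 2 for Windows Server 2003 and 3 for Windows Server 2008.
$nc = $domain.GetDirectoryEntry()
$nc.RefreshCache()
'msDS-Behavior-Version is now {0}' -f $nc.Properties['msDS-Behavior-Version'].Value
```

Run it once without -Raise to see the inventory; the script refuses to raise while any domain controller reports an older operating system, which is exactly the condition the text describes.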
Table 1 shows the features available at the Windows 2000 Native, Windows Server 2003, and Windows Server 2008 domain functional levels.
Table 1. Comparing Domain Functional Levels
| Domain Functional Feature | Windows 2000 Native | Windows Server 2003 | Windows Server 2008 |
|---|---|---|---|
| Fine-grained password policies | Disabled | Disabled | Enabled |
| Read-only domain controller (RODC) | Disabled | Enabled | Enabled |
| Last interactive logon information | Disabled | Disabled | Enabled |
| Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol | Disabled | Disabled | Enabled |
| Distributed File System replication support for SYSVOL | Disabled | Disabled | Enabled |
| Ability to redirect the Users and Computers containers | Disabled | Enabled | Enabled |
| Ability to rename domain controllers | Disabled | Enabled | Enabled |
| Logon timestamp (lastLogonTimestamp) updates | Disabled | Enabled | Enabled |
| Kerberos KDC key version numbers | Disabled | Enabled | Enabled |
| InetOrgPerson objects can have passwords | Disabled | Enabled | Enabled |
| Conversion of NT groups to domain local and global groups | Enabled | Enabled | Enabled |
| SID history | Enabled | Enabled | Enabled |
| Group nesting | Enabled | Enabled | Enabled |
| Universal groups | Enabled | Enabled | Enabled |
2. About Forest Functionality
Forest functionality applies to all of the domains in a forest. There are three levels of forest functionality in Windows Server 2008: Windows 2000, Windows Server 2003, and Windows Server 2008. Every domain in the forest must be at the Windows Server 2008 domain functional level before the forest functional level can be raised to Windows Server 2008, and, like a domain level, a forest level cannot be lowered once raised. The Windows Server 2003 and Windows Server 2008 forest functional levels provide the same forest-wide features; raising the forest to Windows Server 2008 adds no new feature, but it guarantees that no domain controller older than Windows Server 2008 can be introduced anywhere in the forest. Some of the features available from the Windows Server 2003 level onward are described in the following list:
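As an added example (not part of the original text), this PowerShell script applies the prerequisite just stated: it lists the functional level of every domain in the forest and raises the forest functional level to Windows Server 2008 only when each domain already qualifies. It uses the .NET System.DirectoryServices.ActiveDirectory classes; the ForestMode value Windows2008Forest assumes .NET Framework 3.5 or later, and the -Raise switch is our own addition.

```powershell
# Added example, not from the original text: check that every domain in the
# forest is at the Windows Server 2008 domain functional level, then raise the
# forest functional level. Assumes .NET Framework 3.5 or later and Enterprise
# Admins rights when -Raise is used; the -Raise switch is our own.
param([switch]$Raise)

$wantDomain = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain
$wantForest = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2008Forest
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest {0}: current forest functional level {1}" -f $forest.Name, $forest.ForestMode

# Forest functionality applies to every domain, so every domain must qualify.
$behind = @()
foreach ($d in $forest.Domains) {
    "  {0,-35} domain functional level {1}" -f $d.Name, $d.DomainMode
    # Enum values rise with the level, so "-lt" also accepts later levels.
    if ([int]$d.DomainMode -lt [int]$wantDomain) { $behind += $d.Name }
}

if ($behind.Count -gt 0) {
    Write-Warning ('Raise these domains to Windows Server 2008 first: ' + [string]::Join(', ', $behind))
    return
}
if ([int]$forest.ForestMode -ge [int]$wantForest) {
    'Forest is already at Windows Server 2008 or later; nothing to do.'
    return
}
if (-not $Raise) {
    'All domains qualify. Re-run with -Raise (as an Enterprise Admin) to raise the forest level.'
    return
}

# One-way operation. The new level is written to the Partitions container of
# the configuration partition and replicates to every domain controller.
$forest.RaiseForestFunctionality($wantForest)

# Verify: on CN=Partitions,CN=Configuration,... msDS-Behavior-Version is
# 0 for Windows 2000, 2 for Windows Server 2003 and 3 for Windows Server 2008.
$rootDse = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$partitions = [ADSI]('LDAP://CN=Partitions,' + $configNc)
'Partitions msDS-Behavior-Version is now {0}' -f $partitions.Properties['msDS-Behavior-Version'].Value
```

The domain check and the forest check are kept separate on purpose: the domain level is raised by a Domain Admin of each domain, while the forest level is an Enterprise Admin operation that only makes sense after all of those have completed and replicated.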
Global Catalog replication enhancements
When an administrator adds an attribute to the partial attribute set of the Global Catalog, only that attribute is replicated to the other global catalog servers in the forest; at the Windows 2000 forest level the entire Global Catalog was resynchronized instead. This can significantly reduce the amount of network traffic generated by replication.
Defunct schema classes and attributes
You can never permanently remove classes and attributes from the Active Directory schema, but you can mark them as defunct so that they cannot be used. With Windows Server 2003 and 2008 forest functionality, you can also redefine a defunct schema attribute or class so that its identifiers occupy a new role in the schema.
Forest trusts
Previously, system administrators had no easy way of granting permission on resources in different forests. Windows Server 2003 and 2008 resolve some of these difficulties by allowing trust relationships between separate Active Directory forests. Forest trusts act much like domain trusts, except that they extend to every domain in the two forests. A forest trust is transitive between the two forests it joins, so any domain in one forest can authenticate users from any domain in the other, but it is not transitive beyond them: if forest A trusts forest B and forest B trusts forest C, forest A does not thereby trust forest C. Forest trusts can be one-way or two-way, and SID filtering is enabled on them by default so that SID history carried by accounts from the other forest is not honored.
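As an added example (not part of the original text), this PowerShell script enumerates the forest trusts of the current forest and shows, for each one, its direction, the domains of the other forest that the trust reaches (the scope the text describes) and the two security settings a practitioner should verify on every forest trust: SID filtering and selective authentication. It uses the .NET System.DirectoryServices.ActiveDirectory classes; reading the trust objects normally needs no special rights.

```powershell
# Added example, not from the original text: enumerate the forest trusts of
# the current forest and show, for each, its direction, the domains of the
# other forest it covers, and two settings worth checking on every forest
# trust: SID filtering and selective authentication. Uses the .NET
# System.DirectoryServices.ActiveDirectory classes.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$trusts = $forest.GetAllTrustRelationships()
if ($trusts.Count -eq 0) {
    'Forest {0} has no forest trusts.' -f $forest.Name
    return
}

foreach ($t in $trusts) {
    '{0} -> {1}: type {2}, direction {3}' -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection

    # Only forest-level trusts carry the per-domain information and the
    # filtering settings below; the type test keeps the script safe if the
    # collection ever contains another kind of trust.
    if ($t -isnot [System.DirectoryServices.ActiveDirectory.ForestTrustRelationshipInformation]) { continue }

    # A forest trust is transitive between the two forests: each domain of the
    # other forest listed here is reachable through it. It stops there; domains
    # of any third forest trusted by the other side are not.
    foreach ($dom in $t.TrustedDomainInformation) {
        '    covers {0} ({1}), status {2}' -f $dom.DnsName, $dom.NetBiosName, $dom.Status
    }

    # SID filtering is on by default for forest trusts; with it off, SIDs in the
    # sIDHistory of accounts from the other forest are honored here, so whoever
    # administers that forest can grant themselves rights in this one. Selective
    # authentication restricts which resources the other forest's users may
    # authenticate to at all.
    $sidFiltering = $forest.GetSidFilteringStatus($t.TargetName)
    $selectiveAuth = $forest.GetSelectiveAuthenticationStatus($t.TargetName)
    '    SID filtering: {0}   selective authentication: {1}' -f $sidFiltering, $selectiveAuth
    if (-not $sidFiltering) {
        Write-Warning ('SID filtering is disabled on the trust with ' + $t.TargetName)
    }
}
```

A trust that reports SID filtering as False deserves a ticket, not a shrug: the setting is normally only switched off during a migration that relies on SID history, and it should be switched back on when that migration ends.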
Linked value replication
Windows Server 2003 and 2008 use a concept called linked value replication. Before it, a change to a multivalued attribute such as the member attribute of a group replicated the entire attribute, that is, the full membership list. With linked value replication, only the individual value that changed (the one member added or removed) is replicated, not the entire group. This significantly reduces network traffic associated with replication, and it also avoids the lost-update problem in which two administrators changing the same group on different domain controllers within one replication interval overwrote each other's changes.
Renaming domains
Although the Active Directory domain structure was originally designed to be flexible, there were several limitations. Due to mergers, acquisitions, corporate reorganizations, and other business changes, you may need to rename domains. In Windows Server 2003 and 2008, you can change the DNS and NetBIOS names for any domain, as well as reposition a domain within a forest. Note that this operation is not as simple as just issuing a rename command. Instead, there is a specific procedure, carried out with the rendom tool, that you must follow to make sure that the operation succeeds on every domain controller in the forest. When you follow that procedure properly, Microsoft supports domain renaming.
Other features
Windows Server 2003 and 2008 support the following features:
Improved replication algorithms and dynamic auxiliary classes are designed to increase performance, scalability, and reliability.
Active Directory Federation Services (AD FS, originally code-named TrustBridge) handles federated identity management. Federated identity management is a standards-based process that enables distributed identification, authentication, and authorization across organizational and platform boundaries. The AD FS role in Windows Server 2003 R2 and Windows Server 2008 helps administrators address these challenges by enabling organizations to securely share a user's identity information with partner organizations without duplicating accounts in each one.
Active Directory Application Mode (ADAM) was introduced by Microsoft with Windows Server 2003 for organizations that require flexible support for directory-enabled applications; in Windows Server 2008 it ships as a server role named Active Directory Lightweight Directory Services (AD LDS). ADAM/AD LDS is an LDAP directory service that runs as a stand-alone service without the domain and forest infrastructure of Active Directory Domain Services, so an application can have its own directory, with its own schema, without forcing schema changes onto the production forest or adding domain controllers.