Win Server 2008 Directory Services, Functional Levels Overview

by Marcin Policht

The directory services infrastructure is a key component of Windows Server 2008. We kick off our newest series with an overview of its capabilities.

Following the recent release of Windows Vista, Microsoft is about to introduce its server counterpart. Built on the same code base as its predecessor, Windows Server 2008 incorporates a variety of features with which Vista users are already familiar, including its well-publicized security, networking and local manageability improvements. On the other hand, there are clearly areas where their commonality is minimal, simply due to their distinct purposes as the server and client operating systems. Besides obvious visual differences, one of the more prominent examples in this category is their role in a Windows-based directory services infrastructure. Exploring this subject is the main purpose of our new series of articles.

However, before we start looking into the specific details of Windows Server 2008, we examine the major changes in functionality of Windows domains and forests since the introduction of Active Directory, analyzing them in the context of domain and forest functional levels.

Functional levels constitute an extension of the concept of mixed and native mode domains, which made their debut in Windows 2000 Server-based Active Directory. Their goal was to set rules and boundaries governing the transition from legacy domains (utilizing Windows NT 4.0 Servers) to the new operating system platform, whose completion had a direct impact on the availability of new or improved directory services functionality. Mixed mode allowed for a combination of Windows NT 4.0 and 2000 Server-based domain controllers. It typically resulted from a direct upgrade of the PDC in an existing domain. Its main drawback (in addition to the potential risk associated with an in-place upgrade) was the lack of features that depended on all controllers in the domain running Windows 2000 Server. To change this, you had to eliminate any existing legacy BDCs and switch to native mode.

Alternatively, you could set up a brand new native mode domain by promoting a Windows 2000 Server to its first domain controller and migrating all relevant user, computer and group accounts from the old domain. In return, you gained full access to the following perks:

  • Enhanced security group model, allowing for a new group type (universal), group nesting, which makes it possible to add domain groups — both domain global and domain local types — to other groups of the same type, and extending the visibility scope of domain local groups to all member servers in the same domain. Group types can be changed dynamically, as long as the conversion does not violate their inherent characteristics (e.g., by resulting in a universal group containing domain local groups).
  • Availability of the sIDHistory attribute for security principals (users, computers and groups), which preserves permissions to Access Control List-secured resources following account migration from other domains. The attribute stores the primary SID of a migrated account in its source domain.
  • Full Remote Access Services capabilities, including remote access group policies with such features as assigning static IP addresses and routes to users. This is reflected by the fact that some of the user dial-in options, such as "Control access through remote access policy", "Verify caller ID", "Assign a static IP Address", "Apply static routes" or "Static routes", do not appear in the account Properties dialog box of the Active Directory Users and Computers console when operating in mixed mode. In addition, in native mode in a multi-domain environment, a RAS server can validate the credentials of dial-in users using transitive Kerberos authentication.
  • Multi-master domain topology, instead of the legacy single-master model, in which the Primary Domain Controller was the only one capable of making changes to domain objects and replicating them unidirectionally to Backup Domain Controllers. Note that multi-master replication is available in mixed mode, but limited strictly to Windows 2000 Server-based domain controllers.
  • Authentication via Kerberos, rather than the less secure and less efficient NTLM protocol, across the entire domain. This is contingent on clients and servers being Kerberos-aware.

Following promotion of the first Windows 2000 Server to domain controller, the resulting domain mode was automatically set to mixed. The actual switch from mixed to native mode is deceptively simple to implement, with a couple of clicks in the domain Properties dialog box of Active Directory Users and Computers. Typically, however, it is preceded by lengthy, painstaking preparations, including consolidating domains and migrating their accounts, and it has significant and irreversible implications: at that point you can no longer install any legacy domain controllers or switch back to mixed mode.

The same one-way conversion principle has been incorporated into subsequent Windows server releases, with each bringing further improvements to Active Directory capabilities. The functionality present in earlier versions is automatically included in their successors. However, since the scope of changes in some cases extends beyond individual domains to an entire forest, which in turn requires that all domain controllers in the forest run specific versions of the operating system, Microsoft altered its original convention and came up with a new categorization of "functional levels" carrying the designation of either "domain" or "forest."

Depending on business and infrastructure requirements, risk tolerance and other environmental specifics, the process of reaching the next functional level can be implemented using a per-domain or per-forest approach (or a combination of the two). In the case of the former, the functional levels of individual domains are raised first, followed by the forest level switch; the latter reverses this order, while guaranteeing that any new domain added to the forest is automatically assigned a matching functional level.

Regardless of which path you take, you must ensure that all of the respective prerequisites, such as permitted domain controller operating system versions or domain functional levels, are met. For example, it is not possible to raise the forest functional level to Windows Server 2003 as long as you have any Windows Server 2003 Interim level domains. These prerequisites include extending the Active Directory schema to introduce the new classes and attributes associated with the new operating system platform. At the same time, it is important to realize that raising forest and domain functional levels does not have a direct impact on the OS version requirements of domain members, although it might require configuration or software updates to accommodate new functionality or address potential compatibility issues.

Functional Levels

Functional levels were introduced to organize all possible scenarios that could be implemented using Active Directory domains with Windows NT 4.0, 2000, and 2003 Server computers operating as their domain controllers. These scenarios have been arranged into the following categories:

Domain Functional Levels

  • Windows 2000 Mixed — Resulting from either adding a Windows Server 2003 domain controller to an existing mixed-mode domain or promoting a Windows Server 2003-based computer to the first domain controller in a new domain. Since, in this case, it is possible to have all three versions of the OS serve as domain controllers, its domain-wide benefits are limited (equivalent to those of Windows 2000 mixed mode). On the other hand, the mere presence of Windows Server 2003 domain controllers provides a variety of efficiency improvements that are independent of the functional level, such as new and enhanced Active Directory management utilities (including multi-select edit, drag and drop, and saved queries in Active Directory Users and Computers). There is also new functionality, although its availability is limited to Windows Server 2003-based domain controllers.

  • Windows 2000 Native — Resulting from either adding a Windows Server 2003 domain controller to an existing native-mode domain or raising the Windows 2000 mixed functional level up one notch. This arrangement gives you the extra benefits of native mode described earlier (in the context of Windows 2000 Server), with both Windows Server 2003 and 2000-based domain controllers allowed to coexist in the same domain.

  • Windows Server 2003 Interim — Closely tied to the Windows Server 2003 Interim forest functional level, since most often both of them are introduced together into Active Directory by upgrading a Windows NT 4.0 PDC to Windows Server 2003.

  • Windows Server 2003 — Provides access to domain-level features introduced in Windows Server 2003-based Active Directory that are not available with earlier versions of the operating system, which automatically eliminates the possibility of having Windows 2000 Server-based domain controllers present in the same domain. These features include support for application partitions, which are intended for custom directory-aware applications but share a number of characteristics with the standard Configuration, Schema and Domain naming context partitions (e.g., replication capabilities, DNS interaction and schema extensibility); redirection of newly created users and computers to an arbitrary AD container (with the redirusr and redircmp utilities); constrained delegation, which mitigates the risks associated with the full delegation implemented in Windows 2000-based Active Directory by restricting it to specific services on target servers; automatic replication of the lastLogonTimestamp attribute, whose older equivalent had to be queried separately on each domain controller; password support for inetOrgPerson class objects, facilitating integration with other LDAP directory services; selective authentication, limiting the ability of users in other trusted forests to access local domain resources; and the ability to rename domain controllers (by using the NETDOM utility, without the need for demotion) or to store Authorization Manager policies (controlling role-based access for Web applications) in Active Directory.

    For more information about this feature, refer to our earlier article.

Forest Functional Levels

  • Windows 2000 — Assigned when the first Windows Server 2003 computer is promoted to a domain controller in a new or existing Active Directory forest. While this step introduces a number of new features, a majority of them are limited strictly to domain controllers running this version of Windows. Among the more relevant ones are universal group caching (facilitating logons in cases where the GC server is in a remote site or temporarily unavailable), incremental synchronization of the Global Catalog (following changes to its partial attribute set), installation from media (using a System State backup of another Windows Server 2003-based domain controller in the same domain), the ability to reset the Directory Services Restore Mode password while online (without shutting down the operating system), reduced Active Directory database storage requirements (due to applying the Single Instance Store mechanism to its security descriptors), and account creation quotas (restricting the number of objects that an arbitrary security principal can create in a designated directory partition, which helps mitigate denial-of-service attacks). Since the intersite topology generator role is transferred to Windows Server 2003-based domain controllers, its efficiency and event logging are improved as well. Concurrent LDAP binds can be leveraged to minimize the performance impact of multiple Active Directory connections. The rapid Global Catalog demotion process significantly reduces the amount of time necessary to accomplish this task compared with Windows 2000 Server-based domains.

  • Windows Server 2003 Interim — As mentioned earlier, the most common way of reaching it is by upgrading a Windows NT 4.0 Server PDC to Windows Server 2003 (this unique option is presented by the Active Directory Installation Wizard) when creating the root domain in a new forest. Alternatively, when dealing with an existing Windows 2000 forest that includes a mix of Windows NT 4.0 BDCs and Windows Server 2003-based domain controllers, you can produce the same outcome by setting the value of the msDS-Behavior-Version attribute of the CN=Partitions,CN=Configuration,DC=forestname,DC=com Active Directory object to 1 (using, for example, the LDP or ADSI Edit utility). With the forest level set, each new domain added is automatically assigned the matching domain functional level. Keep in mind that this operation precludes the existence of any current or future Windows 2000 Server-based domain controllers in each of the domains of the forest, and forces you to maintain this status as long as you have any remaining Windows NT 4.0 BDCs. You will need to upgrade all of the individual domains operating at the Windows 2000 mixed or Windows Server 2003 Interim level to the Windows Server 2003 domain functional level before you can switch to the Windows Server 2003 forest functional level.

    On the other hand, your environment will benefit from improved handling (via the Linked Value Replication mechanism) of groups with more than 5,000 members. Due to the way group membership changes are applied in Windows 2000 Server-based domains, it is not recommended to exceed this limit when operating at the Windows 2000 mixed or native domain functional levels. This, in turn, eliminates the need for identifying and breaking such groups into smaller ones (with fewer than 5,000 members) and re-permissioning resources whose access is affected by this process. Another reason for choosing this level is the improved algorithm employed by the Intersite Topology Generator to define replication topology in complex, multi-site environments. Several new attributes have also been added to the global catalog (making them readily available forest-wide), which play a role in the management of forest trusts, Microsoft Message Queuing, printing and Digital Rights Management certificates.

  • Windows Server 2003 — Requires that all domains in the forest operate at the Windows 2000 native functional level or higher, and that all of their domain controllers run on the Windows Server 2003 platform. It also ensures that any new domain added to the forest is assigned a matching functional level. Among its main benefits are such features as cross-forest transitive trusts (encompassing all domains in both forests), domain rename capability (allowing forest restructuring), dynamic auxiliary AD schema classes (which can be dynamically linked to individual, arbitrarily selected objects of another class), deactivating and reactivating schema extensions (which encourages their reuse), conversion between user and inetOrgPerson objects as well as the ability to associate a SID with the latter (further integrating AD with other LDAP-based directory services), a significant reduction in the intrasite replication interval (down to 15 seconds, which translates into full site synchronization within one minute), and support for query-based Authorization Manager groups (with dynamically evaluated membership).
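The forest and domain functional levels discussed above, and the prerequisite check described earlier (no Windows 2000 mixed or Windows Server 2003 Interim domains may remain before the forest is raised to Windows Server 2003), can be verified directly against the attributes the article names. The PowerShell script below is an added example, not code from the article or from Microsoft. It reads msDS-Behavior-Version from CN=Partitions in the Configuration partition and from each domain head, uses ntMixedDomain to tell Windows 2000 mixed from native (the mixed/native split is not encoded in msDS-Behavior-Version), and lists the domains that would block the forest-level change. It is read-only and never writes the attribute. Assumptions: PowerShell 3.0 or later, a domain-joined machine, and an account with ordinary read access to the Configuration partition; the value-to-name table is limited to the levels the article covers plus Windows Server 2008.

```powershell
# Added example (not from the original article): inspect the functional
# levels of the current forest and its domains by reading
# msDS-Behavior-Version (and ntMixedDomain for the mixed/native split),
# then report which domains would block raising the forest to the
# Windows Server 2003 level. Read-only; it never modifies the directory.
# Requires PowerShell 3.0+ and a domain-joined machine; uses the [ADSI]
# accelerator and System.DirectoryServices, so no ActiveDirectory module.

# Documented msDS-Behavior-Version values. 0-2 are the levels covered in the
# article; 3 is Windows Server 2008 (the subject of the next article).
$LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 Interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
}

function Get-ForestFunctionalLevel {
    # The forest level is stored on CN=Partitions in the Configuration NC.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $configNc   = $rootDse.Properties['configurationNamingContext'].Value
    $partitions = [ADSI]"LDAP://CN=Partitions,$configNc"
    $version    = [int]$partitions.Properties['msDS-Behavior-Version'].Value
    [pscustomobject]@{
        Object  = "CN=Partitions,$configNc"
        Version = $version
        Level   = $LevelNames[$version]
    }
}

function Get-DomainFunctionalLevels {
    # Every domain in the forest has a crossRef under CN=Partitions whose
    # systemFlags has bit 0x2 set; its nCName is the DN of the domain head.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNc"
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    [void]$searcher.PropertiesToLoad.Add('nCName')

    foreach ($result in $searcher.FindAll()) {
        $domainDn = $result.Properties['ncname'][0]
        $domain   = [ADSI]"LDAP://$domainDn"
        $version  = [int]$domain.Properties['msDS-Behavior-Version'].Value
        $mixed    = [int]$domain.Properties['ntMixedDomain'].Value   # 1 = mixed, 0 = native

        # At version 0 the mixed/native distinction lives in ntMixedDomain.
        $level = $LevelNames[$version]
        if ($version -eq 0) {
            $level = if ($mixed -eq 1) { 'Windows 2000 Mixed' } else { 'Windows 2000 Native' }
        }
        [pscustomobject]@{
            Domain  = $domainDn
            Version = $version
            Mixed   = [bool]$mixed
            Level   = $level
        }
    }
}

function Test-ForestLevel2003Prerequisites {
    # Per the article, the Windows Server 2003 forest level requires every
    # domain to be at Windows 2000 Native or higher; Windows 2000 Mixed and
    # Windows Server 2003 Interim domains block the change.
    param([Parameter(Mandatory)] [object[]] $Domains)

    $blocking = @($Domains | Where-Object { $_.Mixed -or $_.Version -eq 1 })
    [pscustomobject]@{
        CanRaise = ($blocking.Count -eq 0)
        Blocking = @($blocking | ForEach-Object { "$($_.Domain) ($($_.Level))" })
    }
}

$forest  = Get-ForestFunctionalLevel
$domains = @(Get-DomainFunctionalLevels)

"Forest level : $($forest.Level) (msDS-Behavior-Version=$($forest.Version))"
$domains | Format-Table Domain, Level, Version, Mixed -AutoSize

if ($forest.Version -lt 2) {
    $check = Test-ForestLevel2003Prerequisites -Domains $domains
    if ($check.CanRaise) {
        'All domains meet the Windows Server 2003 forest-level prerequisite.'
    } else {
        'Domains that must be raised first:'
        $check.Blocking | ForEach-Object { "  $_" }
    }
}
```

Because the switch is one-way, a report like this belongs in the change record before anyone opens ADSI Edit or LDP to write msDS-Behavior-Version: it captures the starting state of every domain and confirms the prerequisite from the same attributes the raise operation itself reads.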

Since the improvements described above are cumulative, they also appear in the same (or further enhanced) form in Windows Server 2008-based domains. Keep in mind, however, that the functional level options changed with the introduction of Windows Server 2008. One of the significant modifications was eliminating Windows NT 4.0 Server BDCs from the list of acceptable participants, which effectively rendered the Windows 2000 mixed domain functional level obsolete. The next article will look into all possible scenarios in greater detail.

This article was originally published on Thursday Feb 14th 2008