
Upgrading Server 2008 R2 Active Directory forest functional levels

It's easy to forget that Active Directory has been around for 11 years. That's plenty of time for several generations of operating systems and domain controllers to have worked their way into enterprise domains, which means, in many cases, some streamlining is in order.

But when streamlining data centers, moving existing services over to virtualized instances and standardizing on Windows Server 2008 R2, it's easy to overlook the more important benefit of the exercise: the security features that only become available once the forest and domain functional levels are raised to match.

At the Windows Server 2008 R2 domain functional level, new features are enabled that improve the security of the network:

  • Authentication mechanism assurance. It's a strange name but a secure process: with this feature enabled, Active Directory keeps track of how a user authenticated to the network. When the logon is certificate-based (a smart card, for example), AD adds an administrator-defined group membership, keyed to the certificate's issuance policy, to the user's Kerberos authentication token; a password logon by the same user does not get that group. This is particularly useful where a federated identity management product, such as Active Directory Federation Services, is in place: administrators can set up authorization rules based on how a user logged on, for example, to allow access to a resource only when the user's smart card is physically present in the machine, rather than treating a username and password alone as sufficient. This is a useful feature for sensitive applications and resources that still need to be reached by external parties.
  • Automatic Service Principal Name (SPN) management. Services running under a Managed Service Account can update their own SPNs when the computer's name or DNS host name changes. Without it, a renamed host is left with stale SPNs, Kerberos authentication to the service fails, and clients quietly fall back to NTLM.
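To make authentication mechanism assurance do anything, an issuance policy has to be linked to a group. The following is an added example, not code from the original tip: it links a certificate issuance policy to a universal security group using the Active Directory PowerShell module, so that smart-card logons issued under that policy carry the group in the Kerberos token. The policy name, group name and container path are assumptions for illustration; the link only takes effect once the domain is at the Windows Server 2008 R2 functional level.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2) and an enterprise CA that has already
# created the issuance policy OID object under the Public Key Services container.
Import-Module ActiveDirectory

$PolicyName = 'High Assurance Smart Card'      # assumed issuance policy display name
$GroupName  = 'SmartCard-Authenticated-Users'  # assumed group name

$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

# The issuance policy lives in the Configuration partition as an
# msPKI-Enterprise-Oid object; msPKI-Cert-Template-OID holds the OID itself.
$policy = Get-ADObject -SearchBase $oidContainer -SearchScope OneLevel `
    -Filter { displayName -eq $PolicyName } `
    -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink
if (-not $policy) { throw "Issuance policy '$PolicyName' not found under $oidContainer" }

# AD refuses the link unless the target is a universal security group with
# no members: membership is granted by the logon method, never by hand.
$group = Get-ADGroup -Filter { Name -eq $GroupName } -Properties Members
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal `
        -GroupCategory Security -PassThru
} elseif ($group.GroupScope -ne 'Universal' -or $group.Members.Count -gt 0) {
    throw "Group '$GroupName' must be a universal security group with no members"
}

if ($policy.'msDS-OIDToGroupLink') {
    Write-Warning "Policy $($policy.'msPKI-Cert-Template-OID') is already linked to $($policy.'msDS-OIDToGroupLink')"
} else {
    # The link is the msDS-OIDToGroupLink attribute on the OID object.
    Set-ADObject -Identity $policy -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }
    "Linked issuance policy {0} ({1}) to {2}" -f $PolicyName,
        $policy.'msPKI-Cert-Template-OID', $group.DistinguishedName
}
```

Put the ACL or the AD FS claim rule on the linked group rather than on the user's normal groups: a user who logs on with a password is a member of everything else but not of this group, which is exactly the distinction the feature exists to make. Existing Kerberos tickets are unaffected until the user logs on again.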

You can raise a domain to this functional level only when every domain controller in that domain is running Windows Server 2008 R2 (or later). Any older domain controller, including one that is offline or forgotten, blocks the change, so inventory the DCs first.

Don't forget the forest for the trees (well, okay, the domains). At the forest level in Windows Server 2008 R2, you get a pretty significant improvement: the Active Directory Recycle Bin, which lets you restore deleted objects in their entirety, attributes and group memberships included, while AD Domain Services is running, instead of taking a DC offline for an authoritative restore from backup. Note that raising the forest level only makes the Recycle Bin available; it has to be enabled separately, and once enabled it cannot be turned off. Also, once the functional level of the forest is raised, all subsequent domains you create in that forest will start at the forest's functional level. This makes sense when you think about it, given that a domain cannot run at a level lower than its forest.

Raising the functional levels is, for practical purposes, a one-way street. The single exception introduced in Windows Server 2008 R2 is rolling a domain or forest back from Windows Server 2008 R2 to Windows Server 2008 (with Set-ADDomainMode or Set-ADForestMode), and even that is blocked once the Recycle Bin has been enabled. There is no graceful way to degrade the additional features provided at each raised level, so take a system-state backup of at least one domain controller before you raise anything.

To upgrade to Windows Server 2008 R2 domain functional level, follow these four steps:

  • Open Active Directory Domains and Trusts.
  • In the console tree, right-click the domain in question, and then click Raise Domain Functional Level from the pop-up context menu.
  • In Select an available domain functional level, choose the appropriate functional level.
  • Click Raise.

To upgrade to Windows Server 2008 R2 forest functional level, do the following:

  • Open Active Directory Domains and Trusts.
  • In the console tree, right-click the Active Directory Domains and Trusts node, and then click Raise Forest Functional Level from the pop-up context menu.
  • In Select an available forest functional level, choose the appropriate functional level.
  • Click Raise.
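The same procedure from PowerShell, with the readiness checks the GUI does not show you. This is an added example, not part of the original tip; the domain and forest names are assumptions, and the -WhatIf switches keep the script from changing anything until you remove them.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module and
# an account that is a member of Domain Admins (domain level) and Enterprise
# Admins (forest level and Recycle Bin). Names below are placeholders.
Import-Module ActiveDirectory

$DomainName = 'corp.example.com'   # assumed domain to raise
$ForestName = 'corp.example.com'   # assumed forest root

# 1. Every DC in the domain must run Windows Server 2008 R2 or later.
#    Older DCs, including stale ones nobody remembers, block the raise.
$dcs = Get-ADDomainController -Filter * -Server $DomainName
$dcs | Select-Object Name, Site, OperatingSystem | Format-Table -AutoSize
$blockers = $dcs | Where-Object {
    $_.OperatingSystem -notmatch 'Windows Server (2008 R2|201\d|202\d)'
}
if ($blockers) {
    $blockers | ForEach-Object {
        Write-Warning "DC $($_.Name) runs '$($_.OperatingSystem)'; upgrade or demote it first."
    }
    return
}

# 2. Record the current levels; this is the only record of the "before"
#    state you will have, since the change cannot be undone later.
$domain = Get-ADDomain -Identity $DomainName
$forest = Get-ADForest -Identity $ForestName
"Domain {0}: {1}; forest {2}: {3}" -f $domain.DNSRoot, $domain.DomainMode,
    $forest.Name, $forest.ForestMode

# 3. Raise the domain level. Target the PDC emulator so the change is made
#    where the GUI would make it. Drop -WhatIf once a backup exists.
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain `
    -Server $domain.PDCEmulator -Confirm:$false -WhatIf

# 4. The forest can only be raised once every domain in it is at least at
#    the target level; check this explicitly, the error is not self-explanatory.
$target  = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008R2Domain
$lagging = $forest.Domains | ForEach-Object { Get-ADDomain -Identity $_ } |
           Where-Object { [int]$_.DomainMode -lt $target }
if ($lagging) {
    $lagging | ForEach-Object { Write-Warning "Domain $($_.DNSRoot) is still at $($_.DomainMode)" }
    return
}

# 5. Raise the forest level on the domain naming master, then enable the
#    Recycle Bin, which raising the level does not do by itself. Enabling
#    the Recycle Bin is irreversible and removes the 2008 R2 -> 2008 rollback.
Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest `
    -Server $forest.DomainNamingMaster -Confirm:$false -WhatIf

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $ForestName `
    -Server $forest.DomainNamingMaster -Confirm:$false -WhatIf

# 6. Verify after replication has had time to converge.
(Get-ADDomain -Identity $DomainName).DomainMode
(Get-ADForest -Identity $ForestName).ForestMode
```

Run step 1 against every domain in the forest before touching the forest level, and allow replication to complete between the domain and forest changes; a DC that has not yet replicated the new domain level will make the forest raise fail with a message that blames the functional level rather than replication.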

ABOUT THE AUTHOR
Jonathan Hassell is president of The Sun Valley Group Inc. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at editor@searchcio-midmarket.com.

This was first published in July 2011
