
Upgrading Server 2008 R2 Active Directory forest functional levels

Some Active Directory deployments have been around for over a decade, so it's time for some streamlining. Find out how to best upgrade functional levels in Windows Server R2.

It's easy to forget that Active Directory has been around for 11 years. That's plenty of time for more than a few operating systems and controllers to have worked their way into enterprise domains, which means, in many cases, some streamlining is in order.

But when streamlining data centers, moving many existing services over to virtualized instances, and standardizing on Windows Server 2008 R2, it’s easy to overlook the more important benefits of operating at a high forest and domain functional level.

In Windows Server 2008 R2 at the domain level, interesting new features are enabled that improve the security of the network:

  • Authentication mechanism assurance. It’s a strange name but a secure process: With this feature enabled, Active Directory is able to keep track of how users authenticate to the network. This information is put into the user’s Kerberos authentication token. This is particularly useful in instances where a federated identity management product, such as Active Directory Federation Services, is in place.
    Administrators can set up authorization rules based on how a user logs on: for example, to allow these users access to a resource only when their smart cards are physically present in a machine, rather than accepting a username and password combination as sufficient authentication. This is a useful feature for sensitive applications and resources that still need to be accessed by external parties.
  • Automatic Service Principal Name (SPN) management. This feature makes it easier for services running on a machine-level account using a Managed Service Account to update their own credentials when the computer’s name or DNS information changes.

You can raise a domain to this functional level only if every domain controller in that domain is running Windows Server 2008 R2.

Don’t forget the forest for the trees (well, okay, the domains), however. At the forest level in Windows Server 2008 R2, you get a pretty significant improvement: the Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD Domain Services is running. Also, once the functional level of the forest is raised, all subsequent domains you create in that forest will be at the same functional level. This makes sense when you think about it, given that all levels have to be the same.

Raising the functional levels is a one-way street. Once a functional level has been raised it cannot be lowered again; there is no graceful way to back out the additional features each raised functional level provides.

To upgrade to Windows Server 2008 R2 domain functional level, follow these four steps:

  • Open Active Directory Domains and Trusts.
  • In the console tree, right-click the domain in question, and then click Raise Domain Functional Level from the pop-up context menu.
  • In Select an available domain functional level, choose the appropriate functional level.
  • Click Raise.

To upgrade to Windows Server 2008 R2 forest functional level, do the following:

  • Open Active Directory Domains and Trusts.
  • In the console tree, right-click the Active Directory Domains and Trusts node, and then click Raise Forest Functional Level from the pop-up context menu.
  • In Select an available forest functional level, choose the appropriate functional level.
  • Click Raise.
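The same two procedures, with the pre-flight check that every domain controller already runs Windows Server 2008 R2, can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the article; it assumes the module is installed and the account running it holds the Domain Admins and Enterprise Admins rights the raise requires.

```powershell
# Added example (not from the article): pre-flight check, then raise the
# domain and forest functional levels to Windows Server 2008 R2.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and
# an account with Domain Admins and Enterprise Admins membership.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest $($forest.Name) is at forest functional level: $($forest.ForestMode)"

# 1. Every DC in every domain must run Windows Server 2008 R2 before the
#    domain level can be raised; list any controller that does not.
$blockers = foreach ($domainName in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domainName |
        Where-Object { $_.OperatingSystem -notmatch '2008 R2' } |
        Select-Object Name, Domain, OperatingSystem
}

if ($blockers) {
    Write-Warning "These domain controllers block the upgrade; upgrade or demote them first:"
    $blockers | Format-Table -AutoSize
    return
}

# 2. Raising is one-way, so keep the confirmation prompt on each change.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Write-Host "Domain $domainName is at domain functional level: $($domain.DomainMode)"
    if ($domain.DomainMode -ne 'Windows2008R2Domain') {
        Set-ADDomainMode -Identity $domainName -DomainMode Windows2008R2Domain -Confirm
    }
}

# 3. Only once every domain is at 2008 R2 can the forest level follow;
#    this is the level that makes the Active Directory Recycle Bin available.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm
}
```

Raising the forest level only makes the Recycle Bin available; it is an optional feature that still has to be switched on separately (with Enable-ADOptionalFeature), and that step is itself irreversible.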

Jonathan Hassell is president of The Sun Valley Group Inc. He's an author, consultant and speaker in Charlotte, N.C. Hassell's books include RADIUS, Learning Windows Server 2003, Hardening Windows and, most recently, Windows Vista: Beyond the Manual. Contact him at [email protected].
