Forest and Domain Functional Levels in Windows Server 2K19, 2K16, 2K12, and 2K8
When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. When you deploy a new forest, you are prompted to set the forest functional level and then set the domain functional level. You can set the domain functional level to a value that is higher than the forest functional level, but you cannot set the domain functional level to a value that is lower than the forest functional level.
With Windows Server 2003 past end of life, any domain controller (DC) still running it must be replaced by one running Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, or 2019, and every Windows Server 2003 DC should be removed from the domain.
Windows Server 2019
There are no new forest or domain functional levels in this release. The minimum requirement to add a Windows Server 2019 domain controller is the Windows Server 2008 functional level, and the domain must already use DFS-R (not FRS) to replicate SYSVOL.
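The prerequisites above (no Windows Server 2003 DCs left, at least the Windows Server 2008 domain functional level, SYSVOL on DFS-R) can be checked with the ActiveDirectory module before a Windows Server 2019 DC is promoted or functional levels are raised. This is an added readiness-check script, not part of the original post; the target levels in the commented lines at the end are assumptions.

```powershell
# Added example: readiness check before adding a Windows Server 2019 DC or raising levels.
# Run on a DC or a host with RSAT (ActiveDirectory module and dfsrmig.exe available).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
Write-Host "Forest functional level: $($forest.ForestMode)"
Write-Host "Domain functional level: $($domain.DomainMode)"

# 1. Windows Server 2003 DCs must be demoted and removed before raising functional levels.
$oldDcs = Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*2003*' }
if ($oldDcs) {
    Write-Warning "Windows Server 2003 DCs still present: $($oldDcs.HostName -join ', ')"
}

# 2. A Windows Server 2019 DC needs at least the Windows Server 2008 domain functional level.
$tooLow = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ("$($domain.DomainMode)" -in $tooLow) {
    Write-Warning "Domain functional level $($domain.DomainMode) is below Windows Server 2008."
}

# 3. SYSVOL must be replicated by DFS-R, not FRS. dfsrmig reports the global state
#    'Eliminated' once the FRS-to-DFS-R migration has completed.
$state = (dfsrmig /getglobalstate) -join ' '
if ($state -notmatch 'Eliminated') {
    Write-Warning "SYSVOL is not fully migrated to DFS-R: $state"
}

# Raising levels is not easily reversed; raise the domain level first, because the domain
# level can never be lower than the forest level. Target levels below are assumptions,
# so confirm every DC supports them before uncommenting.
# Set-ADDomainMode -Identity $domain -DomainMode Windows2016Domain
# Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest
```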
Windows Server 2016
Supported Domain Controller Operating Systems:
- Windows Server 2019
- Windows Server 2016
Windows Server 2016 domain functional level features
All default Active Directory features, all features from the Windows Server 2012R2 domain functional level, plus the following features:
- DCs can support automatic rolling of the NTLM and other password-based secrets on a user account configured to require PKI authentication. This configuration is also known as "Smart card required for interactive logon"
- DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices.
- Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID.
Windows Server 2012R2
Supported Domain Controller Operating Systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
Windows Server 2012R2 forest functional level features
- All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.
Windows Server 2012R2 domain functional level features
- All default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following features:
- DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
- Authenticate with NTLM authentication
- Use DES or RC4 cipher suites in Kerberos pre-authentication
- Be delegated with unconstrained or constrained delegation
- Renew user tickets (TGTs) beyond the initial 4 hour lifetime
- Authentication Policies: new forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign on from and to apply access control conditions for authentication to services running as an account.
- Authentication Policy Silos: a new forest-based Active Directory object which can create a relationship between user, managed service, and computer accounts, used to classify accounts for authentication policies or for authentication isolation.
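The Authentication Policy and Authentication Policy Silo features listed above can be created with the ActiveDirectory module once the domain is at the Windows Server 2012 R2 level. This is an added example, not code from the original post; the silo, policy, and account names are placeholders, and the 240-minute TGT lifetime mirrors the 4-hour limit the Protected Users protections apply.

```powershell
# Added example: an enforced authentication policy and silo for administrative accounts.
# Names are placeholders; the policy limits the TGT to 4 hours and only allows the
# account to authenticate from devices that are members of the same silo.
Import-Module ActiveDirectory

$siloName   = 'Tier0-Admins'         # placeholder
$policyName = 'Tier0-Admin-Policy'   # placeholder
$adminUser  = 'adminuser'            # placeholder

# Preflight: authentication policies require the Windows Server 2012 R2 domain functional level.
$below2012R2 = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain',
                 'Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain')
$mode = (Get-ADDomain).DomainMode
if ("$mode" -in $below2012R2) {
    throw "Domain functional level $mode is below Windows Server 2012 R2; authentication policies are unsupported."
}

# SDDL condition: the authenticating device must carry the AuthenticationSilo claim for this silo.
$allowedFrom = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"

New-ADAuthenticationPolicy -Name $policyName `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom $allowedFrom `
    -Enforce

# The silo ties user, computer, and service accounts together under the policy.
New-ADAuthenticationPolicySilo -Name $siloName `
    -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName `
    -ServiceAuthenticationPolicy $policyName `
    -Enforce

# Membership is a two-step change: permit the account to join the silo, then assign it.
Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $adminUser
Set-ADAccountAuthenticationPolicySilo -Identity $adminUser -AuthenticationPolicySilo $siloName

# Verify the assignment and the policy the account now falls under.
Get-ADUser -Identity $adminUser -Properties AuthenticationPolicySilo, AuthenticationPolicy |
    Select-Object SamAccountName, AuthenticationPolicySilo, AuthenticationPolicy
```

Any computer the admin signs on from must also be granted and assigned to the silo the same way, or the allowed-from condition blocks the logon.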
Windows Server 2012
Supported Domain Controller Operating Systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
Windows Server 2012 forest functional level features
- All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
Windows Server 2012 domain functional level features
- All default Active Directory features, all features from the Windows Server 2008R2 domain functional level, plus the following features:
- The "KDC support for claims, compound authentication and Kerberos armoring" KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level.
Windows Server 2008R2
Supported Domain Controller Operating Systems:
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
Windows Server 2008R2 forest functional level features
- All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:
- Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.
Windows Server 2008R2 domain functional level features
- All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:
- Authentication mechanism assurance, which records the logon method used to authenticate a domain user (smart card or user name/password) inside that user's Kerberos token. When this feature is enabled in an environment with a federated identity management infrastructure such as Active Directory Federation Services (AD FS), a claims-aware application can extract that information from the token and base its authorization decisions on how the user logged on.