Windows NT, Windows 2000, Windows Server 2003 and Windows Server 2008 all provide Active Directory functions. However, domain controllers running different operating systems provide different service features, so a domain made up of domain controllers running different operating systems supports a different set of functions and services. This is called the functional level of the domain. In the same vein, a forest has a forest functional level.
Active Directory in Windows Server 2003 offers higher functional levels than Windows 2000 Active Directory, known as Windows Server 2003 interim mode and Windows Server 2003 mode. The entire forest can be raised to Windows Server 2003 mode only after all domain controllers have been upgraded to Windows Server 2003 mode. Raising the forest functional level must be done manually.
Two: Domain functional level
Activating domain features affects the entire domain, and only that domain. Windows Server 2008 supports five domain functional levels. The levels and the domain controllers each one supports are described below:
1: Windows 2000 mixed mode (default). The network can use any combination of Windows 2000 and Windows NT systems. Windows 2000 domain controllers and Windows NT 4.0 backup domain controllers can coexist seamlessly in the same domain. Windows Server 2003 domain controllers also support this mode. Activated features include local and global groups and global catalog support.
2: Windows 2000 native mode. All domain controllers in the domain can run Windows 2000 or Windows Server 2003. Activated features include group nesting, universal groups, SID history, and conversion between security groups and distribution groups.
3: Windows Server 2003 interim mode. Allows Windows Server 2003 domain controllers and Windows NT 4 domain controllers to be mixed, but not Windows 2000 domain controllers. The supported domain controllers are Windows Server 2003 and Windows NT 4. No domain-wide features are activated at this level. This mode is used only when Windows NT 4 domain controllers are being upgraded to Windows Server 2003 domain controllers.
4: Windows Server 2003 mode. All domain controllers in the domain can be Windows Server 2003 or Windows Server 2008 only. The supported features include:
The domain controller rename feature provided by Netdom.exe.
Logon timestamp updates. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
The ability to redirect the Users and Computers containers. By default, two well-known containers hold computer and user/group accounts: cn=Computers,<domain root> and cn=Users,<domain root>. This feature can be used to define new well-known locations for these accounts.
Authorization Manager is able to store its authorization policy in Active Directory Domain Services (AD DS).
Constrained delegation, so that applications can take full advantage of secure delegation of user credentials through the Kerberos authentication protocol. Delegation can be configured to allow only specific target services.
Selective authentication, which lets you specify the users and groups from a trusted forest that are allowed to authenticate to resource servers in the trusting forest.
5: Windows Server 2008 mode. Currently the highest domain functional level. It supports all features of the Windows Server 2003 domain functional level and adds the following:
Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and granular replication of SYSVOL contents.
Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol.
Last interactive logon information, which shows the time of the user's last successful interactive logon, the workstation it came from, and the number of failed logon attempts since the last logon.
Fine-grained password policies, which allow you to specify password and account lockout policies for users and global security groups in the domain.
Note: Windows Server 2008 supports all five domain functional levels currently available.
Three: Domain functional level assessment
1: Windows 2000 mixed level
This is most appropriate for businesses that have not completely eliminated Windows NT domain controllers, but I think NT should be hard to find now.
2: Windows 2000 native domain level
If you have migrated Active Directory from Windows NT to Windows 2000, this functional level is clearly the most appropriate. It is suitable only for environments upgraded from a Windows NT domain to Windows 2000.
3: Windows Server 2003 interim level
Intended for users who upgrade directly from Windows NT domain controllers to Windows Server 2003. However, this mode does not support Windows 2000.
4: Windows Server 2003 domain level
This is the best option if you want to raise the domain to the Windows Server 2003 functional level before you convert the forest. It requires all domain controllers in the domain to run Windows Server 2003 or Windows Server 2008.
5: Windows Server 2008 domain level
The current highest level; it requires all domain controllers to run Windows Server 2008.
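The supported-controller rules above, as an added example (not part of the original article): a short Python check that takes a domain controller inventory and returns the domain functional levels it permits, the DCs blocking a higher level, and the security features that stay out of reach. The OS keys, function names and sample inventory are constructed; Windows Server 2008 is also accepted at Windows 2000 native here, which the article's list does not mention.

```python
# Added example: which domain functional levels a DC inventory permits.
# OS keys ("NT4", "2000", "2003", "2008") and all names below are hypothetical.

# (level name, DC operating systems allowed at that level), lowest to highest.
# Transcribed from the level descriptions; "2008" under Windows 2000 native is
# an addition the article does not list.
LEVELS = [
    ("Windows 2000 mixed", {"NT4", "2000", "2003"}),
    ("Windows 2000 native", {"2000", "2003", "2008"}),
    ("Windows Server 2003 interim", {"NT4", "2003"}),
    ("Windows Server 2003", {"2003", "2008"}),
    ("Windows Server 2008", {"2008"}),
]

# Security-relevant features the article attaches to the two highest levels.
FEATURES = {
    "Windows Server 2003": ["constrained delegation", "selective authentication"],
    "Windows Server 2008": ["AES 128/256 for Kerberos", "fine-grained password policy"],
}

def permitted_levels(inventory):
    """Return the levels whose allowed-OS set covers every DC in the inventory."""
    present = set(inventory.values())
    known = set().union(*(allowed for _, allowed in LEVELS))
    if present - known:
        raise ValueError(f"unknown DC operating system: {sorted(present - known)}")
    return [name for name, allowed in LEVELS if present <= allowed]

def blockers(inventory, target):
    """Return the DCs that must be upgraded or demoted before raising to target."""
    allowed = dict(LEVELS)[target]
    return sorted(dc for dc, os_key in inventory.items() if os_key not in allowed)

def unreachable_features(inventory):
    """Return features gated behind levels this inventory cannot run at."""
    ok = permitted_levels(inventory)
    return [f for level, feats in FEATURES.items() if level not in ok for f in feats]

# Constructed inventory: DC name -> OS key.
SAMPLE = {"dc01": "2008", "dc02": "2003", "dc03": "2000"}

if __name__ == "__main__":
    print("permitted:", permitted_levels(SAMPLE))
    for level in FEATURES:
        print(level, "blocked by", blockers(SAMPLE, level))
    print("not available:", unreachable_features(SAMPLE))
```

For the sample inventory the single Windows 2000 controller holds the domain at Windows 2000 native, so constrained delegation, AES for Kerberos and fine-grained password policies all remain unavailable until it is upgraded or demoted.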
Four: The functional level of the forest
These fall mainly into three kinds:
1: Windows 2000
All default Active Directory features are supported.