(meaning “SID history”) attribute to determine the user's group memberships in the
original domain and maintain the user's access to resources in the original domain.
This level supports running Windows 2000 Server and later on domain controllers.
Windows Server 2003
This level supports all the features in the Windows 2000 native functional level. All domain controllers must be running Windows Server 2003 or later. Added features for this functional level include the following:
Domain controller renaming — The Netdom.exe command-line tool makes renaming a domain controller possible without undue latency. Using the System Properties dialog box to rename a domain controller doesn't update DNS and Active Directory replication parameters completely, which could cause client authentication problems. Netdom does perform these updates.
Logon timestamp replication — The lastLogonTimestamp user account attribute is updated with the time and date of a user's last logon. This attribute is replicated to all domain controllers in the domain.
Selective authentication — With this feature, an administrator can specify users and groups from a trusted forest who can authenticate to servers in a trusting forest.
Users and Computers container redirection — When creating users, groups, and computers with command-line tools that don't allow specifying a target OU (or if the location is omitted), these accounts are placed in the Users or Computers container. You can use the Redirusr (for users and groups) and Redircmp (for computers) commands to specify an alternate default location.
Additional features — This level includes constrained delegation, Authorization Manager policy support, and the userPassword attribute set as the effective password on inetOrgPerson and user objects. These features are beyond the scope of this topic, however.
Windows Server 2008
This functional level supports all features in the Windows Server 2003 functional level with several additions, described in the following list. All domain controllers must be running Windows Server 2008 or later.
Distributed File System (DFS) replication — DFS is used to replicate the contents of the Sysvol share, which provides a more robust replication process.
Fine-grained password policies — Fine-grained password policies, discussed in Chapter 7, enable administrators to assign different password and account lockout policies for users and groups.
Interactive logon information — Enabled through group policies, this option displays information about a user's most recent successful and unsuccessful logon attempts each time the user logs on. If you enable this policy in a domain with a functional level lower than Windows Server 2008, users who attempt to log on receive a warning message explaining that the information couldn't be retrieved, and the user will be unable to log on.
Advanced Encryption Standard (AES) support — AES 128 and AES 256 are supported encryption standards that can be used for Kerberos authentication to increase user logon security.
Activity 10-1: Verifying Current Functional Levels and Enabling Last Interactive Logon Information
If you aren't running at the Windows Server 2008 functional level, you must not proceed with this activity. In Step 2, you determine the forest and domain functional levels. If the domain isn't at the Windows Server 2008 functional level, you must raise it. You can't log on after you complete this activity if the domain functional level is not Windows Server 2008.
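As an added example (not part of the textbook's activity), the following PowerShell reports the forest and domain functional levels as Step 2 asks, and only enables the last-interactive-logon policy when the domain is at Windows Server 2008 or higher, since enabling it at a lower level locks users out. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the GPO name and user name are placeholders you supply.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-FunctionalLevels {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # ADDomainMode enum values increase with the level, so a numeric compare works
    $min2008 = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    [pscustomobject]@{
        Forest        = $forest.Name
        ForestMode    = $forest.ForestMode
        Domain        = $domain.DNSRoot
        DomainMode    = $domain.DomainMode
        IsAtLeast2008 = ([int]($domain.DomainMode) -ge $min2008)
    }
}

function Enable-LastInteractiveLogonInfo {
    param([Parameter(Mandatory)][string]$GpoName)   # hypothetical GPO name you supply
    $levels = Get-FunctionalLevels
    if (-not $levels.IsAtLeast2008) {
        # Below the 2008 level the attributes behind this feature are absent and
        # users would be refused logon, so stop here instead of applying the policy.
        throw "Domain $($levels.Domain) is at $($levels.DomainMode); raise it to Windows Server 2008 first."
    }
    # Registry value written by "Display information about previous logons during user logon"
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'DisplayLastLogonInfo' -Type DWord -Value 1 | Out-Null
}

# Once the policy is active, the 2008-level attributes hold what the logon screen shows
function Get-LastInteractiveLogon {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $attrs = 'msDS-LastSuccessfulInteractiveLogonTime',
             'msDS-LastFailedInteractiveLogonTime',
             'msDS-FailedInteractiveLogonCount'
    $u = Get-ADUser -Identity $SamAccountName -Properties $attrs
    $toDate = { param($ft) if ($ft) { [DateTime]::FromFileTime([long]$ft) } }
    [pscustomobject]@{
        User        = $u.SamAccountName
        LastSuccess = & $toDate $u.'msDS-LastSuccessfulInteractiveLogonTime'
        LastFailure = & $toDate $u.'msDS-LastFailedInteractiveLogonTime'
        FailedCount = $u.'msDS-FailedInteractiveLogonCount'
    }
}

Get-FunctionalLevels   # Step 2 of the activity: report forest and domain levels
```

Run Enable-LastInteractiveLogonInfo -GpoName '<your GPO>' only after Get-FunctionalLevels shows IsAtLeast2008 as True; the function refuses otherwise.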