Adaxes Web Interface Help

Domain and Forest Functionality

Domain and forest functionality allows domain- and forest-wide features to be enabled within your network. The set of available features depends on the domain and forest functional level. The maximum functional level is determined by the operating systems of the domain controllers in the domain or forest.

When the domain or forest functional level is raised, the additional features associated with that functional level become available in the network. For example, if a domain is set to the Windows 2000 native functional level, you can use features such as universal groups, group nesting, group conversion and security identifier history. When you raise the functional level of that domain to Windows Server 2003, you can use additional features: domain controller rename, update logon timestamp, user password on InetOrgPerson objects, etc.

Domain Functional Level

Seven domain functional levels are available: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

The following table shows domain functional levels, operating systems for domain controllers that are supported at each functional level, and additional features available for these functional levels.

Domain functional level: Windows 2000 mixed
Supported operating systems for domain controllers:
  • Windows NT 4.0
  • Windows 2000
  • Windows Server 2003 family
Additional features:
  • Universal group scope is enabled for distribution groups only
  • Group nesting is enabled for distribution groups only

Domain functional level: Windows 2000 native
Supported operating systems for domain controllers:
  • Windows 2000
  • Windows Server 2003 family
  • Windows Server 2008 family
Additional features:
  • Universal group scope is enabled for both distribution groups and security groups
  • Group nesting is enabled for both distribution groups and security groups
  • Group conversion (makes conversion between security groups and distribution groups possible)
  • Security identifier (SID) history

Domain functional level: Windows Server 2003 interim
Supported operating systems for domain controllers:
  • Windows NT 4.0
  • Windows Server 2003 family
  • Windows Server 2008 family
Additional features:
  All features from the Windows 2000 native domain functional level, but no additional features.

Domain functional level: Windows Server 2003
Supported operating systems for domain controllers:
  • Windows Server 2003 family
  • Windows Server 2008 family
  • Windows Server 2008 R2 family
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  All features from the Windows 2000 native domain functional level and the following features:
  • Domain controller rename tool
  • Different location option for user and computer accounts
  • Update logon timestamp
  • User password on InetOrgPerson object

Domain functional level: Windows Server 2008
Supported operating systems for domain controllers:
  • Windows Server 2008 family
  • Windows Server 2008 R2 family
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  All the features from the Windows Server 2003 domain functional level and the following features:
  • Distributed File System Replication support for SYSVOL
  • Advanced Encryption Standard (AES 128 and 256) support for the Kerberos protocol
  • Last Interactive Logon Information
  • Fine-grained password policies

Domain functional level: Windows Server 2008 R2
Supported operating systems for domain controllers:
  • Windows Server 2008 R2 family
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  All the features from the Windows Server 2008 domain functional level and the following feature:
  • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.

Domain functional level: Windows Server 2012
Supported operating systems for domain controllers:
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  The "KDC support for claims, compound authentication, and Kerberos armoring" KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level. For more information, see What's New in Kerberos Authentication.

Domain functional level: Windows Server 2012 R2
Supported operating systems for domain controllers:
  • Windows Server 2012 R2 family
Additional features:
  DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
  • Authenticate with NTLM authentication
  • Use DES or RC4 cipher suites in Kerberos pre-authentication
  • Be delegated with unconstrained or constrained delegation
  • Renew user tickets (TGTs) beyond the initial 4-hour lifetime
  New features:
  • Authentication Policies: new forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign on from and to apply access control conditions for authentication to services running as an account.
  • Authentication Policy Silos: a new forest-based Active Directory object which can create a relationship between user, managed service and computer accounts, used to classify accounts for authentication policies or for authentication isolation.

When the domain functional level is raised, domain controllers running earlier operating systems cannot be introduced into this domain. For example, if the domain functional level is Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to this domain.

Forest Functional Level

The forest functional level enables features for all domains of the forest. Six forest functional levels are available: Windows 2000, Windows Server 2003 interim, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

The following table shows forest functional levels, operating systems for domain controllers that are supported at each functional level, and additional features available for these functional levels.

Forest functional level: Windows 2000
Supported operating systems for domain controllers:
  • Windows NT 4.0
  • Windows 2000
  • Windows Server 2003 family
  • Windows Server 2008 family
Additional features:
  All default Active Directory features.

Forest functional level: Windows Server 2003 interim
Supported operating systems for domain controllers:
  • Windows NT 4.0
  • Windows Server 2003 family
  • Windows Server 2008 family
Additional features:
  All the features from the Windows 2000 forest functional level and the following features:
  • Linked-value replication
  • Improved Active Directory replication algorithms

Forest functional level: Windows Server 2003
Supported operating systems for domain controllers:
  • Windows Server 2003 family
  • Windows Server 2008 family
  • Windows Server 2008 R2 family
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  • Forest trust
  • Domain rename
  • Global catalog replication improvements
  • Defunct schema objects
  • The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008
  • Dynamic auxiliary classes
  • InetOrgPerson objectClass change

Forest functional level: Windows Server 2008
Supported operating systems for domain controllers:
  • Windows Server 2008 family
  • Windows Server 2008 R2 family
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  All the features from the Windows Server 2003 forest functional level, but no additional features.

Forest functional level: Windows Server 2008 R2 (default)
Supported operating systems for domain controllers:
  • Windows Server 2008 R2 family
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  All the features from the Windows Server 2003 interim forest functional level and the following feature:
  • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running

Forest functional level: Windows Server 2012
Supported operating systems for domain controllers:
  • Windows Server 2012 family
  • Windows Server 2012 R2 family
Additional features:
  All the features from the Windows Server 2008 R2 forest functional level, but no additional features.

Forest functional level: Windows Server 2012 R2
Supported operating systems for domain controllers:
  • Windows Server 2012 R2 family
Additional features:
  All the features from the Windows Server 2012 forest functional level, but no additional features.

When the forest functional level is raised, domain controllers running earlier operating systems cannot be introduced into this forest. For example, if the forest functional level is Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to this forest.

Raising the domain or forest functional level is an irreversible operation. Once the domain or forest functional level is raised, domain controllers running earlier operating systems cannot be added to the network. So, before raising functional levels, ensure that there is no need to add domain controllers running earlier operating systems to your network.
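As an added example (not part of the Adaxes help or product), the following PowerShell script performs the pre-raise check described above: it reads the current levels with Get-ADDomain and Get-ADForest and, using the operating-system-to-level mapping from the domain table, flags any domain controller whose OS cannot participate at a chosen target level. The `$TargetLevel` parameter and the mapping from `operatingSystemVersion` prefixes to levels are assumptions made for this example.

```powershell
# Added example, not from the Adaxes help page: report the current domain and
# forest functional levels and check whether every domain controller's OS can
# participate at a proposed target level before the (irreversible) raise.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
param([string]$TargetLevel = 'Windows2012R2Domain')   # ADDomainMode enum name
Import-Module ActiveDirectory

# Domain functional levels in ascending order (ADDomainMode names).
$Levels = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain',
            'Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain',
            'Windows2012R2Domain')

# Highest level each DC operating system supports, per the domain table, keyed by
# the "major.minor" prefix of the operatingSystemVersion attribute (e.g. "6.3 (9600)").
$MaxLevelByOs = @{
    '5.0' = 'Windows2000Domain'    # Windows 2000
    '5.2' = 'Windows2003Domain'    # Windows Server 2003 / 2003 R2
    '6.0' = 'Windows2008Domain'    # Windows Server 2008
    '6.1' = 'Windows2008R2Domain'  # Windows Server 2008 R2
    '6.2' = 'Windows2012Domain'    # Windows Server 2012
    '6.3' = 'Windows2012R2Domain'  # Windows Server 2012 R2
}

$domain = Get-ADDomain
$forest = Get-ADForest
'Domain {0}: functional level {1}' -f $domain.DNSRoot, $domain.DomainMode
'Forest {0}: functional level {1}' -f $forest.Name, $forest.ForestMode

$targetRank = [array]::IndexOf($Levels, $TargetLevel)
if ($targetRank -lt 0) { throw "Unknown target level '$TargetLevel'" }

# One row per DC; versions outside the table (e.g. newer than it covers) are
# reported as 'unknown' and flagged so they get a manual check rather than a guess.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $prefix   = ($dc.OperatingSystemVersion -split ' ')[0]
    $maxLevel = $MaxLevelByOs[$prefix]
    $maxRank  = if ($maxLevel) { [array]::IndexOf($Levels, $maxLevel) } else { -1 }
    [pscustomobject]@{
        HostName    = $dc.HostName
        OS          = $dc.OperatingSystem
        MaxLevel    = if ($maxLevel) { $maxLevel } else { 'unknown' }
        BlocksRaise = ($maxRank -lt $targetRank)
    }
}
$report | Format-Table -AutoSize

if ($report.BlocksRaise -contains $true) {
    Write-Warning "Some DCs cannot run at $TargetLevel; upgrade or demote them first."
} else {
    "All DCs support $TargetLevel. Raise with: Set-ADDomainMode -Identity $($domain.DNSRoot) -DomainMode $TargetLevel"
}
```

Run it as a domain administrator on a management host; the script only reads the directory and prints the Set-ADDomainMode command rather than executing it, so the irreversible step stays a deliberate, separate action.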