Forest Functional Levels

Like domain functional levels, the forest functional level determines which additional features in Active Directory will be available. In order to raise your forest functional level, every domain in the forest must already be at the corresponding domain functional level or higher. This video looks at the features that are available at each forest level and how to raise the forest level.

Raise forest functional level demo (17:45)

When looking at an existing network with multiple domains, you need to consider the possibility that these domains were originally put in place because of limitations in Active Directory. Previously, Active Directory could not support more than one password policy per domain, and even though the number was quite high, there were limits on how many users could be put into certain groups. Because of these limits, more domains may have been created than would be required nowadays. When raising your domain and forest functional levels, consider whether any domains can be combined. Doing so will reduce the complexity of your network and make it easier to support.

Forest Level
Listed below are all the different forest levels and the features that each forest level adds. Remember that to raise the functional level of your forest, all domains in that forest must be at that functional level or higher. In other words, the level to which you can raise the forest is determined by the domain in the forest with the lowest domain functional level.

Windows 2000 native
Basic Active Directory features

Windows Server 2003
Forest Trust: Allows a trust relationship between two forests. A forest trust allows resources to be shared between the forests.
Rename Domains: This allows you to change a domain name.
Link Value Replication: This means that only changes in group membership are replicated, rather than the whole membership attribute. Without link value replication, if a group is changed in two locations at the same time, the record with the newest time stamp is used, replacing all the other records, and thus the changes in those records are lost. Using link value replication also reduces the amount of data that is sent over the network during replication.
Improved Knowledge Consistency Checker (KCC): The KCC is responsible for creating replication links between sites. With this forest functional level the KCC has been improved, particularly working with large deployments.
Dynamic Auxiliary Class: Allows Active Directory objects to be created with an expiration time.
Convert INetOrgPerson to user: Allows an INetOrgPerson object to be converted to a user object and vice versa. The INetOrgPerson object is used when importing or exporting users between Active Directory and a third-party directory system. Being able to convert a user object in Active Directory to an INetOrgPerson object makes exporting and importing users with Active Directory a lot easier.
Windows Server 2008 RODC: This forest level is required if you want to start using Windows Server 2008 Read Only Domain Controllers in Active Directory.
Deactivation of attributes: Once an attribute has been added to the Active Directory schema, it can’t be deleted. Deactivation allows you to deactivate attributes in the schema that are no longer required.

Windows Server 2008
No new features are added to Active Directory with this forest functional level.

Windows Server 2008 R2
Active Directory Recycle Bin: Allows deleted objects in Active Directory to be restored.

Raising the Forest Functional Level
To raise a forest functional level, run Active Directory Domains and Trusts from Administrative Tools on the Start menu. Right-click the root of the tree and select Raise Forest Functional Level. From the dialog box, select the forest functional level that you want and press Raise. Remember that the process can’t be reversed once done, and there may be a delay while replication occurs before the change takes effect on every domain controller.
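The same pre-check and raise step scripted in PowerShell, as an added example that is not part of the video or article: it lists every domain's functional level, refuses to proceed if any domain is below the target, and previews the raise with -WhatIf because it cannot be undone. It assumes the ActiveDirectory RSAT module, an Enterprise Admins account, and a target of Windows Server 2008 R2; the $rank table is my own ordering of the domain modes.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT) and Enterprise Admins rights to actually raise the level.
Import-Module ActiveDirectory

# Target forest level for this example (assumption; change as needed).
$targetForestMode = 'Windows2008R2Forest'

# Ordering of domain modes so they can be compared against the target.
# Interim modes are left out; a domain in one will be reported as blocking.
$rank = @{
    'Windows2000Domain'   = 0
    'Windows2003Domain'   = 1
    'Windows2008Domain'   = 2
    'Windows2008R2Domain' = 3
}
# The forest level needs every domain at the matching domain level or higher.
$requiredDomainMode = $targetForestMode -replace 'Forest$', 'Domain'

$forest = Get-ADForest
Write-Host "Current forest mode: $($forest.ForestMode)"

# Collect each domain in the forest with its current domain functional level.
$domains = foreach ($name in $forest.Domains) { Get-ADDomain -Identity $name }
$domains | ForEach-Object {
    Write-Host ("  {0}: {1}" -f $_.DNSRoot, $_.DomainMode)
}

# The lowest domain level caps the forest level; find any domain below target.
$blocking = $domains |
    Where-Object { $rank[[string]$_.DomainMode] -lt $rank[$requiredDomainMode] } |
    Select-Object -ExpandProperty DNSRoot

if ($blocking) {
    Write-Warning ("Cannot raise to {0}; raise these domains to {1} first: {2}" -f
        $targetForestMode, $requiredDomainMode, ($blocking -join ', '))
    return
}

# Irreversible once applied: review the -WhatIf output, then remove -WhatIf.
# Allow time for replication before expecting every DC to show the new level.
Set-ADForestMode -Identity $forest -ForestMode $targetForestMode -WhatIf
```

After the raise, running Get-ADForest again from a different domain controller is a simple way to confirm the new level has replicated.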
