After a lot of work in upgrading our domain controllers, I have finally completed upgrading all of our DCs to Windows Server 2008 R2! Now that I have done so, I am ready to begin enjoying some of the benefits of having all 2008 R2 DCs. So, for me, the first step is to turn on Windows Server 2008 R2 Domain Functional Level. This is an easy process of going into Active Directory Domains and Trusts, selecting my domain and Raise Domain Functional Level.
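Raising the level from the console works fine; the same change can be scripted, with a check beforehand that no down-level DC is left in the domain. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) on a 2008 R2 box, a Domain Admin session, and a placeholder domain name of corp.example.com.

```powershell
# Added example (not from the original post): check every DC's OS before
# raising the Domain Functional Level, then raise it and verify.
# Assumes the ActiveDirectory module and a Domain Admin session;
# "corp.example.com" is a placeholder domain name.
Import-Module ActiveDirectory

$domain = Get-ADDomain -Identity 'corp.example.com'
"Current domain mode: $($domain.DomainMode)"

# The raise is refused if any DC runs an older OS, and lowering the level
# again is only possible in limited cases, so look before leaping.
$dcs = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
    Select-Object HostName, OperatingSystem, IsReadOnly
$dcs | Format-Table -AutoSize

$notReady = $dcs | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' }
if ($notReady) {
    Write-Warning 'These DCs are not on Windows Server 2008 R2; stop here:'
    $notReady | Format-Table -AutoSize
    return
}

# -Confirm prompts before the change is written to the directory.
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm

# Verify the new level (replicates to the other DCs on the next cycle).
(Get-ADDomain -Identity 'corp.example.com').DomainMode
```

The OS check is the important part: Active Directory Domains and Trusts performs the same validation, but seeing the list of DCs and their versions first avoids discovering a forgotten branch-office DC in the middle of a change window.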
What benefits do I get by upgrading my Domain Functional Level? Here are some of the highlights (note that I differentiate which benefit comes from the different Domain Functional Levels – DFL):
- DFS Replication for SYSVOL – Currently, my domain uses the older File Replication Service (FRS) to replicate SYSVOL between DCs. Microsoft has invested a lot of research in upgrading the Distributed File System, starting with 2003 R2 and newer operating systems. Now I can begin to take advantage of these new technologies, do bit-level replication of files, and hopefully never see a journal wrap error again! In a later blog article, I will detail the steps I go through to make this change (it takes about three major steps to complete). (DFL 2008)
- Access Based Enumeration on DFS File servers running Windows Server 2008 (DFL 2008)
- New encryption standards support for Kerberos (AES 128 and AES 256) (DFL 2008)
- Last Interactive Logon to display who last interactively logged on with your account and where. (DFL 2008)
- Fine-grained Password Policies – This is one of the things I have been looking forward to as part of this upgrade. We have, for a long time, required by policy that our administrative accounts must have passwords 15 characters in length. Unfortunately, there has been no way to enforce this. Now, I will be able to enforce this written policy with policy in AD by having a unique password policy for those specialized accounts. (DFL 2008)
- Personal Virtual Desktops – Not sure that we will be using this anytime soon. (DFL 2008)
- Authentication mechanism assurance – Allows you to know whether a user logged on with a smart card or user name/password. (DFL 2008 R2)
- Automatic SPN management for Managed Service Accounts (DFL 2008 R2)
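The fine-grained password policy item above is the one with the most immediate security payoff, so here is an added example of putting it in place (my own example, not the original post's content). It assumes DFL 2008 or higher, the ActiveDirectory module, and a placeholder global security group named Tier0-Admins that holds the administrative accounts; the PSO name is also a placeholder.

```powershell
# Added example (not from the original post): enforce a 15-character minimum
# on administrative accounts with a Fine-Grained Password Policy (PSO).
# Assumes the ActiveDirectory module and DFL 2008+; "Tier0-Admins" and the
# PSO name are placeholders.
Import-Module ActiveDirectory

# PSOs are silently ignored below Windows2008Domain, so refuse to continue there.
$mode = (Get-ADDomain).DomainMode
if ([int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain mode is $mode; PSOs require Windows2008Domain or higher."
}

$psoName = 'PSO-Admins-15char'
$group   = 'Tier0-Admins'

# Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Written policy: admin accounts need 15+ character passwords'

# PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Show what each member actually gets: the resultant PSO, or the default
# domain policy when no PSO applies.
$defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
    $eff = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
    [pscustomobject]@{
        User         = $_.SamAccountName
        EffectivePSO = if ($eff) { $eff.Name } else { '(Default Domain Policy)' }
        MinLength    = if ($eff) { $eff.MinPasswordLength } else { $defaultMin }
    }
} | Format-Table -AutoSize
```

The verification loop at the end is worth keeping as a recurring check: a PSO only binds to the group you name, so an admin account created outside that group quietly falls back to the default domain policy, and Get-ADUserResultantPasswordPolicy is the quickest way to catch that.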
Another thing that is not generally listed in this documentation is that you can now convert your DFS namespaces from Windows 2000 Server mode to Windows Server 2008 mode. A number of enhancements come with moving a namespace to 2008 mode, including better performance with a large number of targets (a 2000 namespace begins to see performance issues at over 3,000 targets).
As I begin to implement some of these various features in our domain, I will continue to blog about these changes and some of my experiences to implement them.
Resources:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx – Domain and Forest Functional Levels
http://technet.microsoft.com/en-us/library/cc753479(WS.10).aspx – Information about DFS changes in 2008