As Microsoft introduces new server OSes, there is usually the option to raise the Forest Functional Level as well as the Domain Functional Level once all domain controllers have been upgraded to the latest and greatest server OS. Raising the forest and domain functional level doesn't take away any functionality; it adds functionality. The latest domain and forest functionality is contained in the Windows Server 2008 R2 release. The order of events when upgrading is the following:
- Domain functional level has to be upgraded first
- Once all domains in the forest have been upgraded to the Windows Server 2008 R2 domain functional level, the forest functional level can then be upgraded to the latest and greatest, and not before then
So for instance, if you have 10 domains in your forest and 9 domains have been upgraded to Windows 2008 R2 domain functional level, you will not be able to upgrade the forest to the 2008 R2 until the final domain is upgraded as well.
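The ordering rule above can be checked and enforced from the Active Directory module for Windows PowerShell. The script below is an added example, not code from the original post: it lists the functional level of every domain in the forest, raises the forest only when every domain is already at the 2008 R2 level, and otherwise names the domains still holding it back. The forest name contoso.com is a placeholder, and it assumes Enterprise Admins rights on a Windows Server 2008 R2 domain controller (or RSAT) with the ActiveDirectory module available.

```powershell
# Added example (not from the original post). Enumerate each domain's mode,
# then raise the forest only once every domain is at Windows2008R2Domain.
# contoso.com is a placeholder forest name.
Import-Module ActiveDirectory

$forest = Get-ADForest -Identity 'contoso.com'

# Report each domain's current mode so you can see which ones still need work.
$domains = foreach ($name in $forest.Domains) {
    Get-ADDomain -Identity $name | Select-Object DNSRoot, DomainMode
}
$domains | Format-Table -AutoSize

# Any domain below the 2008 R2 level blocks the forest upgrade.
$lagging = $domains | Where-Object { $_.DomainMode -ne 'Windows2008R2Domain' }

if ($lagging) {
    Write-Warning "Forest cannot be raised yet; these domains are still below 2008 R2:"
    $lagging | ForEach-Object { Write-Warning "  $($_.DNSRoot) = $($_.DomainMode)" }
    # Raise a lagging domain only after confirming every DC in it runs 2008 R2:
    # Set-ADDomainMode -Identity $lagging[0].DNSRoot -DomainMode Windows2008R2Domain -Confirm:$true
}
elseif ($forest.ForestMode -ne 'Windows2008R2Forest') {
    # High-impact change; keep the confirmation prompt rather than suppressing it.
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008R2Forest -Confirm:$true
}
else {
    Write-Output "Forest $($forest.Name) is already at Windows2008R2Forest."
}
```

Run it first without the Set-ADForestMode branch reachable (for example on a forest where a domain is known to lag) to see the warning output; the forest-mode change itself should be done in a maintenance window after a verified system-state backup of at least one DC per domain.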
There is a really nice TechNet article on understanding the capabilities and functional differences between the different server levels, found here: https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx
Windows Server 2008 R2 Active Directory Features:
- New functional levels for the domain and forest
- A new interface for AD administration: Active Directory Administrative Center
- Active Directory module for Windows PowerShell and Windows PowerShell cmdlets
- Best Practices Analyzer for Active Directory
- Active Directory Recycle Bin
- Active Directory Web Services
- Managed Service Accounts
- Offline Domain Join
- Authentication Mechanism Assurance
- Active Directory Management Pack
Active Directory Recycle Bin
One disappointment for system admins and Active Directory admins is that one of the most anticipated features to come with Windows Server 2008 R2, the Active Directory Recycle Bin, will not be available until the forest functional level is at Windows Server 2008 R2. That may be a long road for some corporate environments and large Active Directory structures out there with many domains, each of which will have to be upgraded to the Windows Server 2008 R2 domain functional level before the entire forest can be upgraded.
Admins have always been able to retrieve deleted items via an authoritative restore, as long as you have a backup of Active Directory. Tombstone reanimation was available in some regards in 2003 and then in 2008. When an object is deleted, it is actually simply marked for deletion but is still in the Active Directory database. You can essentially go in with a tool such as ADSIEDIT and reanimate that user. The problem with this process is that Active Directory takes all the attributes and strips them from the user. So even when a user is reanimated, all of the attributes are gone from that user; an admin would have to know all the attributes and repopulate them. The SID would carry over but nothing else.
The Active Directory Recycle Bin builds on tombstone reanimation, without the downside. When it is turned on, it can restore not only the object but also the attributes that go along with that user. There are a couple of disadvantages with the Recycle Bin:
- Cannot recover anything deleted before the active directory recycle bin is turned on. You will see deleted objects in the recycle bin but it will not be able to recover them.
- It is built on PowerShell, so everything has to be done from PowerShell; however, there are some great GUI tools out there for the AD Recycle Bin feature. One of which is the Active Directory Recycle Bin PowerPack for PowerGUI: https://www.powergui.org/entry.jspa?externalID=2461&categoryID=46
Also, one thing to note about the Active Directory Recycle Bin is that once it is turned on, it cannot be turned off.
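The three points above (forest level prerequisite, nothing deleted beforehand is recoverable, and no way to turn it back off) can all be seen from the PowerShell side. The script below is an added example, not code from the original post or from Microsoft: it checks whether the Recycle Bin is already enabled, enables it only if the forest is at the 2008 R2 level, lists the deleted objects still in the database, and restores one user with its attributes intact. The forest name contoso.com and the user jsmith are placeholders.

```powershell
# Added example (not from the original post). Check, enable, and use the
# Active Directory Recycle Bin. contoso.com and jsmith are placeholders.
Import-Module ActiveDirectory

$forestName = 'contoso.com'
$forest     = Get-ADForest -Identity $forestName
$feature    = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin is already enabled in scope(s): $($feature.EnabledScopes -join ', ')"
}
elseif ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Write-Warning "Forest mode is $($forest.ForestMode); the Recycle Bin needs Windows2008R2Forest."
}
else {
    # Enabling is irreversible, which is why the cmdlet prompts before proceeding.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forestName
}

# List deleted objects still in the database. Objects deleted before the
# feature was enabled are plain tombstones and come back without attributes.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
                        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
$deleted | Select-Object Name, sAMAccountName, lastKnownParent, whenChanged | Format-Table -AutoSize

# Restore one user by its pre-deletion sAMAccountName. Without -TargetPath the
# object goes back under lastKnownParent, the OU it was deleted from.
$victim = $deleted | Where-Object { $_.sAMAccountName -eq 'jsmith' }
if ($victim) {
    Restore-ADObject -Identity $victim.ObjectGUID
    # Group memberships and other attributes survive, unlike tombstone reanimation.
    Get-ADUser -Identity 'jsmith' -Properties MemberOf | Select-Object Name, Enabled, MemberOf
}
```

The whenChanged column in the listing is the quickest way to tell which deletions predate the enable date: anything older than the day the feature was turned on will only reanimate as a bare object with its SID, exactly the pre-Recycle-Bin behaviour described above.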
Authentication Mechanism Assurance
This is a new feature that allows Windows Server 2008 R2 to track how a user logs on. When a user logs on via one method, such as a smart card, they may be granted access to different resources than when they log into a machine via another means.
The New Active Directory Administrative Center
The new interface for AD administration is built on the PowerShell platform. It could be considered a lighter or more user-friendly version of the long-standing AD tool Active Directory Users and Computers. It does offer some benefits, like being able to see all the details on one screen instead of having to filter through tabs of information in ADUC.
Best Practices Analyzer for Active Directory
Microsoft has provided a lot of Best Practices Analyzer utilities in the past, but they have now provided this same utility for Active Directory, which makes parsing through potential problems with Active Directory much easier. The wizard-driven interface is found within the Server Manager utility.
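The same scan can be driven from PowerShell, which is handy for scheduling it or diffing results across DCs. The script below is an added example, not code from the original post or from Microsoft: it runs the AD DS BPA model, keeps only Error and Warning findings, and saves them for comparison after remediation. It assumes the BestPractices module that ships with Windows Server 2008 R2 and uses the model ID Microsoft/Windows/DirectoryServices for AD DS; the output folder C:\BPA is a placeholder.

```powershell
# Added example (not from the original post). Run the AD DS Best Practices
# Analyzer without the Server Manager wizard and keep the actionable findings.
Import-Module BestPractices

$modelId = 'Microsoft/Windows/DirectoryServices'   # AD DS model shipped with 2008 R2
$outDir  = 'C:\BPA'                                 # placeholder output folder

# Run the scan on this domain controller (takes a minute or two).
Invoke-BpaModel -BestPracticesModelId $modelId | Out-Null

# Pull results and drop the compliant/informational noise.
$findings = Get-BpaResult -BestPracticesModelId $modelId |
    Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' } |
    Sort-Object Severity, Category

$findings | Select-Object Severity, Category, Title, Resolution | Format-List

# Keep a dated copy so the next scan can be compared against this one.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$findings | Export-Clixml -Path (Join-Path $outDir "ADDS-$(Get-Date -Format yyyyMMdd).xml")
```

Import-Clixml on two saved files and Compare-Object on their Title property gives a quick before/after view of which findings were actually cleared.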
Active Directory Web Services
Known as ADWS, this is a web service that connects to Active Directory domains running on the same Windows Server 2008 R2 box.
Domain Joining Offline
Using a set of command-line tools, an admin can now prestage a computer account, create a djoin file, copy it to the client (which must be a Windows Server 2008 R2 or Windows 7 client), run the djoin command on the client using the file created by the prestage process, and successfully join the domain offline. Once connectivity to the domain is established, all policies, etc. will be applied to the computer at that point.
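The two halves of that procedure, as an added example rather than code from the original post: step 1 runs on a domain-joined machine as a user allowed to create computer accounts and writes the djoin blob; step 2 runs later on the disconnected Windows 7 / 2008 R2 client. The domain contoso.com, the computer name CLIENT01, the OU and the file paths are placeholders. The blob is handled like a credential because it carries the new computer account's password.

```powershell
# Added example (not from the original post). Offline domain join with djoin.exe.
# contoso.com, CLIENT01, the OU and paths below are placeholders.

# --- Step 1: on a domain-joined machine, provision the account and write the blob ---
$domain   = 'contoso.com'
$computer = 'CLIENT01'
$ou       = 'OU=Workstations,DC=contoso,DC=com'
$blob     = "C:\odj\$computer.txt"

New-Item -ItemType Directory -Path (Split-Path $blob) -Force | Out-Null
djoin.exe /provision /domain $domain /machine $computer /machineou $ou /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob embeds the machine account password: strip inherited ACEs so only
# the provisioning admin can read it, and delete it once the client has used it.
icacls.exe $blob /inheritance:r /grant:r "$env:USERDOMAIN\$env:USERNAME:(R)" | Out-Null

# --- Step 2: on the client (no domain connectivity needed) ---------------------
# Copy $blob to the client over a trusted channel, then run there as local admin:
#   djoin.exe /requestodj /loadfile C:\odj\CLIENT01.txt /windowspath $env:SystemRoot /localos
#   Restart-Computer
# On the first boot that can reach a DC the join completes and Group Policy applies.
# Verify from the domain side afterwards:
#   Get-ADComputer -Identity CLIENT01 -Properties LastLogonDate | Select-Object Name, Enabled, LastLogonDate
```

Adding /reuse to the provision step lets you regenerate a blob for a computer account that already exists, which is the usual fix when a client is rebuilt before it ever connected.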