is now on Server 2008

Ladies (if there are ladies reading my blog, let me know) and Gentlemen,

probably a rather uninteresting story for you, but I’d like to announce that my home testing forest I use to test drive and test configure almost on a daily basis for blog postings and writings is now officially in Server 2008 forest functional level:

This week I replaced the last Server 2003 Domain Controllers in the root domain as well as in the us domain. For those replacements, I moved the DCs into VMs to reduce the number of physical hosts and used a legacy laptop to serve as a DC (rather than a desktop machine – hence the Server 2008 domain mode in the root domain rather than R2 – the laptop isn’t x64 and R2 is 64bit-only!).

The forest and domain levels are as follows:

  • 0 – Windows 2000 (mixed and native)
  • 1 – Windows Server 2003 interim
  • 2 – Windows Server 2003
  • 3 – Windows Server 2008
  • 4 – Windows Server 2008 R2

Note that Windows Server 2003 R2 does not have a DFL/FFL of its own.

Having my forest on 2008 now, there isn’t actually new functionality I could enable or use. Technically, FFL2008 equals FFL2003. But since my domains are all at domain functional level 2008 now, there’s a couple of things I can use domain-wide now:

  • DFSR (DFS replication) for SYSVOL
  • Fine-Grained Password Policies – multiple password policies per domain!
  • More accurate last logon information through the “Last interactive logon” feature that stores time of last logon as well as bad logon attempts and _finally!_ replicates them among DCs.
  • Kerberos support for AES ticket encryption
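The constraint described above (one Server 2008 DC keeps a domain at level 3, and the forest level cannot exceed what the weakest DC supports) can be worked through in a short script. This is an added example, not code from the original post; the inventory is constructed and the host names are hypothetical.

```python
# Level numbers as listed in the post.
LEVEL_NAMES = {0: "Windows 2000", 1: "Windows Server 2003 interim",
               2: "Windows Server 2003", 3: "Windows Server 2008",
               4: "Windows Server 2008 R2"}

# Highest functional level a DC running each OS can take part in.
OS_MAX_LEVEL = {
    "Windows 2000 Server": 0,
    "Windows Server 2003": 2,
    "Windows Server 2003 R2": 2,  # has no functional level of its own
    "Windows Server 2008": 3,
    "Windows Server 2008 R2": 4,
}

# Domain-wide features the post lists for domain functional level 2008.
DFL_2008_FEATURES = ("DFSR for SYSVOL", "Fine-Grained Password Policies",
                     "Last interactive logon", "Kerberos AES ticket encryption")

def domain_ceiling(dcs):
    """Highest DFL a domain can reach: the lowest level among its DCs."""
    if not dcs:
        raise ValueError("a domain needs at least one DC")
    return min(OS_MAX_LEVEL[os_name] for os_name in dcs.values())

def forest_ceiling(forest):
    """Highest FFL: bounded by the weakest DC anywhere in the forest."""
    return min(domain_ceiling(dcs) for dcs in forest.values())

def blockers(dcs, target):
    """DCs that must be upgraded or replaced before reaching `target`."""
    return sorted(h for h, os_name in dcs.items() if OS_MAX_LEVEL[os_name] < target)

def features_available(level):
    """Features from the post's list that a given DFL unlocks."""
    return DFL_2008_FEATURES if level >= 3 else ()

# Constructed inventory (host names are hypothetical).
FOREST = {
    "root": {"dc-laptop": "Windows Server 2008", "dc-vm1": "Windows Server 2008 R2"},
    "us": {"us-vm1": "Windows Server 2008 R2"},
}

if __name__ == "__main__":
    for name, dcs in FOREST.items():
        top = domain_ceiling(dcs)
        print(f"{name}: max DFL {top} ({LEVEL_NAMES[top]}), blocks R2: {blockers(dcs, 4)}")
    top = forest_ceiling(FOREST)
    print(f"forest: max FFL {top} ({LEVEL_NAMES[top]})")
```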

Further reading:

“Understanding AD DS Functional Levels”

“Appendix of Functional Level Features”
