Every new Microsoft server operating system brings Active Directory related enhancements. It seems to me that Windows Sever 2008 introduces even more of such new features than its predecessors. I have already covered Fine-grained password policies, Read Only Domain Controllers (1) (2) (3), Active Directory Auditing, Active Directory Domain Services (AD DS), Active Directory snapshots in detail. Some of these new features work with lower DFLs, i.e. Windows 2000 and Windows Server 2003. The four new features discussed in this post require upgrading to DFL Windows Server 2008.
- Author and member of the year 2019 – Why DevOps still doesn't rule the IT world - Wed, Jan 1 2020
- Results of the 4sysops member and author competition in 2018 - Tue, Jan 8 2019
- Why Microsoft is using Windows customers as guinea pigs - Reply to Tim Warner - Tue, Dec 18 2018
Only if you think that you need one of these features, does it makes sense to raise your DFL. It is no problem to run Server 2008 domain controllers at a lower DFL.
SYSVOL Distributed File System (DFS) replication support ^
You probably know that the SYSVOL directory stores Group Policy objects, classic system policies (Windows NT 4), and the Netlogon scripts. It is essential that the replication of the SYSVOL folder between domain controllers is fast and reliable. In Windows Server 2003, the File Replication Service (FRS) is used to replicate SYSVOL. If your DFL is Windows Server 2008, you can use the Distributed File System (DFS) replication service. DFS was already introduced as an add-on for Windows NT and is meanwhile quite reliable. There are quite a few advantages of using DFS instead of FRS to replicate SYSVOL. Thanks to differential replication, it is more efficient, especially over low-bandwidth connections. DFS is also more reliable and scalable than FRS. The filing cabinet has more details of its advantages and describes how to migrate SYSVOL replication from FRS to DFS.
Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol ^
Kerberos is the protocol used for authentication when you logon to a Windows domain. Microsoft’s implementation uses the RC4 encryption algorithm and the HMAC protocol to secure communication in Kerberos since Windows 2000. It also supports DES-CBC-CRC and DES-CBC-MD5 for compatibility reasons. Cryptographers usually recommend not using RC4 anymore in new applications because RC4 is vulnerable to attacks under certain conditions. As to my knowledge, Microsoft’s RC4-based Kerberos implementation is still secure, though. However, if your users logon to a Windows domain through insecure communication channels, you might sleep better if you know that AES is used as encryption algorithm for Kerberos authentication. The Advanced Encryption Standard (AES) algorithm is supposedly more secure than RC4. Note that Windows XP doesn’t support this new feature. You can find more information about this feature here.
Last Interactive Logon Information ^
It took me a while to figure out what this feature is. It seems that I am not the only one because I found lots of misleading information about it on the web. Some think it has something to do with new Active Directory attributes. However, these attributes are already available at the Windows Server 2003 functional level. You can access these user attributes in Windows Server 2003 with ADSIedit or by registering acctinfo.dll (REGSVR32 acctinfo.dll) from the Account Lockout and Management Tools. This will add a new tab to ADUC displaying information such as last logon time and last bad logon. The new feature that comes with Server 2008 DFL is that you can display this information on the desktop after you users logged on. They will see the last successful interactive logon, from what workstation, and the number of failed logon attempts since the last logon. This information is displayed immediately after the logon. However this only works on Vista and Server 2008 machines. You can enable this feature using Group Policy:
I think, this is a very useful feature. You probably also know those users who swear that they never mistyped their password before their account has been locked. Most important is that it will improve security because users will realize if really someone else tried to logon with their account.
Fine-Grained Password Policies ^
I already described the new fine-grained password policies feature in detail a while back. It allows you to work with multiple password policies. In Windows Server 2003, you can only configure one password policy for each domain. The password policies specify such things as password complexity and the maximum password age. It certainly makes sense to use different policies depending on the rights users have. Admins should change their passwords more often than standard users. The only thing I have to criticize about this new feature is that it is quite complicated to setup.
All four features are certainly quite useful. The DFS support for SYSVOL replication is only something for big organizations. You need AES encryption for Kerberos only if your users logon through insecure channels and you upgraded all your workstations to Vista already. Last Interactive Logon Information and Fine-Grained password Policies both improve security in every environment. They might be reason enough to upgrade your Domain Functional Level. Note that you can only raise your DFL if all domain controllers have been upgraded to Windows Server 2008. You can upgrade your DFL with the Active Directory Domains and Trusts snap-in. This KB article describes how. Information about the capabilities of the different functional levels can be found here.