MCITP 70-640: Active Directory Domain Functional Levels

preview_player
Показать описание
Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level the more features available. This video looks at which domain functional levels are available and how to raise the domain functional level to get access to these features. The next video in this free series looks at the forest functional levels.

Raising the domain function level demo 17:46

The different domain functional levels and the features you get from the functional level are listed below.

Windows 2000 native
* Gives basic Active Directory functionality

Windows Server 2003
* Allows the computer name of a domain controller to be changed.
* Adds last login time stamp to each user account
* Adds UserPassword to iNetOrgPerson object. This is used when migrating from a 3rd party directory service. It allows the 3rd party password to be stored in Active Directory.
* Constrained delegation. Delegation is when credentials are passed from one system to another; e.g., an administrator connects to a computer and then attempts to have that computer connect to a file share on another computer using the administrator's credentials. Delegation is disabled by default in Active Directory. Windows Server 2003 domain functional level allows you to determine which services are delegated and which are not and to which computers. You could, for example, trust delegation only for file sharing to only a particular server. Before this domain functional level delegation was to everything or nothing.
* Selected authentication for forests. When using multiple forests this feature allows the administrator to configure which users from the trusted forest can have access to which services in the forest that they would normally have access to by default. A user from another forest needs to have access to resources in the either forest like any other user through permissions like NTFS so selected authentication does not change that. The difference with selected authentication is that you can configure which services they can use which would normally be available to everyone. For example, a domain controller will by default authenticate any user from either forest. With selected authentication you can configure which domain controllers will be allowed to authenticate users from the other forest.
* Adds support to store authorization policies in Active Directory.

Windows Server 2008
* DFS for replication of SysVol share.
* Advanced Encryption System (AES) for Kerberos
* Additional last login details. Adds attributes like number of failed login attempts.
* Fine-grained password. Allows multiple password policies to be defined in the same domain.

Windows Server 2008 R2
* Authentication Mechanism Assurance. Adds details to the Kerberos ticket about how it was authenticated, e.g., if a SmartCard was used to authenticate the user.
* Automatic SPN (Service Principal Names) management. Allows services account password to be managed by Active Directory.

Mixed or Interim
domain functional levels that are mixed or interim have been upgraded from an NT4 domain and may have some domain controllers that are still NT4. Once you have removed all of the NT4 domain controllers, raise the domain functional level to one of the domain functional levels listed above.

Rasing the Domain Function Level
In order to raise the domain functional level, you need to ensure that all of the domain controllers in your domain are at that domain functional level or higher. For example, if you had 3 Windows Server 2008 DC's, 4 Windows Server 2003 DC's and 1 Windows 2000 DC the highest domain functional level that you could go to would be Windows 2000 native. If you upgrade the Windows Server 2000 domain controller to Windows Server 2003, you could raise the domain functional level to Windows Server 2003. Remember also that once you raise your domain functional level you will not be able to add any down level domain controllers to the domain. For example, if you raise the domain functional level to Windows Server 2008, you would not be able to add any domain controllers for Windows 2000 and Windows 2003. Regardless of the domain functional level you can add any Windows client operating system or server to the domain of any operating system level. Raising the domain functional level is a one way process and can't be reversed once complete.

Raising the domain functional level
To raise the functional level, open Active Directory User and Computer and right click on your domain and select raise domain functional level. Select the domain functional level that you want and select raise.

Keywords: "Domain Functional Levels" "Active Directory" 70-640 MCITP MCTS ITFreeTraining
  1. ITFreeTraining
  2. Domain Functional Levels
  3. Active Directory
  4. 70-640
  5. MCITP
  6. MCTS
Рекомендации по теме
MCITP 70-640: Active 0:18:56

MCITP 70-640: Active Directory Domain Functional Levels

MCITP 70-640: Introduction 0:08:48

MCITP 70-640: Introduction To Active Directory

MCITP 70-640: Active 0:26:14

MCITP 70-640: Active Directory Replication

MCITP 70-640: Active 0:14:24

MCITP 70-640: Active Directory Computer Accounts

MCITP 70-640: Active 0:08:09

MCITP 70-640: Active Directory forest and trees

MCITP 70-640: Active 0:20:45

MCITP 70-640: Active Directory Trusts

MCITP 70-640: Active 0:17:24

MCITP 70-640: Active Directory Forest Functional Levels

MCITP 70-640: Active 0:13:43

MCITP 70-640: Active Directory Windows Auditing

MCITP 70-640: Installing 0:17:57

MCITP 70-640: Installing Active Directory

MCITP 70-640: Active 0:05:55

MCITP 70-640: Active Directory System Requirments

MCITP 70-640: Active 0:18:41

MCITP 70-640: Active Directory different group types available

MCITP 70-640: Active 0:08:04

MCITP 70-640: Active Directory Under The Hood

MCITP 70-640: Active 0:10:03

MCITP 70-640: Active Directory Accounts

MCITP 70-640: Active 0:08:30

MCITP 70-640: Active Directory adding a child domain

MCITP 70-640: Service 0:14:12

MCITP 70-640: Service Accounts

MCITP 70-640: Domain 0:13:41

MCITP 70-640: Domain Groups

MCITP 70-640: Active 0:18:55

MCITP 70-640: Active Directory Migration Tool (ADMT)

MCITP 70-640: Sites 0:09:53

MCITP 70-640: Sites and Subnets

MCITP 70-640: Uninstalling 0:07:32

MCITP 70-640: Uninstalling Active Directory

MCITP 70 640 0:20:45

MCITP 70 640 Active Directory Trusts

MCITP 70-640: Active 0:09:38

MCITP 70-640: Active Directory Groups

MCITP 70-640: Installing 0:15:07

MCITP 70-640: Installing Active Directory on Server Core

MCITP 70 640 0:08:30

MCITP 70 640 Active Directory adding a child domain

MCITP 70-640: Active 0:08:43

MCITP 70-640: Active Directory Command Line Tools

Комментарии
Автор

Thanks for pointing that out. I have updated the description. Good to hear that you like the training.

itfreetraining
Автор

we need an updated version of this course.. for Windows Server 2016
you can't imagine how helpful are these videos!
THANK YOU! :)

ahmedelhramy
Автор

Thanks for the comment. We are working hard on the Active Directory course. Good luck with your exam and it is good to hear you passed the 70-640 exam.

itfreetraining
Автор

Excellent training material!
Please note that the the information under Show more for this video is not for Domain Functional Levels, it is the same as the one for the Forest Functional Levels (Vid.15).
Thank you.

MMTheWGA
Автор

@brunobliss We will. Thanks for your comment.

itfreetraining
Автор

@44TONTO Thanks for the comment. Good luck in your test.

itfreetraining
Автор

@onenonlyheart Thanks for the comment. I will pass your comment on.

itfreetraining
Автор

I'm getting ready for my test next week & have found your videos to be extremely helpful. Please keep them coming!!!

TONTO
Автор

You made everything so ez thank you good content :D

offensivebias
Автор

If you have a look at the video "MCITP 70-640: Active Directory adding a child domain Active Directory adding a child domain" this goes through the process. You need to run DCPromo on the server you want to add promote to a domain controller. If you run DCPromo on a server that has already been prompted to a domain controller than the wizard will ask you to demote the Domain Controller.

itfreetraining
Автор

Seriously very very helpful. Thank you

casper
Автор

this video is very helpful! keep it up!

sugaranderson
Автор

Thanks :) Very nice and clear explanation!

natr
Автор

In Active Directory you have the option to store the password in decrypted format. Does the 3rd party system have that option? You could expire all the passwords in the 3rd party system so the users would need to change them. This way the changed password would be stored in the 3rd party system in a format that could be imported into Active Directory.

itfreetraining
Автор

Very helpful content....If you could make another videos for PKI in depth it would be

DeepakKumarpark
Автор

I have a question. On time 6:02, the administrator first send his or her credentials and then sends a command to the user asking him to install the application. What is the time difference between these two sends or deliveries ?  :)

aamonbasnt
Автор

The password would need to decrypted first. Since sha1 is a hash function this would be difficult. Maybe the 3rd party directory has an option to store the password in decrypted format.

itfreetraining
Автор

We didn't store the password in clear text format on our LDAP server. I guess we would need to reset all our 10k+ users password once we migrate to AD :-(

Thank you for the video tutorials on AD. Very helpful!

mjavierk
Автор

Raising the Domain functional level. Will that affect my Exchange server, barracuda, or other device that uses my active directory? I will raise from 2003 to 2012. thanks in advance

OsvaldoRoman
Автор

Is it possible to import the UserPassword from an 3rd party ldap directory to Active Directory if it was stored in SHA1 encryption?

Thank you very much.

mjavierk