AD域级别和林级别提升的好处-阿里云开发者社区

开发者社区> 像教授> 正文

AD域级别和林级别提升的好处

简介:
+关注继续查看

有问,我将域级别和林级别提升了后,可以有什么好处呢?

功能级别决定可用的 Active Directory 域服务 (AD DS) 的域或林功能。它们还决定哪些 Windows Server 操作系统可以在域或林中的域控制器上运行。但是,功能级别不会影响哪些操作系统可以在加入到域或林的工作站和成员服务器上运行。

 

image 
 

以下列出了每个域功能级别可用的功能。

 

域功能级别

可用的功能

支持的域控制器操作系统

Windows 2000 native

All of the default AD DS features and the following directory features are available:

  • Universal groups for both distribution and security groups.
  • Group nesting
  • Group conversion, which allows conversion between security and distribution groups
  • Security identifier (SID) history

clip_image001Note

In Windows Server 2008 R2, the Personal Virtual Desktop feature was introduced. It requires the Windows 2000 native domain functional level.

  • Windows 2000
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2

Windows Server 2003

All the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available:

  • The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
  • Logon time stamp updates 
    The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
  • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
  • The ability to redirect Users and Computers containers 
    By default, two well-known containers are provided for housing computer and user accounts, namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature allows the definition of a new, well-known location for these accounts.
  • The ability for Authorization Manager to store its authorization policies in AD DS
  • Constrained delegation 
    Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication. 
    You can restrict delegation to specific destination services only.
  • Selective authentication 
    Selective authentication makes it is possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2

Windows Server 2008

All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:

  • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)
    DFS replication support provides more robust and detailed replication of SYSVOL contents.
  • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. Domain-based namespaces in Windows Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level. For more information, seeChoose a Namespace Type (http://go.microsoft.com/fwlink/?LinkId=180400).
  • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol
  • Last Interactive Logon Information 
    Last Interactive Logon Information displays the following information:
    • The total number of failed logon attempts at a domain-joined Windows Server 2008 server or a Windows Vista workstation
    • The total number of failed logon attempts after a successful logon to a Windows Server 2008 server or a Windows Vista workstation
    • The time of the last failed logon attempt at a Windows Server 2008 or a Windows Vista workstation
    • The time of the last successful logon attempt at a Windows Server 2008 server or a Windows Vista workstation

For more information, see Active Directory Domain Services: Last Interactive Logon (http://go.microsoft.com/fwlink/?LinkId=180387).

  • Fine-grained password policies 
    Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (
    http://go.microsoft.com/fwlink/?LinkID=91477).
  • Personal Virtual Desktops 
    To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, your AD DS schema must be extended for Windows Server 2008 R2 (schema object version = 47). For more information, see 
    Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=183552).
  • Windows Server 2008
  • Windows Server 2008 R2

Windows Server 2008 R2

All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:

  • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user’s Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user’s logon method.
  • Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes. For more information about Managed Service Accounts, see Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=180401).
  • Windows Server 2008 R2

 

 

林功能级别

可用的功能

支持的域控制器操作系统

Windows 2000 native

All of the default AD DS features are available.

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000

Windows Server 2003

All of the default AD DS features, and the following features, are available:

  • Forest trust
  • Domain rename
  • Linked-value replication 
    Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
  • The ability to deploy a read-only domain controller (RODC)
  • Improved Knowledge Consistency Checker (KCC) algorithms and scalability 
    The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less-intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
  • The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
  • The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
  • The ability to create instances of new group types to support role-based authorization. 
    These types are called application basic groups and LDAP query groups.
  • Deactivation and redefinition of attributes and classes in the schema. The following attributes can be reused: ldapDisplayName, schemaIdGuid, OID, and mapiID.
  • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. For more information, see Choose a Namespace Type (http://go.microsoft.com/fwlink/?LinkId=180400).
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2

Windows Server 2008

All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available. All domains that are subsequently added to the forest, however, operate at the Windows Server 2008 domain functional level by default.

  • Windows Server 2008
  • Windows Server 2008 R2

Windows Server 2008 R2

All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

  • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.

  • Windows Server 2008 R2

 

 




本文转自 VirtualTom 51CTO博客,原文链接:http://blog.51cto.com/virtualtom/1092666,如需转载请自行联系原作者

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

相关文章
阿里云服务器怎么设置密码?怎么停机?怎么重启服务器?
如果在创建实例时没有设置密码,或者密码丢失,您可以在控制台上重新设置实例的登录密码。本文仅描述如何在 ECS 管理控制台上修改实例登录密码。
10092 0
阿里云服务器ECS远程登录用户名密码查询方法
阿里云服务器ECS远程连接登录输入用户名和密码,阿里云没有默认密码,如果购买时没设置需要先重置实例密码,Windows用户名是administrator,Linux账号是root,阿小云来详细说下阿里云服务器远程登录连接用户名和密码查询方法
11633 0
windows server 2008阿里云ECS服务器安全设置
最近我们Sinesafe安全公司在为客户使用阿里云ecs服务器做安全的过程中,发现服务器基础安全性都没有做。为了为站长们提供更加有效的安全基础解决方案,我们Sinesafe将对阿里云服务器win2008 系统进行基础安全部署实战过程! 比较重要的几部分 1.
9161 0
阿里云服务器如何登录?阿里云服务器的三种登录方法
购买阿里云ECS云服务器后如何登录?场景不同,阿里云优惠总结大概有三种登录方式: 登录到ECS云服务器控制台 在ECS云服务器控制台用户可以更改密码、更换系.
13893 0
腾讯云服务器 设置ngxin + fastdfs +tomcat 开机自启动
在tomcat中新建一个可以启动的 .sh 脚本文件 /usr/local/tomcat7/bin/ export JAVA_HOME=/usr/local/java/jdk7 export PATH=$JAVA_HOME/bin/:$PATH export CLASSPATH=.
4660 0
如何设置阿里云服务器安全组?阿里云安全组规则详细解说
阿里云安全组设置详细图文教程(收藏起来) 阿里云服务器安全组设置规则分享,阿里云服务器安全组如何放行端口设置教程。阿里云会要求客户设置安全组,如果不设置,阿里云会指定默认的安全组。那么,这个安全组是什么呢?顾名思义,就是为了服务器安全设置的。安全组其实就是一个虚拟的防火墙,可以让用户从端口、IP的维度来筛选对应服务器的访问者,从而形成一个云上的安全域。
7503 0
阿里云服务器如何登录?阿里云服务器的三种登录方法
购买阿里云ECS云服务器后如何登录?场景不同,云吞铺子总结大概有三种登录方式: 登录到ECS云服务器控制台 在ECS云服务器控制台用户可以更改密码、更换系统盘、创建快照、配置安全组等操作如何登录ECS云服务器控制台? 1、先登录到阿里云ECS服务器控制台 2、点击顶部的“控制台” 3、通过左侧栏,切换到“云服务器ECS”即可,如下图所示 通过ECS控制台的远程连接来登录到云服务器 阿里云ECS云服务器自带远程连接功能,使用该功能可以登录到云服务器,简单且方便,如下图:点击“远程连接”,第一次连接会自动生成6位数字密码,输入密码即可登录到云服务器上。
22409 0
+关注
1338
文章
0
问答
文章排行榜
最热
最新
相关电子书
更多
《2021云上架构与运维峰会演讲合集》
立即下载
《零基础CSS入门教程》
立即下载
《零基础HTML入门教程》
立即下载