When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible.
[00:03] We are going to…
[00:12] Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest features.
They also determine which Windows Server OS you can run on domain controllers in the domain or forest.
However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
Remember that the higher the functional level, the more features are available.
[00:26] There are two types of Active Directory functional level (FL):
Domain FL determines the functional level of the current domain.
Forest FL is the higher class: it requires that every domain in the forest is at least at that level, and it determines the lowest version of Windows Server (WS) that any domain controller in the forest can run.
This ensures that every DC runs a new enough version of WS to operate in the forest; otherwise, compatibility issues caused by new features and OS architecture can occur.
[00:33] Let's explore why we need to raise the functional level of the domain/forest, and how to raise it!
[00:59] Current domain/forest functional level: Windows 2000 (native).
Let's assume that we need to install the ESET Smart Security software and dozens of Group Policy Objects (GPOs) on any new computer that joins this domain, to meet security and corporate environment requirements.
The manual process is: join the computer to the domain, go to that machine, log in with an administrative account, copy the software onto it, start the installation, and then configure the GPOs.
Although we can deploy software and GPOs automatically by using Group Policy Management on the DC, we still need to manually create an OU and place this specific computer object in it.
[01:23] By default, when a computer joins the domain, its computer account is placed in the Computers container, which is a default CN rather than an OU, so GPOs cannot be linked to it and these tasks cannot be deployed easily.
[01:31] Luckily, we can use the redircmp tool to automatically redirect computer accounts to a pre-defined OU, here called Deploy Security, when computers join the domain.
[02:21] With an OU, we can place objects in it and then deploy GPOs to them easily and selectively.
As mentioned, we can deploy software and other settings through the GPO linked here.
However, what we are considering is the need for a default OU for newly joined computers so that GPOs can be deployed to them, not how to configure those GPOs, so we stop here.
The main point is that redircmp requires a higher domain FL.
The redirection command did not succeed because the current domain functional level is Windows 2000 native, not Windows Server 2003 or higher as required.
Thus, we need to raise the domain FL using the Active Directory Domains and Trusts snap-in.
Okay, now every new computer that joins this domain will be placed in the Deploy Security OU instead of the Computers container, so it will be affected by the GPOs linked to this OU.
[04:37] Let's join a computer to this domain to check the redirection.
[05:19] Okay, the computer account of the newly joined computer was properly placed here.
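The same check, OU creation, redirection and verification as an added PowerShell example, not part of the original walkthrough; it assumes the ActiveDirectory module is available (RSAT or a Windows Server 2008 R2 or later DC), Domain Admin rights, and reuses the OU name Deploy Security from the text.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# PowerShell module (RSAT or a Windows Server 2008 R2+ DC) and Domain Admin rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouName = 'Deploy Security'                       # OU name used in the walkthrough
$ouDN   = "OU=$ouName,$($domain.DistinguishedName)"

# 1. Check the domain functional level: redircmp needs Windows Server 2003 or higher.
#    Get-ADDomain exposes the level as the DomainMode property.
if ($domain.DomainMode -eq 'Windows2000Domain') {
    Write-Warning "Domain FL is Windows 2000 native; raise it before running redircmp."
    # Raising the level cannot be undone, so confirm every DC already runs
    # Windows Server 2003 or later. Equivalent to the Domains and Trusts snap-in step:
    # Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2003Domain
    return
}

# 2. Create the OU if it does not exist yet (link your GPOs to it afterwards).
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# 3. Redirect new computer accounts from CN=Computers to the OU.
#    redircmp.exe rewrites the wellKnownObjects attribute on the domain head.
redircmp.exe "$ouDN"

# 4. Verify: Get-ADDomain reads the default computer container back from wellKnownObjects.
$after = Get-ADDomain
if ($after.ComputersContainer -eq $ouDN) {
    "New computer accounts now land in $($after.ComputersContainer)"
} else {
    Write-Warning "Redirection not applied; default container is still $($after.ComputersContainer)"
}
```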
[05:39] Wait for part 2 to learn why a higher domain and forest FL (2003/2008) is needed.
Take a look at the features they can bring you: