Domain Functional Level | What are DFL?

When you create a domain (Active Directory), it takes a functional level that determines your level of compatibility with domain controllers. For example when creating a domain from a Windows 2000, functional level is Domain Functional Level Windows 2000 and you do not take advantage of all the new functionalities from this domain functional level.

There are two functional levels that are domain functional level and forest function level.

Domain Functional Levels

In domain factional level the lowest level that you can use windows 2000 server.

Domain Functional Level (DFL): Windows 2000:

In this level you can use the windows 2000 as OS and for domain controller you can also use windows server 2000, windows server 2003 and windows server 2008. In this level you can run and enable only basic active directory services. This DFL for 2000 is now no longer used.

DFL: Windows server 2003:

In this domain functional level you can use windows 2k3 and windows 2k8 for domain controller.

In this functional level Microsoft provide you

  • Domain renaming feature
  • last logon time
  • You can create a forest trust between two Forest as well.
  • W2k3 DFL level provide you redirect feature using this feature you can create user in your desire organizational unit using command prompt. Suppose you have create a user “john” in Marketing OU and marketing OU is in departments OU and domain is you should use the following command.

Dedirusrou-marketing users,ou-departments,dc-w7cloud,dc-com

If you use the net user command to create a user it will simply create user in user’s container in users and groups.

  • In W2k3 DFL you have selective authentication, if you have forest trust between two forests you can only specify the selective user to access the recourses of other forest. Suppose you have two forests and and you have a trusted relation between these two forests, you have a user “viki” on w7cloud. Using selective authentication in windows 2003 domain functional level you can assign the full rights to “viki” user on different systems of forest also you can made retractions on other systems of
  • Authorization manager: Usingdomain functional level windows 2003,an application developer can implement different restrictions on user application.

Domain Functional Level: Windows server 2008:

This functional level includes all the feature of domain functional level w2k3 and also some following extra features:

  • DC for DFL W2k8:For this function level you have to run only window server 2008.
  • DFS and SYSVOL replication:You have DFS and SYSVOL replication services.
  • User Login Attempts:Also keep the last login info with number of password attempts.
  • You have the advance encryption standard (AES) in W2K8 DFL. This is a strong security feature that you have in this DFL.
  • Fine-Grained Password and Account Lockout Policy:  You can implement Fine-Grained Password policy in this functional level and can create multiple password policies and account lock user polices for different users. In windows 2000 and 2003 you don’t have this feature you have to rely on default password policy in those functional levels.

Learn about “Forest Functional Level

Waqas Azam
Me Waqas Azam and I am a professional blogger & freelance writer. I also working in the IT industry for over 7 years. I am graduated in Computer Science and information technology.