Forest and Domain Functional Levels

Applies To: Windows Server

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. When you deploy a new forest, you are prompted to set the forest functional level and then the domain functional level. You can set the domain functional level to a value that is higher than the forest functional level, but you cannot set the domain functional level to a value that is lower than the forest functional level. Treat raising a level as a one-way change: later versions can lower it again only while no feature that depends on the higher level, such as the Active Directory Recycle Bin, has been enabled.
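The following PowerShell is an added example, not code from the original page or from Microsoft: it inventories the domain controllers, works out the highest functional level the oldest DC operating system still permits, and raises the domain level and then the forest level only that far, honouring the rule above that the forest level can never exceed the lowest domain level. It assumes the RSAT ActiveDirectory module, Domain Admins rights for the domain level and Enterprise Admins rights for the forest level; the OS-to-level mapping follows the "Supported Domain Controller Operating System" lists later on this page.

```powershell
# Added example (not from the original page): audit DC operating systems and raise the
# domain and forest functional levels only as far as the oldest DC allows.
Import-Module ActiveDirectory

# Domain modes oldest to newest; the array position doubles as a comparable rank.
$ModeOrder = @('Windows2000Domain', 'Windows2003Domain', 'Windows2008Domain',
               'Windows2008R2Domain', 'Windows2012Domain', 'Windows2012R2Domain',
               'Windows2016Domain')

function Get-MaxDomainModeForOS {
    # Highest domain functional level a DC running this OS can participate in.
    # Windows Server 2019 adds no level of its own, so it maps to the 2016 level.
    param([string]$OperatingSystem)
    switch -Regex ($OperatingSystem) {
        'Windows Server (2016|2019)' { return 'Windows2016Domain' }
        'Windows Server 2012 R2'    { return 'Windows2012R2Domain' }   # R2 must precede 2012
        'Windows Server 2012'       { return 'Windows2012Domain' }
        'Windows Server 2008 R2'    { return 'Windows2008R2Domain' }
        'Windows Server 2008'       { return 'Windows2008Domain' }
        'Windows Server 2003'       { return 'Windows2003Domain' }
        default                     { return 'Windows2000Domain' }
    }
}

function Get-FunctionalLevelCeiling {
    # Current domain mode, the highest mode every DC supports, and which DC imposes the cap.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
           Select-Object HostName, OperatingSystem,
               @{ n = 'MaxMode'; e = { Get-MaxDomainModeForOS $_.OperatingSystem } }
    $oldest = $dcs | Sort-Object { $ModeOrder.IndexOf($_.MaxMode) } | Select-Object -First 1
    [pscustomobject]@{
        Domain            = $Domain
        CurrentMode       = (Get-ADDomain -Identity $Domain).DomainMode.ToString()
        HighestPossible   = $oldest.MaxMode
        LimitingDC        = $oldest.HostName
        DomainControllers = $dcs
    }
}

function Invoke-FunctionalLevelRaise {
    # Raises every domain to its ceiling, then the forest to the lowest domain level.
    # Run with -WhatIf first; raising is effectively one-way.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $forest = Get-ADForest
    foreach ($d in $forest.Domains) {
        $r = Get-FunctionalLevelCeiling -Domain $d
        if ($ModeOrder.IndexOf($r.HighestPossible) -le $ModeOrder.IndexOf($r.CurrentMode)) {
            Write-Verbose "$d stays at $($r.CurrentMode); $($r.LimitingDC) caps it at $($r.HighestPossible)."
            continue
        }
        if ($PSCmdlet.ShouldProcess($d, "Raise domain level $($r.CurrentMode) -> $($r.HighestPossible)")) {
            Set-ADDomainMode -Identity $d -DomainMode $r.HighestPossible -Confirm:$false
        }
    }
    # The forest level can never exceed the lowest domain level in the forest.
    $floor = $forest.Domains | ForEach-Object { (Get-ADDomain -Identity $_).DomainMode.ToString() } |
             Sort-Object { $ModeOrder.IndexOf($_) } | Select-Object -First 1
    $forestAsDomain = $forest.ForestMode.ToString() -replace 'Forest$', 'Domain'
    $forestTarget   = $floor -replace 'Domain$', 'Forest'
    if ($ModeOrder.IndexOf($floor) -gt $ModeOrder.IndexOf($forestAsDomain) -and
        $PSCmdlet.ShouldProcess($forest.Name, "Raise forest level $($forest.ForestMode) -> $forestTarget")) {
        Set-ADForestMode -Identity $forest -ForestMode $forestTarget -Confirm:$false
    }
}

Get-FunctionalLevelCeiling | Format-List
Invoke-FunctionalLevelRaise -WhatIf -Verbose
```

Run the two calls at the end as-is to get a report and a dry run; drop `-WhatIf` only after the `LimitingDC` column shows no DC you still intend to decommission, because once the level is raised that DC can no longer be re-added.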

With the end of life of Windows Server 2003, 2008, and 2008 R2, these domain controllers (DCs) need to be updated to Windows Server 2012, 2012 R2, 2016, or 2019. As a result, any domain controller that runs Windows Server 2008 R2 or older should be removed from the domain.

At the Windows Server 2008 and higher domain functional levels, Distributed File System (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is used automatically to replicate SYSVOL. If you created the domain at a lower functional level, you will need to migrate SYSVOL replication from FRS to DFS Replication; raising the functional level by itself does not perform this migration. For migration steps, you can either follow the procedures on TechNet or refer to the streamlined set of steps on the Storage Team File Cabinet blog. Windows Server 2016 RS1 is the last Windows Server release that includes FRS.

Windows Server 2019

There are no new forest or domain functional levels added in this release.

The minimum requirement to add a Windows Server 2019 domain controller is the Windows Server 2008 functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL.
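Both prerequisites above (the 2008 domain functional level and SYSVOL on DFS-R) and the FRS-to-DFS-R migration mentioned in the introduction can be checked and driven from PowerShell. The block below is an added example, not from the original page or from Microsoft: it reports whether a Windows Server 2019 DC can be promoted and, if SYSVOL is still on FRS, walks the migration through dfsrmig's states one at a time. It assumes it is run on a domain controller (ideally the PDC emulator) with the ActiveDirectory module, and that dfsrmig.exe prints its English message text, which the regular expressions below match.

```powershell
# Added example (not from the original page): pre-flight check for a Windows Server 2019 DC
# and a driver for the staged FRS -> DFS-R SYSVOL migration with dfsrmig.exe.
Import-Module ActiveDirectory

# dfsrmig global states, in the order the migration must pass through them.
$DfsrMigStates = @('Start', 'Prepared', 'Redirected', 'Eliminated')

function Get-SysvolMigrationState {
    # Numeric global state 0..3. 'Eliminated' means FRS is gone; a domain created at the
    # 2008 DFL or higher reports Eliminated without ever having migrated.
    $out = (& dfsrmig.exe /getglobalstate) -join ' '
    if ($out -match "'(Start|Prepared|Redirected|Eliminated)'") {
        return $DfsrMigStates.IndexOf($Matches[1])
    }
    throw "Could not determine the DFSR migration state from dfsrmig output: $out"
}

function Test-DC2019Prerequisites {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $mode = (Get-ADDomain -Identity $Domain).DomainMode
    # ADDomainMode enum values are ordered oldest to newest (assumption: verify on your module version).
    $dflOk = [int]$mode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $state = Get-SysvolMigrationState
    [pscustomobject]@{
        Domain        = $Domain
        DomainMode    = $mode.ToString()
        DomainLevelOk = $dflOk
        SysvolState   = $DfsrMigStates[$state]
        SysvolOnDfsr  = ($state -eq 3)
        CanAdd2019DC  = ($dflOk -and $state -eq 3)
    }
}

function Wait-SysvolMigrationConsistent {
    # Polls until every DC reports the current global state, or the timeout expires.
    param([int]$TimeoutMinutes = 60, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = (& dfsrmig.exe /getmigrationstate) -join ' '
        if ($out -match 'migrated successfully') { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-SysvolDfsrMigration {
    # Walks Start -> Prepared -> Redirected -> Eliminated one state at a time, waiting for
    # all DCs to reach each state before moving on. Eliminated cannot be rolled back.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = Get-SysvolMigrationState
    if ($current -ge 3) { Write-Verbose 'SYSVOL is already replicated by DFS-R (Eliminated).'; return }
    foreach ($next in ($current + 1)..3) {
        if (-not $PSCmdlet.ShouldProcess('SYSVOL', "dfsrmig /setglobalstate $next ($($DfsrMigStates[$next]))")) { return }
        & dfsrmig.exe /setglobalstate $next | Out-Null
        if (-not (Wait-SysvolMigrationConsistent)) {
            throw "Migration did not reach a consistent '$($DfsrMigStates[$next])' state in time; fix AD replication before continuing."
        }
    }
}

Test-DC2019Prerequisites | Format-List
Invoke-SysvolDfsrMigration -WhatIf -Verbose
```

The Prepared and Redirected states can be reverted with `dfsrmig /setglobalstate` to a lower number; Eliminated removes the FRS replica set, so make sure `CanAdd2019DC` (or at least `SysvolOnDfsr`) is what you expect before removing `-WhatIf`.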

Windows Server 2016

Supported Domain Controller Operating System:

  • Windows Server 2019
  • Windows Server 2016

Windows Server 2016 forest functional level features

  • All of the features that are available at the Windows Server 2012 R2 forest functional level, and the following features, are available:
    • Privileged access management (PAM) using Microsoft Identity Manager (MIM)

Windows Server 2016 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2012 R2 domain functional level, plus the following features:
    • DCs can support automatic rolling of the NTLM and other password-based secrets on a user account configured to require PKI authentication. This configuration is also known as "Smart card required for interactive logon".

    • DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices.

    • Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID.

      For more information, see What's New in Kerberos Authentication and What's new in Credential Protection.

Windows Server 2012 R2

Supported Domain Controller Operating System:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2

Windows Server 2012 R2 forest functional level features

  • All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.

Windows Server 2012 R2 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following features:
    • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
      • Authenticate with NTLM authentication
      • Use DES or RC4 cipher suites in Kerberos pre-authentication
      • Be delegated with unconstrained or constrained delegation
      • Renew user tickets (TGTs) beyond the initial 4 hour lifetime
    • Authentication Policies
      • New forest-based Active Directory policies that can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign on from and to apply access-control conditions for authentication to services running as an account.
    • Authentication Policy Silos
      • New forest-based Active Directory object that creates a relationship between user, managed service, and computer accounts, used to classify accounts for authentication policies or for authentication isolation.
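The three 2012 R2 features above are usually deployed together for the most privileged accounts. The following PowerShell is an added example, not code from the original page or from Microsoft: it puts a set of Tier-0 administrators into Protected Users, creates an authentication policy that shortens their TGT and only allows sign-in from computers in the same silo, and a silo that binds those users to their admin workstations. User, computer, policy and silo names are hypothetical. It assumes the 2012 R2 domain functional level, the RSAT ActiveDirectory module, and that Kerberos armoring and claims are enabled on the DCs and the client computers, since the `UserAllowedToAuthenticateFrom` condition is evaluated against the device's claims in a compound-authentication request.

```powershell
# Added example (not from the original page): Protected Users + authentication policy + silo
# for hypothetical Tier-0 admins and their admin workstations.
Import-Module ActiveDirectory

$SiloName   = 'Tier0-Silo'                # hypothetical
$PolicyName = 'Tier0-Policy'              # hypothetical
$AdminUsers = @('adm-alice', 'adm-bob')   # hypothetical sAMAccountNames
$AdminHosts = @('PAW01', 'PAW02')         # hypothetical admin workstation computer names

function Protect-Tier0Accounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not $PSCmdlet.ShouldProcess($SiloName, 'Create policy, silo and assignments')) { return }

    # 1. Protected Users: DC-side enforcement of no NTLM, no DES/RC4, no delegation, 4h TGT.
    Add-ADGroupMember -Identity 'Protected Users' -Members $AdminUsers

    # 2. Policy. The SDDL condition is evaluated against the device the user signs in from;
    #    AuthenticationSilo is the claim DCs populate for silo members at the 2012 R2 DFL.
    $fromSilo = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$SiloName`"))"
    if (-not (Get-ADAuthenticationPolicy -Filter "Name -eq '$PolicyName'")) {
        New-ADAuthenticationPolicy -Name $PolicyName -Enforce `
            -UserTGTLifetimeMins 120 `
            -UserAllowedToAuthenticateFrom $fromSilo `
            -Description 'Tier-0 admins: 2h TGT, sign-in only from silo admin workstations'
    }

    # 3. Silo: the same policy for users and computers. Without -Enforce the silo only audits.
    if (-not (Get-ADAuthenticationPolicySilo -Filter "Name -eq '$SiloName'")) {
        New-ADAuthenticationPolicySilo -Name $SiloName -Enforce `
            -UserAuthenticationPolicy $PolicyName `
            -ComputerAuthenticationPolicy $PolicyName
    }

    # 4. Membership is two-sided: the silo must grant access AND the account must point at the silo.
    foreach ($u in $AdminUsers) {
        $user = Get-ADUser -Identity $u
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $user
        Set-ADUser -Identity $user -AuthenticationPolicySilo $SiloName
    }
    foreach ($h in $AdminHosts) {
        $computer = Get-ADComputer -Identity $h
        Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $computer
        Set-ADComputer -Identity $computer -AuthenticationPolicySilo $SiloName
    }
}

function Test-Tier0Protection {
    # One row per admin: Protected Users membership and the silo actually assigned.
    foreach ($u in $AdminUsers) {
        $user = Get-ADUser -Identity $u -Properties MemberOf, 'msDS-AssignedAuthNPolicySilo'
        [pscustomobject]@{
            User          = $u
            ProtectedUser = [bool]($user.MemberOf -match '^CN=Protected Users,')
            Silo          = $user.'msDS-AssignedAuthNPolicySilo'
        }
    }
}

Protect-Tier0Accounts -WhatIf
Test-Tier0Protection | Format-Table -AutoSize
```

Roll this out with the silo in audit mode first (omit `-Enforce` on `New-ADAuthenticationPolicySilo`) and review the KDC's audit events before enforcing, and keep at least one break-glass account outside both the silo and Protected Users: an enforced policy that no workstation satisfies locks every member out at the same time.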

Windows Server 2012

Supported Domain Controller Operating System:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Windows Server 2012 forest functional level features

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

Windows Server 2012 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2008 R2 domain functional level, plus the following features:
    • The "KDC support for claims, compound authentication, and Kerberos armoring" KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level. For more information, see What's New in Kerberos Authentication.
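The KDC policy above is a Group Policy registry setting, so the functional-level dependency can be enforced in the script that sets it. The following PowerShell is an added example, not from the original page or from Microsoft: it refuses to select the two level-gated settings unless the domain is at the 2012 level, writes the KDC policy to a DC-scoped GPO, and writes the matching client-side Kerberos setting. The key paths and value names follow the KDC.admx and Kerberos.admx templates; treat them as assumptions to verify against your ADMX copy. The GPO names are hypothetical. It assumes the GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the original page): KDC claims/compound auth/armoring policy via GPO,
# gated on the Windows Server 2012 domain functional level.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Registry locations behind the two policies (assumption: from KDC.admx / Kerberos.admx).
$KdcKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$KerbKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# CbacAndArmorLevel: 0 Not supported, 1 Supported, 2 Always provide claims,
# 3 Fail unarmored authentication requests. Levels 2 and 3 need the 2012 DFL.
$LevelNames = @('Not supported', 'Supported', 'Always provide claims', 'Fail unarmored authentication requests')

function Set-KdcArmoringPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$DcGpo     = 'Default Domain Controllers Policy',
        [string]$ClientGpo = 'Kerberos Client Armoring',   # hypothetical GPO linked to member computers
        [ValidateRange(0, 3)][int]$Level = 2
    )
    $mode = (Get-ADDomain).DomainMode
    if ($Level -ge 2 -and [int]$mode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012Domain) {
        throw "Level $Level ('$($LevelNames[$Level])') requires the Windows Server 2012 DFL; the domain is at $mode."
    }
    if ($PSCmdlet.ShouldProcess($DcGpo, "KDC support for claims/armoring, level $Level ($($LevelNames[$Level]))")) {
        Set-GPRegistryValue -Name $DcGpo -Key $KdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1      | Out-Null
        Set-GPRegistryValue -Name $DcGpo -Key $KdcKey -ValueName 'CbacAndArmorLevel'  -Type DWord -Value $Level | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($ClientGpo, 'Kerberos client support for claims, compound authentication and armoring')) {
        Set-GPRegistryValue -Name $ClientGpo -Key $KerbKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
    }
}

function Get-KdcArmoringPolicy {
    # Reads back what the DC GPO currently sets, for a change record or a drift check.
    param([string]$DcGpo = 'Default Domain Controllers Policy')
    $enabled = Get-GPRegistryValue -Name $DcGpo -Key $KdcKey -ValueName 'EnableCbacAndArmor' -ErrorAction SilentlyContinue
    $level   = Get-GPRegistryValue -Name $DcGpo -Key $KdcKey -ValueName 'CbacAndArmorLevel'  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Gpo     = $DcGpo
        Enabled = ($enabled.Value -eq 1)
        Level   = $(if ($level) { $LevelNames[$level.Value] } else { 'not configured' })
    }
}

Set-KdcArmoringPolicy -Level 2 -WhatIf
Get-KdcArmoringPolicy
```

Start at level 1 (Supported) on the DCs and enable the client setting broadly before moving to level 3: "Fail unarmored authentication requests" rejects every client that has not yet received the Kerberos client policy.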

Windows Server 2008 R2

Supported Domain Controller Operating System:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

Windows Server 2008 R2 forest functional level features

  • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:
    • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

Windows Server 2008 R2 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:
    • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user's Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on the user's logon method.
    • Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes. For more information about Managed Service Accounts, see Service Accounts Step-by-Step Guide.

Windows Server 2008

Supported Domain Controller Operating System:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008

Windows Server 2008 forest functional level features

  • All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available.

Windows Server 2008 domain functional level features

  • All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
    • Distributed File System (DFS) Replication support for the System Volume (SYSVOL)

      • DFS Replication support provides more robust and detailed replication of SYSVOL contents.

        Note

        Beginning with Windows Server 2012 R2, File Replication Service (FRS) is deprecated. A new domain that is created on a domain controller that runs at least Windows Server 2012 R2 must be set to the Windows Server 2008 domain functional level or higher.

    • Domain-based DFS namespaces running in Windows Server 2008 mode, which includes support for access-based enumeration and increased scalability. Domain-based namespaces in Windows Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level. For more information, see Choose a Namespace Type.

    • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the krbtgt account password must be changed so that AES keys exist for it (see the note below on how this refresh reaches each domain controller).

      • For more information, see Kerberos Enhancements.

        Note

        Authentication errors may occur on a domain controller after the domain functional level is raised to Windows Server 2008 or higher if the domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password. In this case, restarting the KDC service on the domain controller triggers an in-memory refresh of the new krbtgt password and resolves the related authentication errors.

    • Last Interactive Logon Information displays the following information:

      • The total number of failed logon attempts at a domain-joined Windows Server 2008 server or a Windows Vista workstation
      • The total number of failed logon attempts after a successful logon to a Windows Server 2008 server or a Windows Vista workstation
      • The time of the last failed logon attempt at a Windows Server 2008 server or a Windows Vista workstation
      • The time of the last successful logon attempt at a Windows Server 2008 server or a Windows Vista workstation
    • Fine-grained password policies, which make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration.

    • Personal Virtual Desktops
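The AES note above describes a window in which a DC has the new functional level but not yet the new krbtgt secret in memory. The following PowerShell is an added example, not from the original page or from Microsoft: it reads each DC's own copy of the krbtgt account (password set time and msDS-SupportedEncryptionTypes) and compares it with the PDC emulator's, so you can tell DCs that have not replicated the change apart from DCs that have replicated it but still need the KDC restart from the note. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs for the restart; the encryption-type bit values are those defined in MS-KILE.

```powershell
# Added example (not from the original page): per-DC krbtgt replication check after raising
# the domain functional level to 2008 or higher, plus the KDC restart from the note above.
Import-Module ActiveDirectory

# Bits of msDS-SupportedEncryptionTypes (MS-KILE).
$EtypeBits = [ordered]@{ 0x1 = 'DES-CBC-CRC'; 0x2 = 'DES-CBC-MD5'; 0x4 = 'RC4-HMAC'; 0x8 = 'AES128'; 0x10 = 'AES256' }

function ConvertTo-EtypeNames {
    param([AllowNull()][int]$Value)
    if (-not $Value) { return 'not set (KDC derives AES support from the functional level)' }
    ($EtypeBits.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $EtypeBits[$_] }) -join ','
}

function Get-KrbtgtReplicationState {
    # One row per DC, read from that DC with -Server rather than from whichever DC answers first.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $ref = Get-ADUser -Identity krbtgt -Server $pdc -Properties pwdLastSet
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $seen = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet, 'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            DC              = $dc.HostName
            DomainModeSeen  = (Get-ADDomain -Server $dc.HostName).DomainMode.ToString()
            KrbtgtPwdSetUtc = [DateTime]::FromFileTimeUtc([int64]$seen.pwdLastSet)
            InSyncWithPdc   = ([int64]$seen.pwdLastSet -eq [int64]$ref.pwdLastSet)
            EncryptionTypes = ConvertTo-EtypeNames $seen.'msDS-SupportedEncryptionTypes'
        }
    }
}

function Restart-KdcOnDC {
    # The in-memory refresh from the note. Only useful on DCs that are already in sync with
    # the PDC emulator yet still log KDC errors; a DC that has not replicated needs replication fixed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($dc in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($dc, 'Restart-Service kdc')) {
            Invoke-Command -ComputerName $dc -ScriptBlock { Restart-Service -Name kdc -Force }
        }
    }
}

$state = Get-KrbtgtReplicationState
$state | Format-Table -AutoSize
# Candidates for the KDC restart: they hold the new secret but may still serve the old one.
$inSync = $state | Where-Object InSyncWithPdc | Select-Object -ExpandProperty DC
if ($inSync) { Restart-KdcOnDC -ComputerName $inSync -WhatIf }
```

A row whose `DomainModeSeen` is already the raised level but whose `InSyncWithPdc` is false is a DC that received the functional-level change before the krbtgt secret; that is the replication gap the note describes, and `repadmin /syncall` on that DC is the fix, not a KDC restart.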

Windows Server 2003

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003

Windows Server 2003 forest functional level features

  • All of the default AD DS features, and the following features, are available:
    • Forest trust
    • Domain rename
    • Linked-value replication
      • Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
    • The ability to deploy a read-only domain controller (RODC)
    • Improved Knowledge Consistency Checker (KCC) algorithms and scalability
      • The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less-intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
    • The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
    • The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
    • The ability to create instances of new group types to support role-based authorization.
      • These types are called application basic groups and LDAP query groups.
    • Deactivation and redefinition of attributes and classes in the schema. The following attributes can be reused: ldapDisplayName, schemaIdGuid, OID, and mapiID.
    • Domain-based DFS namespaces running in Windows Server 2008 mode, which includes support for access-based enumeration and increased scalability. For more information, see Choose a Namespace Type.

Windows Server 2003 domain functional level features

  • All the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available:
    • The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
    • Logon time stamp updates
      • The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
    • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
    • The ability to redirect the Users and Computers containers
      • By default, two well-known containers are provided for housing computer and user accounts, namely CN=Computers and CN=Users directly under the domain root. This feature allows the definition of a new, well-known location for these accounts.
    • The ability for Authorization Manager to store its authorization policies in AD DS
    • Constrained delegation
      • Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
      • You can restrict delegation to specific destination services only.
    • Selective authentication
      • Selective authentication makes it possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
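Constrained delegation is the feature above that most often needs both an audit and a configuration step. The following PowerShell is an added example, not from the original page or from Microsoft: it lists every account that can delegate (unconstrained, which is the dangerous form, or constrained with its target list) and configures constrained delegation for a front-end service account so that it may request tickets on users' behalf only for named back-end SPNs. The account and SPN names are hypothetical; the userAccountControl bit values are the documented TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION flags. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original page): delegation audit and constrained-delegation setup.
Import-Module ActiveDirectory

$UAC_TRUSTED_FOR_DELEGATION    = 0x80000    # unconstrained: impersonate any connecting user to any service
$UAC_TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # constrained with protocol transition ("use any protocol")

function Get-DelegationAudit {
    # Unconstrained delegation on anything other than a DC is the finding to chase first: such a host
    # holds a usable TGT of every user who connects to it. Domain controllers have the flag by design.
    $dcDns   = (Get-ADDomainController -Filter *).ComputerObjectDN
    $flagged = Get-ADObject -LDAPFilter "(|(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION)(msDS-AllowedToDelegateTo=*))" `
                            -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo'
    foreach ($o in $flagged) {
        $uac = [int]$o.userAccountControl
        $unconstrained = ($uac -band $UAC_TRUSTED_FOR_DELEGATION) -ne 0
        [pscustomobject]@{
            Account            = $o.sAMAccountName
            IsDC               = ($dcDns -contains $o.DistinguishedName)
            Type               = $(if ($unconstrained) { 'Unconstrained' } else { 'Constrained' })
            ProtocolTransition = (($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEG) -ne 0)
            Targets            = $(if ($unconstrained) { '*' } else { ($o.'msDS-AllowedToDelegateTo' -join '; ') })
        }
    }
}

function Set-ConstrainedDelegation {
    # Replaces (never appends to) the allowed-target list, so the SPN list is the whole boundary,
    # and clears TRUSTED_FOR_DELEGATION. Protocol transition stays off unless asked for: it lets
    # the service obtain tickets for users who never authenticated to it, so it widens the blast radius.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$TargetSpn,
        [switch]$ProtocolTransition
    )
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties 'msDS-AllowedToDelegateTo'
    if (-not $acct) { throw "Account '$SamAccountName' not found" }
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Constrain delegation to: $($TargetSpn -join ', ')")) {
        Set-ADObject -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
        Set-ADAccountControl -Identity $SamAccountName `
                             -TrustedForDelegation $false `
                             -TrustedToAuthForDelegation ([bool]$ProtocolTransition)
    }
}

Get-DelegationAudit | Where-Object { -not $_.IsDC } | Format-Table -AutoSize
# Hypothetical front end svc-web allowed to delegate only to two named back-end SPNs.
Set-ConstrainedDelegation -SamAccountName 'svc-web' `
    -TargetSpn 'MSSQLSvc/sql01.corp.example:1433', 'HTTP/api01.corp.example' -WhatIf
```

For a computer account pass the sAMAccountName with its trailing `$`. Remember from the 2012 R2 section that members of Protected Users cannot be delegated at all, so sensitive users should be protected there rather than relying on every service's target list being tight.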

Windows 2000

Supported Domain Controller Operating System:

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000

Windows 2000 native forest functional level features

  • All of the default AD DS features are available.

Windows 2000 native domain functional level features

  • All of the default AD DS features and the following directory features are available:
    • Universal groups for both distribution and security groups
    • Group nesting
    • Group conversion, which allows conversion between security and distribution groups
    • Security identifier (SID) history

Next Steps