Forest and Domain Functional Levels

Applies To: Windows Server

With the end of life of Windows 2003, Windows 2003 domain controllers (DCs) need to be updated to Windows Server 2008, 2012 or 2016. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

We recommend that customers update their domain functional level (DFL) and forest functional level (FFL) as part of this, since the 2003 DFL and FFL have been deprecated in Windows Server 2016 and will no longer be supported in future releases.

For customers who need additional time to evaluate moving their DFL and FFL from 2003, the 2003 DFL and FFL will continue to be supported with Windows 10 and Windows Server 2016, provided all domain controllers in the domain and forest are on Windows Server 2008, 2008 R2, 2012, 2012 R2, or 2016.

At the Windows Server 2008 and higher domain functional levels, Distributed File System (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate SYSVOL. If you created the domain at a lower functional level, you will need to migrate from FRS to DFS Replication for SYSVOL. For migration steps, you can either follow the procedures on TechNet or refer to the streamlined set of steps on the Storage Team File Cabinet blog.
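The procedure described above (inventory the DCs, confirm no Windows Server 2003 DC remains, confirm SYSVOL is on DFS Replication, then raise the domain and forest levels) can be driven from PowerShell. The following is an added example written for this page, not Microsoft's own script; it assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed, that it runs on a domain controller (dfsrmig.exe only exists there), and that the caller holds Domain Admins and Enterprise Admins rights.

```powershell
# Added example (not from the original article): assess and raise functional levels.
# Assumes the ActiveDirectory module, a DC as the execution host, and
# Domain Admins / Enterprise Admins membership.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Forest {0}: FFL = {1}" -f $forest.Name, $forest.ForestMode
"Domain {0}: DFL = {1}" -f $domain.DNSRoot, $domain.DomainMode

# 1. Inventory every DC in the forest. A Windows Server 2003 DC must be demoted
#    and removed before the level can be raised; the raise fails otherwise.
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion
}
$dcs | Format-Table -AutoSize

$legacy = $dcs | Where-Object { $_.OperatingSystem -like '*2003*' }
if ($legacy) {
    Write-Warning ('Demote these DCs before raising the level: ' + ($legacy.HostName -join ', '))
    return
}

# 2. Check the SYSVOL replication engine. dfsrmig reports the global migration
#    state; 'Eliminated' (state 3) means FRS has been retired and DFS-R owns SYSVOL.
$sysvolState = & dfsrmig.exe /getglobalstate
$sysvolState
if ($sysvolState -notmatch 'Eliminated') {
    Write-Warning 'SYSVOL is not fully on DFS Replication yet; complete the FRS-to-DFSR migration (dfsrmig /setglobalstate 1, 2, 3 in turn) so the 2008 DFL does not leave SYSVOL on a deprecated engine.'
}

# 3. Raise the domain first, then the forest. Windows Server 2008 is the minimum the
#    article recommends; both cmdlets prompt, so -Confirm:$false is used for scripting.
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain -Confirm:$false
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008Forest -Confirm:$false

# 4. Confirm the change from the PDC emulator, which is where the raise is written.
(Get-ADDomain -Server $domain.PDCEmulator).DomainMode
(Get-ADForest).ForestMode
```

The functional level raise is a one-way operation (with narrow exceptions on 2008 R2 and later that the article does not cover), which is why the script refuses to continue while a 2003 DC is still registered rather than relying on the cmdlet's own error.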

The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels. See the following resources for more information:

Windows Server 2016

Supported Domain Controller Operating System:

  • Windows Server 2016

Windows Server 2016 forest functional level features

Windows Server 2016 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2012 R2 domain functional level, plus the following features:

    • DCs can support rolling the NTLM secrets of a public-key-only user.
    • DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices.
    • Kerberos clients that successfully authenticate with the PKInit Freshness Extension will get the fresh public key identity SID.

      For more information, see What's New in Kerberos Authentication and What's New in Credential Protection.

Windows Server 2012 R2

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2

Windows Server 2012 R2 forest functional level features

  • All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.

Windows Server 2012 R2 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following features:
    • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
      • Authenticate with NTLM authentication
      • Use DES or RC4 cipher suites in Kerberos pre-authentication
      • Be delegated with unconstrained or constrained delegation
      • Renew user tickets (TGTs) beyond the initial 4 hour lifetime
    • Authentication Policies
      • New forest-based Active Directory policies that can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign on from, and to apply access control conditions for authentication to services running as an account.
    • Authentication Policy Silos
      • A new forest-based Active Directory object that creates a relationship between user, managed service, and computer accounts, used to classify accounts for authentication policies or for authentication isolation.
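The 2012 R2 DFL features above (Protected Users, Authentication Policies and Authentication Policy Silos) are usually combined to fence off Tier-0 administrators. The following is an added example, not code from the original article; it assumes the ActiveDirectory module and a 2012 R2 or higher DFL, and the names 'Tier0-AdminPolicy', 'Tier0-Silo', 'admin-jdoe' and 'DC01' are placeholders.

```powershell
# Added example (not from the original article): audit Protected Users membership
# and build an authentication policy silo. Requires the 2012 R2 DFL.
# 'Tier0-AdminPolicy', 'Tier0-Silo', 'admin-jdoe' and 'DC01' are placeholder names.
Import-Module ActiveDirectory

# Protected Users is a well-known group with RID 525 in every domain. Membership is
# what switches on the DC-side restrictions (no NTLM, no DES/RC4 pre-auth, no delegation).
$domainSid      = (Get-ADDomain).DomainSID.Value
$protectedUsers = Get-ADGroup -Identity "$domainSid-525"
$members = Get-ADGroupMember -Identity $protectedUsers -Recursive |
    Get-ADUser -Properties ServicePrincipalName

# Service accounts (anything with an SPN) stop working under Protected Users because
# delegation and RC4 are blocked, so they are the usual cause of breakage after enrolment.
$members | Where-Object { $_.ServicePrincipalName } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) carries SPNs and is in Protected Users; verify it is not a service account"
}

# Authentication policy: 2-hour TGT lifetime, and a TGT may only be obtained from a
# device whose own AuthenticationSilo claim equals the silo we are about to create.
$sddl   = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0-Silo"))'
$policy = New-ADAuthenticationPolicy -Name 'Tier0-AdminPolicy' `
    -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $sddl `
    -Enforce -PassThru

# The silo binds users, computers and services to the policy. With -Enforce the DCs
# deny a TGT that violates the condition instead of merely logging it.
$silo = New-ADAuthenticationPolicySilo -Name 'Tier0-Silo' `
    -UserAuthenticationPolicy $policy `
    -ComputerAuthenticationPolicy $policy `
    -ServiceAuthenticationPolicy $policy `
    -Enforce -PassThru

# Membership is two-sided: the silo must permit the account, and the account must
# point at the silo. Computer accounts carry a trailing '$' in sAMAccountName.
foreach ($name in @('admin-jdoe', 'DC01$')) {
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$name'"
    Grant-ADAuthenticationPolicySiloAccess -Identity $silo -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $silo
}

Get-ADAuthenticationPolicySilo -Identity 'Tier0-Silo' -Properties Members |
    Select-Object Name, Enforce, Members
```

Start with `-Enforce` omitted (audit mode) and watch for Kerberos events on the DCs before enforcing, because an enforced silo that omits a jump host or a DC silently locks the administrators out of those machines.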

Windows Server 2012

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Windows Server 2012 forest functional level features

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

Windows Server 2012 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2008 R2 domain functional level, plus the following features:
    • The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level. For more information, see What's New in Kerberos Authentication.

Windows Server 2008 R2

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

Windows Server 2008 R2 forest functional level features

  • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:
    • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.
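Enabling the Recycle Bin and using it to recover an object looks like the following. This is an added example, not code from the original article; it assumes the ActiveDirectory module, the 2008 R2 FFL, Enterprise Admins rights, and a deleted user whose placeholder sAMAccountName is 'jdoe'.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin and
# restore a deleted user with its attributes and group memberships intact.
# Requires the 2008 R2 FFL and Enterprise Admins. 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"

if (-not $feature.EnabledScopes) {
    # Enabling is irreversible: once the change replicates the feature cannot be turned off.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Deleted objects are kept under the Deleted Objects container with isDeleted=TRUE
# for msDS-DeletedObjectLifetime days. lastKnownParent records where they lived,
# and objectSid is preserved, so a restore keeps the account's ACL entries valid.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jdoe"' `
    -Properties lastKnownParent, whenChanged, objectSid, memberOf

$deleted | Select-Object Name, lastKnownParent, whenChanged, objectSid

# Restore into the original OU. If that OU was deleted too, restore the OU first
# (Restore-ADObject walks from the parent down), or pass -TargetPath to relocate.
$deleted | Restore-ADObject

Get-ADUser -Identity 'jdoe' -Properties memberOf |
    Select-Object DistinguishedName, Enabled, SID, memberOf
```

The same `isDeleted` query without the sAMAccountName clause doubles as a cheap audit of recent deletions (the `whenChanged` timestamp is the deletion time), which is useful when investigating an unexpected loss of group membership or a removed security principal.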

Windows Server 2008 R2 domain functional level features

  • All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:
    • Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user's Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user's logon method.
    • Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes. For more information about Managed Service Accounts, see Service Accounts Step-by-Step Guide.

Windows Server 2008

Supported Domain Controller Operating System:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008

Windows Server 2008 forest functional level features

  • All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available.

Windows Server 2008 domain functional level features

  • All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:

    • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)

      • DFS replication support provides more robust and detailed replication of SYSVOL contents.

        Note: Beginning with Windows Server 2012 R2, File Replication Service (FRS) is deprecated. A new domain that is created on a domain controller that runs at least Windows Server 2012 R2 must be set to the Windows Server 2008 domain functional level or higher.
    • Domain-based DFS namespaces running in Windows Server 2008 mode, which includes support for access-based enumeration and increased scalability. Domain-based namespaces in Windows Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level. For more information, see Choose a Namespace Type.

    • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.

      • For more information, see Kerberos Enhancements.

        Note: Authentication errors may occur on a domain controller after the domain functional level is raised to Windows Server 2008 or higher if the domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password. In this case, a restart of the KDC service on the domain controller will trigger an in-memory refresh of the new krbtgt password and resolve related authentication errors.
    • Last Interactive Logon Information displays the following information:

      • The total number of failed logon attempts at a domain-joined Windows Server 2008 server or a Windows Vista workstation
      • The total number of failed logon attempts after a successful logon to a Windows Server 2008 server or a Windows Vista workstation
      • The time of the last failed logon attempt at a Windows Server 2008 server or a Windows Vista workstation
      • The time of the last successful logon attempt at a Windows Server 2008 server or a Windows Vista workstation
    • Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration.
    • Personal Virtual Desktops
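The AES bullet and its note above describe a specific failure mode after the raise to the 2008 DFL: a DC that has replicated the new level but is still holding the old krbtgt secret in the KDC's memory. The check below is an added example, not code from the original article; it assumes the ActiveDirectory module, PowerShell remoting to the DCs, and Domain Admins rights. It compares every DC's replicated copy of the krbtgt account against the PDC emulator, confirms AES keys exist, and restarts the KDC service where the note says to.

```powershell
# Added example (not from the original article): verify the krbtgt refresh after
# raising the DFL to Windows Server 2008 or higher, and restart stale KDCs.
# Assumes the ActiveDirectory module, WinRM to each DC, and Domain Admins.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# The PDC emulator's copy of krbtgt is the reference; pwdLastSet is a FILETIME (Int64).
$ref     = Get-ADUser -Identity krbtgt -Server $pdc -Properties pwdLastSet, 'msDS-SupportedEncryptionTypes'
$refTime = [DateTime]::FromFileTimeUtc($ref.pwdLastSet)
"Reference krbtgt pwdLastSet (UTC): $refTime"

# msDS-SupportedEncryptionTypes bit flags: 0x08 = AES128-CTS-HMAC-SHA1, 0x10 = AES256.
# Without one of these the KDC cannot issue AES-protected TGTs regardless of the DFL.
$etypes = [int]$ref.'msDS-SupportedEncryptionTypes'
if (($etypes -band 0x18) -eq 0) {
    Write-Warning 'krbtgt has no AES key types; the krbtgt password must be changed once after the raise to generate AES keys'
}

# Walk every DC in the domain and compare its replicated krbtgt pwdLastSet. A DC whose
# value lags the PDC has not received the new secret yet; forcing replication first
# avoids restarting a KDC that would only reload the old key.
$lagging = @()
foreach ($dc in Get-ADDomainController -Filter * -Server $domain.DNSRoot) {
    $local     = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
    $localTime = [DateTime]::FromFileTimeUtc($local.pwdLastSet)
    if ($localTime -ne $refTime) {
        $lagging += $dc.HostName
        Write-Warning "$($dc.HostName): krbtgt pwdLastSet = $localTime (PDC has $refTime)"
    }
}
if ($lagging) {
    Write-Warning "Replication has not converged on: $($lagging -join ', '). Run 'repadmin /syncall' and re-check before restarting KDCs."
    return
}

# Replication has converged; the note says a KDC that cached the old secret needs a
# restart to pick the new one up. Restart the 'Kdc' service on each DC over WinRM.
foreach ($dc in Get-ADDomainController -Filter * -Server $domain.DNSRoot) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Restart-Service -Name Kdc }
    "Restarted KDC on $($dc.HostName)"
}
```

Restart the KDCs one at a time during a maintenance window; the service restart is brief, but clients that were mid-exchange with that DC will retry against another one.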
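For the fine-grained password policy bullet above, this added example (not code from the original article) creates a Password Settings Object for privileged accounts and shows the constraint the article states, namely that subjects must be users or global security groups. It assumes the ActiveDirectory module and the 2008 DFL; 'PSO-PrivilegedAccounts' and 'admin-jdoe' are placeholder names.

```powershell
# Added example (not from the original article): a fine-grained password and
# lockout policy for privileged accounts. Requires the 2008 DFL.
# 'PSO-PrivilegedAccounts' and 'admin-jdoe' are placeholder names.
Import-Module ActiveDirectory

# Lower Precedence wins when several PSOs apply to one user; 10 leaves room for
# more specific policies to override this one later.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# PSOs apply only to user objects and *global* security groups. Universal or
# domain-local groups are rejected, so filter candidate groups by scope first.
$candidates = @('Domain Admins', 'Schema Admins', 'Account Operators')
$subjects = foreach ($g in $candidates) {
    $grp = Get-ADGroup -Identity $g
    if ($grp.GroupScope -eq 'Global' -and $grp.GroupCategory -eq 'Security') { $grp }
    else { Write-Warning "$g is $($grp.GroupScope)/$($grp.GroupCategory); not a valid PSO subject" }
}
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects $subjects

# The resultant policy resolves precedence for one account; an empty result means
# the account falls back to the Default Domain Policy settings.
Get-ADUserResultantPasswordPolicy -Identity 'admin-jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

Checking the resultant policy is the important step: a PSO linked to a group that the administrator is not a direct or nested member of, or outranked by a lower-precedence PSO, applies nothing, and the account keeps the weaker domain default without any error.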

Windows Server 2003

Supported Domain Controller Operating System:

  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003

Windows Server 2003 forest functional level features

  • All of the default AD DS features, and the following features, are available:
    • Forest trust
    • Domain rename
    • Linked-value replication
      • Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
    • The ability to deploy a read-only domain controller (RODC)
    • Improved Knowledge Consistency Checker (KCC) algorithms and scalability
      • The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism than the one used for choosing the ISTG at the Windows 2000 forest functional level.
    • The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
    • The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
    • The ability to create instances of new group types to support role-based authorization.
      • These types are called application basic groups and LDAP query groups.
    • Deactivation and redefinition of attributes and classes in the schema. The following attributes can be reused: ldapDisplayName, schemaIdGuid, OID, and mapiID.
    • Domain-based DFS namespaces running in Windows Server 2008 mode, which includes support for access-based enumeration and increased scalability. For more information, see Choose a Namespace Type.

Windows Server 2003 domain functional level features

  • All the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available:
    • The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
    • Logon time stamp updates
      • The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
    • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
    • The ability to redirect the Users and Computers containers
      • By default, two well-known containers are provided for housing computer and user accounts, namely cn=Computers, and cn=Users,. This feature allows the definition of a new, well-known location for these accounts.
    • The ability for Authorization Manager to store its authorization policies in AD DS
    • Constrained delegation
      • Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
      • You can restrict delegation to specific destination services only.
    • Selective authentication
      • Selective authentication makes it possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
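The constrained delegation bullets above describe the 2003 DFL feature that lets delegation be limited to named destination services; in practice a defender wants to know which accounts in the domain are configured for which kind of delegation. The audit below is an added example, not code from the original article; it assumes only the ActiveDirectory module and read access to the domain, and it relies on the documented userAccountControl flag values and the msDS-AllowedToDelegateTo attribute.

```powershell
# Added example (not from the original article): inventory Kerberos delegation
# settings in the domain. Requires only the ActiveDirectory module and read rights.
Import-Module ActiveDirectory

# userAccountControl bit flags relevant to delegation:
#   0x0080000  TRUSTED_FOR_DELEGATION         -> unconstrained delegation
#   0x1000000  TRUSTED_TO_AUTH_FOR_DELEGATION -> constrained with protocol transition
#   0x0100000  NOT_DELEGATED                  -> "account is sensitive and cannot be delegated"
$UF_TRUSTED_FOR_DELEGATION         = 0x0080000
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
$UF_NOT_DELEGATED                  = 0x0100000
$bitAnd = '1.2.840.113556.1.4.803'   # LDAP bitwise-AND matching rule OID

# 1. Unconstrained delegation. Domain controllers (primaryGroupID 516) and RODCs (521)
#    are unconstrained by design, so they are excluded; any other hit is a review item
#    because that host can reuse the TGT of every user who authenticates to it.
$unconstrainedFilter = "(&(|(objectClass=user)(objectClass=computer))" +
    "(userAccountControl:${bitAnd}:=$UF_TRUSTED_FOR_DELEGATION)" +
    "(!(primaryGroupID=516))(!(primaryGroupID=521)))"
$unconstrained = Get-ADObject -LDAPFilter $unconstrainedFilter -Properties sAMAccountName, objectClass
foreach ($o in $unconstrained) {
    [pscustomobject]@{ Account = $o.sAMAccountName; Type = $o.objectClass; Delegation = 'Unconstrained'; Targets = '*' }
}

# 2. Constrained delegation: msDS-AllowedToDelegateTo lists the permitted destination
#    SPNs. Protocol transition (the extra flag) lets the service obtain tickets for a
#    user without that user's Kerberos ticket, so it deserves a closer look.
$constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties sAMAccountName, objectClass, userAccountControl, 'msDS-AllowedToDelegateTo'
foreach ($o in $constrained) {
    $transition = ([int]$o.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    [pscustomobject]@{
        Account    = $o.sAMAccountName
        Type       = $o.objectClass
        Delegation = if ($transition) { 'Constrained + protocol transition' } else { 'Constrained' }
        Targets    = ($o.'msDS-AllowedToDelegateTo' -join '; ')
    }
}

# 3. Privileged users should carry NOT_DELEGATED so no service can delegate them at all.
#    Report Domain Admins that lack the flag.
$notDelegatedFilter = "(userAccountControl:${bitAnd}:=$UF_NOT_DELEGATED)"
$flagged = (Get-ADUser -LDAPFilter $notDelegatedFilter).SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $flagged -notcontains $_.SamAccountName } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is a Domain Admin without the 'cannot be delegated' flag" }
```

The output is worth keeping as a baseline: a newly appearing unconstrained host, or a constrained entry whose target list grew, is a change that should match a known deployment, and the same flags feed the Protected Users decision described under the 2012 R2 domain functional level.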

Windows 2000

Supported Domain Controller Operating System:

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000

Windows 2000 native forest functional level features

  • All of the default AD DS features are available.

Windows 2000 native domain functional level features

  • All of the default AD DS features and the following directory features are available:
    • Universal groups for both distribution and security groups
    • Group nesting
    • Group conversion, which allows conversion between security and distribution groups
    • Security identifier (SID) history

Next Steps