Understanding Active Directory Domain Services (AD DS) Functional Levels

Applies To: Windows Server 2012 R2, Windows Server 2012

Important

The following documentation was written in 2013 and is provided for historical purposes only. Currently we are reviewing this documentation and it is subject to change. It may not reflect current best practices.

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. For example, if you are sure that you will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process. However, if you might retain or add domain controllers that run Windows Server 2003, select the Windows Server 2003 functional level.

When you deploy a new forest, you are prompted to set the forest functional level and then set the domain functional level. You cannot set the domain functional level to a value that is lower than the forest functional level. For example, if you set the forest functional level to Windows Server 2008, you can set the domain functional level only to Windows Server 2008. In this case, the Windows 2000 native and Windows Server 2003 domain functional level values are not available. In addition, all domains that you subsequently add to that forest have the Windows Server 2008 domain functional level by default.

You can set the domain functional level to a value that is higher than the forest functional level. For example, if the forest functional level is Windows Server 2003, you can set the domain functional level to Windows Server 2003 or higher.

The following sections describe the features that are available at the different functional levels.

Features that are available at domain functional levels

The following table shows the features that are available at each domain functional level.

Domain functional level | Available features | Supported domain controller operating systems

Windows 2000 native

Available features: All of the default AD DS features and the following directory features are available:

- Universal groups for both distribution and security groups
- Group nesting
- Group conversion, which allows conversion between security and distribution groups
- Security identifier (SID) history

Note: In Windows Server 2008 R2, the Personal Virtual Desktop feature was introduced. It requires the Windows 2000 native domain functional level. To deploy personal virtual desktops, your schema for the Active Directory forest must be at least Windows Server 2008. To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, you must run Active Directory Users and Computers from a computer running Windows Server 2008 R2 or a computer running Windows 7 that has Remote Server Administration Tools (RSAT) installed.

Supported domain controller operating systems:

- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows 2000

Windows Server 2003

Available features: All the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available:

- The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers
- Logon time stamp updates
  The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
- The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects
- The ability to redirect Users and Computers containers
  By default, two well-known containers are provided for housing computer and user accounts, namely, cn=Computers and cn=Users. This feature allows the definition of a new, well-known location for these accounts.
- The ability for Authorization Manager to store its authorization policies in AD DS
- Constrained delegation
  Constrained delegation makes it possible for applications to take advantage of the secure delegation of user credentials by means of Kerberos-based authentication.
  You can restrict delegation to specific destination services only.
- Selective authentication
  Selective authentication makes it possible for you to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Supported domain controller operating systems:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003

Windows Server 2008

Available features: All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:

  • Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL)

    DFS replication support provides more robust and detailed replication of SYSVOL contents. Note: Beginning with Windows Server 2012 R2, File Replication Service (FRS) is deprecated. A new domain that is created on a domain controller that runs at least Windows Server 2012 R2 must be set to the Windows Server 2008 domain functional level or higher.
  • Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. Domain-based namespaces in Windows Server 2008 mode also require the forest to use the Windows Server 2003 forest functional level. For more information, see Choose a Namespace Type (http://go.microsoft.com/fwlink/?LinkId=180400).
  • Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed. Note: Authentication errors may occur on a domain controller after the domain functional level is raised to Windows Server 2008 or higher if the domain controller has already replicated the DFL change but has not yet refreshed the krbtgt password. In this case, a restart of the KDC service on the domain controller will trigger an in-memory refresh of the new krbtgt password and resolve related authentication errors.

    For more information, see Kerberos Enhancements.
  • Last Interactive Logon Information

    Last Interactive Logon Information displays the following information:

    • The total number of failed logon attempts at a domain-joined Windows Server 2008 server or a Windows Vista workstation
    • The total number of failed logon attempts after a successful logon to a Windows Server 2008 server or a Windows Vista workstation
    • The time of the last failed logon attempt at a Windows Server 2008 or a Windows Vista workstation
    • The time of the last successful logon attempt at a Windows Server 2008 server or a Windows Vista workstation

    For more information, see Active Directory Domain Services: Last Interactive Logon (http://go.microsoft.com/fwlink/?LinkId=180387).
  • Fine-grained password policies

    Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain. For more information, see Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (http://go.microsoft.com/fwlink/?LinkID=91477).
  • Personal Virtual Desktops

    To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, your AD DS schema must be extended for Windows Server 2008 R2 (schema object version = 47). For more information, see Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=183552).

Supported domain controller operating systems:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008

Windows Server 2008 R2

Available features: All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following features:

- Authentication mechanism assurance, which packages information about the type of logon method (smart card or user name/password) that is used to authenticate domain users inside each user's Kerberos token. When this feature is enabled in a network environment that has deployed a federated identity management infrastructure, such as Active Directory Federation Services (AD FS), the information in the token can then be extracted whenever a user attempts to access any claims-aware application that has been developed to determine authorization based on a user's logon method.
- Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes. For more information about Managed Service Accounts, see Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=180401).

Supported domain controller operating systems:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2

Windows Server 2012

Available features: The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. For more information, see What's New in Kerberos Authentication.

Supported domain controller operating systems:

- Windows Server 2012 R2
- Windows Server 2012

Windows Server 2012 R2

Available features:

  • DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

    • Authenticate with NTLM authentication
    • Use DES or RC4 cipher suites in Kerberos pre-authentication
    • Be delegated with unconstrained or constrained delegation
    • Renew user tickets (TGTs) beyond the initial 4 hour lifetime
  • Authentication Policies

    New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign on from and apply access control conditions for authentication to services running as an account.
  • Authentication Policy Silos

    New forest-based Active Directory object, which can create a relationship between user, managed service and computer accounts, to be used to classify accounts for authentication policies or for authentication isolation.

Supported domain controller operating systems:

- Windows Server 2012 R2

Features that are available at forest functional levels

The following table shows the features that are available at each forest functional level.

Forest functional level | Available features | Supported domain controllers

Windows 2000

Available features: All of the default AD DS features are available.

Supported domain controllers:

- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows 2000

Windows Server 2003

Available features: All of the default AD DS features, and the following features, are available:

- Forest trust
- Domain rename
- Linked-value replication
  Linked-value replication makes it possible for you to change group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit. Storing and replicating the values of individual members uses less network bandwidth and fewer processor cycles during replication, and prevents you from losing updates when you add or remove multiple members concurrently at different domain controllers.
- The ability to deploy a read-only domain controller (RODC)
- Improved Knowledge Consistency Checker (KCC) algorithms and scalability
  The intersite topology generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than AD DS can support at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less-intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
- The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition
- The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction
- The ability to create instances of new group types to support role-based authorization.
  These types are called application basic groups and LDAP query groups.
- Deactivation and redefinition of attributes and classes in the schema. The following attributes can be reused: ldapDisplayName, schemaIdGuid, OID, and mapiID.
- Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability. For more information, see Choose a Namespace Type (http://go.microsoft.com/fwlink/?LinkId=180400).

Supported domain controllers:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003

Windows Server 2008

Available features: All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available. All domains that are subsequently added to the forest, however, operate at the Windows Server 2008 domain functional level by default.

Supported domain controllers:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008

Windows Server 2008 R2

Available features: All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

- Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.

Supported domain controllers:

- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2

Windows Server 2012

Available features: All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Supported domain controllers:

- Windows Server 2012 R2
- Windows Server 2012

Windows Server 2012 R2

Available features: All of the features that are available at the Windows Server 2012 forest functional level, but no additional features.

All domains that are subsequently added to the forest will operate at the Windows Server 2012 R2 domain functional level by default.

Supported domain controllers:

- Windows Server 2012 R2

Guidelines for raising domain and forest functional levels

The following guidelines apply to raising the domain or forest functional levels:

  • You must be a member of the Domain Admins group to raise the domain functional level.

  • You must be a member of the Enterprise Admins group to raise the forest functional level.

  • You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The AD DS administrative tools that you use to raise the domain functional level (the Active Directory Domains and Trusts snap-in and the Active Directory Users and Computers snap-in) automatically target the PDC emulator when you raise the domain functional level.

  • You can raise the forest functional level on the schema operations master only. Active Directory Domains and Trusts automatically targets the schema operations master when you raise the forest functional level.

  • You can raise the functional level of a domain only if all domain controllers in the domain run the version or versions of Windows Server that the new functional level supports.

  • You can raise the functional level of a forest only if all domain controllers in the forest run the version or versions of Windows Server that the new functional level supports.

  • You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.

  • With versions of Windows Server that are earlier than Windows Server 2008 R2, you cannot roll back or lower a functional level under any circumstances. If you have to revert to a lower functional level with a version of Windows Server that is earlier than Windows Server 2008 R2, you must rebuild the domain or forest or restore it from a backup copy.

  • After you set the domain functional level, you cannot roll back or lower the domain functional level except in the cases listed in the following table. The domain functional level can be lowered only by using Windows PowerShell. For more information, see Set-ADDomainMode.

    | Current domain functional level | Current forest functional level | Rollback options |
    | --- | --- | --- |
    | Windows Server 2012 R2 | Windows Server 2012 R2 | None unless you first lower forest functional level |
    | Windows Server 2012 R2 | Windows Server 2012 | Windows Server 2012 |
    | Windows Server 2012 R2 | Windows Server 2008 R2 | Windows Server 2012 or Windows Server 2008 R2 |
    | Windows Server 2012 R2 | Windows Server 2008 | Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008 |
    | Windows Server 2012 | Windows Server 2012 | None unless you first lower forest functional level |
    | Windows Server 2012 | Windows Server 2008 R2 | Windows Server 2008 R2 |
    | Windows Server 2012 | Windows Server 2008 | Windows Server 2008 R2 or Windows Server 2008 |
    | Windows Server 2008 R2 | Windows Server 2008 R2 | None unless you first lower forest functional level |
    | Windows Server 2008 R2 | Windows Server 2008 | Windows Server 2008 |
    | Windows Server 2008 or lower | Windows Server 2008 or lower | None |
  • After you set the forest functional level, you cannot roll back or lower the forest functional level except in the cases listed in the following table. The forest functional level can be lowered only by using Windows PowerShell. For more information, see Set-ADForestMode. For more information about the Active Directory Recycle Bin, see What's New in AD DS: Active Directory Recycle Bin (http://go.microsoft.com/fwlink/?LinkId=141392).

    | Current forest functional level | Recycle Bin enabled? | Rollback options |
    | --- | --- | --- |
    | Windows Server 2012 R2 | Yes | Windows Server 2012 or Windows Server 2008 R2 |
    | Windows Server 2012 R2 | No | Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 |
    | Windows Server 2012 | Yes | Windows Server 2008 R2 |
    | Windows Server 2012 | No | Windows Server 2008 R2 or Windows Server 2008 |
    | Windows Server 2008 R2 | Yes | None |
    | Windows Server 2008 R2 | No | Windows Server 2008 |
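
A pre-change check for the domain guidelines above, added here as an example and not part of the original Microsoft documentation: it reports the domain controllers that block a raise and lists the rollback targets that the domain rollback table allows. Function names, host names and the sample inventory are constructed for illustration; treating Windows Server 2008 as the lowest rollback target when the forest sits below it is an assumption extrapolated from the table.

```powershell
# Added example: function and variable names are hypothetical.
# Levels in ascending order, as listed in the tables on this page. Windows 2000
# and releases newer than this page are deliberately treated as unknown (-1).
$LevelOrder = @('2003', '2008', '2008 R2', '2012', '2012 R2')

function Get-LevelRank {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Name)
    # Handles display names ("Windows Server 2012 R2 Standard") and the enum
    # names shown by Get-ADDomain / Get-ADForest ("Windows2012R2Domain").
    if ($Name -match '(2003|2008|2012)\s*(R2)?') {
        $key = $Matches[1]
        if ($Matches[2]) { $key = "$key R2" }
        return [array]::IndexOf($LevelOrder, $key)
    }
    return -1
}

function Test-DomainRaiseReadiness {
    param(
        [Parameter(Mandatory)][string]$TargetLevel,
        [Parameter(Mandatory)][string]$CurrentDomainLevel,
        [Parameter(Mandatory)][string]$ForestLevel,
        [Parameter(Mandatory)][object[]]$DomainControllers
    )
    $target   = Get-LevelRank $TargetLevel
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($target -lt 0) {
        $findings.Add("Target level '$TargetLevel' is not covered by this check.")
    }
    else {
        # Guideline: the domain level cannot be lower than the forest level.
        if ($target -lt (Get-LevelRank $ForestLevel)) {
            $findings.Add("Target is lower than the forest level '$ForestLevel'.")
        }
        # Anything at or below the current level is a rollback, not a raise.
        if ($target -le (Get-LevelRank $CurrentDomainLevel)) {
            $findings.Add("Target is not higher than '$CurrentDomainLevel'; see the rollback table.")
        }
        # Guideline: every DC in the domain must run a supported version.
        foreach ($dc in $DomainControllers) {
            $rank = Get-LevelRank $dc.OperatingSystem
            if ($rank -lt 0) {
                $findings.Add("$($dc.HostName): unrecognised OS '$($dc.OperatingSystem)', verify manually.")
            }
            elseif ($rank -lt $target) {
                $findings.Add("$($dc.HostName): '$($dc.OperatingSystem)' is below $TargetLevel.")
            }
        }
    }
    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

function Get-DomainRollbackOptions {
    param(
        [Parameter(Mandatory)][string]$CurrentDomainLevel,
        [Parameter(Mandatory)][string]$ForestLevel
    )
    $current = Get-LevelRank $CurrentDomainLevel
    # Never below the forest level; assumed never below Windows Server 2008.
    $floor = [Math]::Max((Get-LevelRank $ForestLevel), (Get-LevelRank '2008'))
    @($LevelOrder | Where-Object {
        $r = [array]::IndexOf($LevelOrder, $_)
        $r -lt $current -and $r -ge $floor
    } | ForEach-Object { "Windows Server $_" })
}

# Constructed sample inventory (not real hosts). Against a live domain, with the
# ActiveDirectory module loaded, the same inputs come from:
#   (Get-ADDomain).DomainMode, (Get-ADForest).ForestMode,
#   Get-ADDomainController -Filter *   # exposes HostName and OperatingSystem
$sampleDCs = @(
    [pscustomobject]@{ HostName = 'dc01.example.test'; OperatingSystem = 'Windows Server 2012 R2 Standard' },
    [pscustomobject]@{ HostName = 'dc02.example.test'; OperatingSystem = 'Windows Server 2008 R2 Enterprise' }
)

$result = Test-DomainRaiseReadiness -TargetLevel 'Windows Server 2012 R2' `
    -CurrentDomainLevel 'Windows2008R2Domain' -ForestLevel 'Windows2008Forest' `
    -DomainControllers $sampleDCs
$result.Ready
$result.Findings

Get-DomainRollbackOptions -CurrentDomainLevel 'Windows2012R2Domain' -ForestLevel 'Windows2008R2Forest'
```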