joeware - never stop exploring... :)

What is DFL3? or What is FFL2?

by @ 8:00 pm on 11/15/2010. Filed under tech

On a regular basis I will say some tool or app or something requires DFL2 or DFL3 or FFL2 or something like that, and I am still amazed how many people do not know what that means. I get responses like “huh? I don’t think I have that tool.” or “I typed in DFL2 and it says it is a bad command.”

DFL stands for Domain Functional Level. It tells you quickly the minimum OS level that the Domain Controllers in a given domain must be at. FFL stands for Forest Functional Level, and as you may surmise, it tells you the minimum level that the Domain Controllers must be at across the entire forest. Here is a nice KB about it all: http://support.microsoft.com/kb/322692.

These functional levels are important because certain types of functionality only become available once you reach certain functional levels. A few “important” FLs that I regularly mention:

  • DFL2 – Windows Server 2003 Domain Functional Level. This DFL gets you the lastLogonTimeStamp attribute.
  • FFL2 – Windows Server 2003 Forest Functional Level. This FFL gets you Linked Value Replication (LVR), which is a pretty substantial change in how your replication works. To most people that means that when a single member of a group changes you no longer replicate the entire group membership, you replicate just the changed values. It means that you can avoid a particularly nasty replication error due to version store exhaustion that you could hit with very large groups, and it also means that you get the opportunity to experience lingering backlinks.
  • DFL3 – Windows Server 2008 Domain Functional Level. This gets you Fine Grained Password Policy.
  • FFL4 – Windows Server 2008 R2 Forest Functional Level. This gets you to a state that you can enable the AD Recycle Bin.

You may ask… but why would they need to do this… Because when you are writing operating systems, you can’t always back port every function to every old version of the OS. This could be due to substantial changes in the new OS that just won’t allow the change to be ported backwards, or it could be more costly than it is worth, or it could be a desire to get people to upgrade to the new versions so you can stop supporting the old versions or, say, make money on selling new versions of the OS. So you have to set a minimum bar, and the bar is set via the DFL and FFL requirements. You want the whole domain or the whole forest to be at that required level because you want consistency. Say you only have fine grained password policy working on 1/3 of your domain controllers, how much fun would that be for your users? Not much at all if I can hazard a guess. You would need to know the OS of the DC you are talking to before you could know what kind of password you might be able to use or whether you will lock out or not after some given number of bad attempts. Or from a replication standpoint, if 1/4 of your DCs know about LVR but the other 3/4 don’t, that would be a pain in the butt to deal with even if MSFT said, we will waste the time to write the code to make this work for you by sending the whole group membership to those 3/4 that don’t know LVR.

Here is a quick pair of tables to tell you the DFL/FFL numbers and their related OS level…

DFL Level   OS Version
0           Windows 2000
1           Windows Server 2003 (interim)
2           Windows Server 2003
3           Windows Server 2008
4           Windows Server 2008 R2

FFL Level   OS Version
0           Windows 2000
1           Windows Server 2003 (interim)
2           Windows Server 2003
3           Windows Server 2008
4           Windows Server 2008 R2

If you are looking at the values of “1” and thinking, “WTF is that?”, don’t worry about it. It is rare, and unless you are a developer of AD software or actually dealing with a situation that requires you to be involved with a D/FFL1 environment, you don’t need to worry about it. I personally have never seen one in actual production, only in test labs. If you want to learn what it is, knock yourself out; I am not going to spend any more time on it here.

BTW, you can easily ascertain what functional levels you are at with AdFind by querying the RootDSE of a DC.

Ex 1:

C:\>adfind -rootdse domaincontrollerfunctionality domainfunctionality forestfunctionality

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: TEST-DC1.test.loc:389
Directory: Windows Server 2003

dn:
>domainFunctionality: 2 [Windows Server 2003 Domain Mode]
>forestFunctionality: 2 [Windows Server 2003 Forest Mode]
>domainControllerFunctionality: 2 [Windows Server 2003 Mode]

1 Objects returned

Ex 2:

C:\temp>adfind -rootdse domaincontrollerfunctionality domainfunctionality forestfunctionality

AdFind V01.42.00cpp Joe Richards (joe@joeware.net) April 2010

Using server: K8R2Dom-DC01.K8R2Dom.loc:389
Directory: Windows Server 2008 R2

dn:
>domainFunctionality: 4 [Windows Server 2008 R2 Domain Mode]
>forestFunctionality: 4 [Windows Server 2008 R2 Forest Mode]
>domainControllerFunctionality: 4 [Windows Server 2008 R2 Mode]

1 Objects returned
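If you would rather not depend on AdFind, the same three RootDSE attributes can be read with plain ADSI from PowerShell. The script below is an added example, not part of the original post and not AdFind's code; it maps the numbers to the tables above and reports which of the features called out in this post the domain and forest are at the right level for. It assumes a domain-joined Windows box that can reach a DC; the -Server parameter is my own, optional, and takes a DC hostname.

```powershell
# Added example (not from the original post or AdFind): read the RootDSE
# functionality attributes and map them to the DFL/FFL tables above.
# Assumes a domain-joined machine; -Server is an optional DC hostname.
param([string]$Server)

$path = if ($Server) { "LDAP://$Server/RootDSE" } else { "LDAP://RootDSE" }
$rootdse = [ADSI]$path

# DFL/FFL number -> OS version, exactly as in the tables in the post.
$LevelName = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 (interim)'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
}

function Get-FunctionalLevel([System.DirectoryServices.DirectoryEntry]$Entry, [string]$Attr) {
    $v = $Entry.Properties[$Attr].Value
    # Windows 2000 DCs do not publish these attributes at all; that is level 0.
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Describe([int]$Level) {
    $name = if ($LevelName.ContainsKey($Level)) { $LevelName[$Level] } else { 'newer than this table' }
    return "$Level [$name]"
}

$dfl  = Get-FunctionalLevel $rootdse 'domainFunctionality'
$ffl  = Get-FunctionalLevel $rootdse 'forestFunctionality'
$dcfl = Get-FunctionalLevel $rootdse 'domainControllerFunctionality'

"Server   : $($rootdse.Properties['dnsHostName'].Value)"
"DFL      : $(Describe $dfl)"
"FFL      : $(Describe $ffl)"
"DC level : $(Describe $dcfl)   (this DC only; the DFL can never exceed the lowest DC)"

# Feature gates from the post. FFL4 only lets you enable the Recycle Bin; it is still off by default.
$Gates = @(
    @{ Feature = 'lastLogonTimeStamp attribute';    Scope = 'DFL'; Min = 2 },
    @{ Feature = 'Linked Value Replication (LVR)';  Scope = 'FFL'; Min = 2 },
    @{ Feature = 'Fine Grained Password Policy';    Scope = 'DFL'; Min = 3 },
    @{ Feature = 'AD Recycle Bin (can be enabled)'; Scope = 'FFL'; Min = 4 }
)
foreach ($g in $Gates) {
    $have  = if ($g.Scope -eq 'DFL') { $dfl } else { $ffl }
    $state = if ($have -ge $g.Min) { 'level OK' } else { "needs $($g.Scope)$($g.Min)" }
    "{0,-32} {1}" -f $g.Feature, $state
}
```

Because domainControllerFunctionality describes only the DC you happened to bind to, run it against each DC (or use the -Server parameter in a loop) if you want to know which one is holding the domain back from a raise.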

   joe

One Response to “What is DFL3? or What is FFL2?”

  1. Mike Kline says:

    We can’t type all that out 🙂

    adfind -sc modes

    once again joe…thanks for the tool, love the shortcuts
