Domain Functional Levels
The functional level at which a domain is configured affects an entire domain, but it affects that domain only. Within a Windows Server 2003 Active Directory forest, you can configure different domains to different domain functional levels, according to the versions of Windows deployed within each domain as domain controllers. As such, features that are available in a domain configured at one domain functional level might not be available in another domain within the same forest that is configured at a different domain functional level.

Windows Server 2003 Active Directory supports four domain functional levels: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.

Each of the four domain functional levels available in Windows Server 2003 is discussed in the following sections, including the capabilities and limitations associated with each.
Windows 2000 Mixed
After installing the first domain controller running Windows Server 2003 in a new domain, the domain functional level is set to Windows 2000 mixed by default. The Windows 2000 mixed domain functional level allows a Windows Server 2003 domain controller to interact with other domain controllers running Windows NT 4.0, Windows 2000, or Windows Server 2003, as illustrated in Figure 1. In this way, the Windows 2000 mixed domain functional level is similar to mixed mode in Windows 2000 Active Directory environments.
Although the Windows 2000 mixed domain functional level provides the flexibility to support different versions of Windows as domain controllers during the process of migrating a domain to Windows Server 2003 Active Directory, this functional level does not support many new or existing Active Directory features available when a domain is configured at the Windows 2000 native or Windows Server 2003 domain functional levels. For example, domains configured at the Windows 2000 mixed functional level do not support universal security groups, the nesting of security groups, converting groups from one type to another, the ability to rename domain controllers, and more.
Note: Although the default domain functional level for Windows Server 2003 Active Directory is Windows 2000 mixed, the default domain functional level might be different if you are upgrading a domain from Windows 2000 to Windows Server 2003. For example, if the domain controller being upgraded is part of a Windows 2000 domain configured in native mode, the domain functional level after the upgrade will be Windows 2000 native rather than Windows 2000 mixed.
Windows 2000 Native
The Windows 2000 native domain functional level allows a domain controller running Windows Server 2003 to interact with other domain controllers running Windows 2000 or Windows Server 2003, as illustrated in Figure 2. Unlike the Windows 2000 mixed domain functional level, the Windows 2000 native domain functional level does not support domain controllers running Windows NT 4.0. In this way, the Windows 2000 native domain functional level is somewhat similar to native mode in Windows 2000 Active Directory environments.
Although the Windows 2000 native domain functional level provides the flexibility to support both Windows 2000 and Windows Server 2003 domain controllers during the process of migrating a domain to Windows Server 2003 Active Directory, this domain functional level does not support some of the new domain features available in Windows Server 2003. For example, while domains configured at the Windows 2000 native functional level do support universal groups, the nesting of security groups, and converting groups from one type to another, this domain functional level still lacks the ability to rename domain controllers, as well as other new features we will look at shortly.
Windows Server 2003 Interim
The Windows Server 2003 interim domain functional level is a special functional level that applies only to domains being upgraded from Windows NT 4.0 to Windows Server 2003 Active Directory. This domain functional level supports only domain controllers running Windows NT 4.0 and Windows Server 2003, as shown in Figure 3.
Tip: The Windows Server 2003 interim domain functional level does not support domain controllers running Windows 2000.
The Windows Server 2003 interim functional level is subject to the same feature limitations as the Windows 2000 mixed domain functional level.
Windows Server 2003
Once all domain controllers in a domain are running Windows Server 2003, the domain can be raised to the Windows Server 2003 domain functional level. At the Windows Server 2003 domain functional level, neither Windows 2000 nor Windows NT 4.0 domain controllers are supported. The main advantage of the Windows Server 2003 domain functional level is that it allows you to use all the new domain features available in Windows Server 2003 Active Directory. Table 1 outlines the new domain features of Windows Server 2003 Active Directory and describes the level of support for each feature in the various domain functional levels.
Table 1. Features Enabled by Domain Functional Level
Domain Feature | Windows 2000 Mixed/Windows Server 2003 Interim | Windows 2000 Native | Windows Server 2003
---|---|---|---
Domain controller rename tool | Disabled. | Disabled. | Enabled.
Update logon timestamp | Disabled. | Disabled. | Enabled.
User password on InetOrgPerson object | Disabled. | Disabled. | Enabled.
Universal groups | Enabled for distribution groups. Disabled for security groups. | Enabled. Allows security and distribution groups. | Enabled. Allows security and distribution groups.
Group nesting | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting. | Enabled. Allows full group nesting.
Converting groups | Disabled. No group conversions allowed. | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups.
SID history | Disabled. | Enabled. Allows migration of security principals from one domain to another. | Enabled. Allows migration of security principals from one domain to another.
Note: Changing a domain functional level is a one-way process only; once you raise the functional level of a domain, you cannot return to a previously configured level.
Table 1 describes the status of domain-wide features in each domain functional level.

Tip: Ensure that you are familiar with the various domain functional levels in Windows Server 2003, including the versions of domain controllers supported in each and the capabilities available in one domain functional level versus another.
To change the domain functional level to Windows 2000 native or Windows Server 2003, complete the following steps:

1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.
2. Right-click the domain object whose domain functional level should be changed, and then click Raise Domain Functional Level.
   Note: To raise the functional level of a domain, you must be a member of either the Domain Admins group in that domain or the Enterprise Admins group in the forest root domain, or you must have been delegated the proper authority.
3. In the Select An Available Domain Functional Level drop-down box, select the domain functional level you want, as illustrated in Figure 4. Click Raise.
4. In the Raise Domain Functional Level message box, click OK.
Note: If you plan to install Windows Server 2003 domain controllers into an existing Windows 2000 domain, or upgrade a Windows 2000 domain controller to Windows Server 2003, you first need to run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the Schema Master and Infrastructure Master roles. This utility is located in the I386 directory of the Windows Server 2003 installation CD-ROM. The adprep /forestprep command must be issued on the Windows 2000 server holding the Schema Master role in the forest root domain to prepare the existing schema to support Windows Server 2003 Active Directory. The adprep /domainprep command must be issued on the server currently holding the Infrastructure Master role in each domain where a Windows Server 2003 domain controller will be deployed. Until these steps are completed, a Windows Server 2003 domain controller cannot be added to an existing Windows 2000 domain environment.
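Before running Adprep.exe you need to know which servers hold the two roles named in the note, and whether /forestprep has already been applied. The following script is an added example and is not part of the training kit; it reads the role holders through ADSI and reports the schema version. It assumes read access to the schema and domain partitions from a domain-joined host, and it relies on the documented schema objectVersion values (13 for Windows 2000, 30 for Windows Server 2003). The Infrastructure Master it reports is the one for the domain of the computer running the script.

```powershell
# Added example (not from the training kit): locate the Schema Master and the
# Infrastructure Master and check whether adprep /forestprep has been applied.
# Assumptions: ADSI read access to the schema and domain partitions; the
# objectVersion values are the documented schema versions
# (13 = Windows 2000 schema, 30 = Windows Server 2003 schema).

function Get-FsmoHolderDnsName {
    # fSMORoleOwner holds the DN of the role holder's NTDS Settings object;
    # its parent is the server object, which carries dNSHostName.
    param([string]$NtdsSettingsDn)
    $ntds = [ADSI]"LDAP://$NtdsSettingsDn"
    [string]$ntds.Parent.Properties['dNSHostName'].Value
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
$domainNc = [string]$rootDse.Properties['defaultNamingContext'].Value

# The Schema Master is recorded on the schema naming context itself.
$schema        = [ADSI]"LDAP://$schemaNc"
$schemaVersion = [int]$schema.Properties['objectVersion'].Value
$schemaMaster  = Get-FsmoHolderDnsName ([string]$schema.Properties['fSMORoleOwner'].Value)

# The Infrastructure Master is recorded on CN=Infrastructure in each domain.
$infra       = [ADSI]"LDAP://CN=Infrastructure,$domainNc"
$infraMaster = Get-FsmoHolderDnsName ([string]$infra.Properties['fSMORoleOwner'].Value)

Write-Host "Schema version: $schemaVersion"
if ($schemaVersion -ge 30) {
    Write-Host 'Schema is already at the Windows Server 2003 level; adprep /forestprep has been run.'
} else {
    Write-Host "Run 'adprep /forestprep' on the Schema Master: $schemaMaster"
}
Write-Host "Then run 'adprep /domainprep' on the Infrastructure Master of ${domainNc}: $infraMaster"
```

The script only reads directory data; the adprep commands themselves are still run interactively on the role holders it names, in the order the note gives (forestprep first, then domainprep in each domain).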
Forest Functional Levels
In much the same way as domain functional levels, forest functional levels affect the versions of Windows that can be employed as domain controllers throughout a forest, as well as the ability to implement forest-wide features of Windows Server 2003 Active Directory. While the two concepts are similar, the new Active Directory features enabled by changing the functional level of a forest are different from those enabled by changing the functional level of a domain.

Windows Server 2003 Active Directory supports three forest functional levels: Windows 2000, Windows Server 2003 interim, and Windows Server 2003.

Each of the three forest functional levels available in Windows Server 2003 is discussed in the following sections, including the capabilities and limitations associated with each.
Windows 2000
When you first install or upgrade a domain controller to a Windows Server 2003 operating system, the forest is configured to use the Windows 2000 forest functional level by default. At this forest functional level, domains within the forest that include domain controllers running Windows NT 4.0, Windows 2000, and Windows Server 2003 are all supported, as shown in Figure 5.
At the Windows 2000 forest functional level, almost all new forest-wide features associated with Windows Server 2003 Active Directory are disabled. The one exception is that any global catalog servers running Windows Server 2003 configured as replication partners can take advantage of the improved replication method used when new attributes are added to the global catalog. In Windows 2000 Active Directory, extending the partial attribute set maintained in the global catalog required a complete synchronization of the global catalog, which could lead to significant network traffic, especially in large environments. When the global catalog is extended to include a new attribute on domain controllers running Windows Server 2003, only the new attribute needs to be synchronized, rather than the entire global catalog.
Windows Server 2003 Interim
The Windows Server 2003 interim forest functional level is a special functional level used to support domain environments that are being upgraded from Windows NT 4.0 to Windows Server 2003 Active Directory. When the first domain controller in a Windows NT 4.0 domain is being upgraded to Windows Server 2003, the forest functional level is set to Windows Server 2003 interim by default. This forest functional level incurs the same limitations as those associated with the Windows 2000 forest functional level looked at in the previous section.
Windows Server 2003
The Windows Server 2003 forest functional level enables all the new forest-wide features of Windows Server 2003 Active Directory. To raise a forest to the Windows Server 2003 functional level, all domain controllers in all domains within the forest must be running Windows Server 2003. Prior to raising a forest to the Windows Server 2003 forest functional level, you must first raise each individual domain to at least the Windows 2000 native domain functional level. As part of the process of raising a forest to the Windows Server 2003 forest functional level, all domains within the forest are automatically raised to the Windows Server 2003 domain functional level.
Once the forest functional level has been raised, domain controllers running Windows 2000 or Windows NT 4.0 are no longer supported and cannot be introduced into the forest. Table 2 describes the forest-wide features introduced by Windows Server 2003 Active Directory and the status of these features at different forest functional levels.
Table 2. Features Enabled by Forest Functional Levels
Forest Feature | Windows 2000/Windows Server 2003 Interim | Windows Server 2003
---|---|---
Global catalog replication improvements | Enabled if both replication partners are running Windows Server 2003. Otherwise, disabled. | Enabled.
Defunct schema objects | Disabled. | Enabled.
Forest trusts | Disabled. | Enabled.
Linked value replication | Disabled. | Enabled.
Domain rename | Disabled. | Enabled.
Improved Active Directory replication algorithms | Disabled. | Enabled.
Dynamic auxiliary classes | Disabled. | Enabled.
InetOrgPerson objectClass change | Disabled. | Enabled.
Tip: Ensure that you are familiar with the various forest functional levels in Windows Server 2003, including the versions of domain controllers supported in each and the capabilities available in one forest functional level versus another.
To change the forest functional level to Windows Server 2003, complete the following steps:

1. Click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.
2. Right-click the Active Directory Domains And Trusts node, and then click Raise Forest Functional Level. If any domains within the forest are not configured to at least the Windows 2000 native domain functional level, you will not be able to raise the functional level of the forest, as shown in Figure 6.
   Note: To raise the functional level of a forest, you must be a member of either the Domain Admins group in the forest root domain or the Enterprise Admins group, or you must have been delegated the proper authority.
3. If all domains have already been raised to at least the Windows 2000 native domain functional level, click Raise.
4. In the Raise Forest Functional Level message box, click OK.
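The two procedures above (raising a domain, then the forest) share one precondition that the Raise Forest Functional Level dialog enforces: every domain must already be at least Windows 2000 native. Because both changes are one-way, it is worth auditing the current levels before clicking Raise. The following script is an added example, not part of the training kit; it reads the levels through ADSI (no ActiveDirectory module required, so it also runs on a Windows Server 2003 era host with PowerShell) and lists any domain that would block the forest raise. It assumes a domain-joined host with read access to the configuration partition, and it maps the documented msDS-Behavior-Version and ntMixedDomain values to the level names used in this chapter. Treating the interim level as "not ready" is this example's own assumption, based on the chapter's statement that interim domains still contain Windows NT 4.0 domain controllers.

```powershell
# Added example (not from the training kit): audit domain and forest functional
# levels through ADSI and check the forest-raise precondition from this chapter
# (every domain at least Windows 2000 native). Assumptions: domain-joined host,
# read access to the configuration partition, no ActiveDirectory module needed.

# Documented attribute values behind the level names used in this chapter.
# Domain: msDS-Behavior-Version 0 = Windows 2000 (ntMixedDomain 1 = mixed,
# 0 = native), 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
function Get-DomainLevelName {
    param([int]$Version, [int]$Mixed)
    switch ($Version) {
        0       { if ($Mixed -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
        1       { 'Windows Server 2003 interim' }
        2       { 'Windows Server 2003' }
        default { "later than Windows Server 2003 (msDS-Behavior-Version=$Version)" }
    }
}

# Forest: msDS-Behavior-Version 0 = Windows 2000, 1 = Windows Server 2003
# interim, 2 = Windows Server 2003.
function Get-ForestLevelName {
    param([int]$Version)
    switch ($Version) {
        0       { 'Windows 2000' }
        1       { 'Windows Server 2003 interim' }
        2       { 'Windows Server 2003' }
        default { "later than Windows Server 2003 (msDS-Behavior-Version=$Version)" }
    }
}

# A domain is ready for the forest raise when it is at least Windows 2000 native.
# Assumption of this example: interim (version 1) is reported as not ready,
# because the chapter says such domains still have Windows NT 4.0 DCs.
function Test-DomainReadyForForestRaise {
    param([int]$Version, [int]$Mixed)
    ($Version -ge 2) -or ($Version -eq 0 -and $Mixed -eq 0)
}

$rootDse    = [ADSI]'LDAP://RootDSE'
$configNc   = [string]$rootDse.Properties['configurationNamingContext'].Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"

# The forest functional level is stored on the Partitions container.
$forestVersion = [int]$partitions.Properties['msDS-Behavior-Version'].Value
Write-Host ("Forest functional level: {0}" -f (Get-ForestLevelName $forestVersion))

# Each domain in the forest has a crossRef whose systemFlags has the
# domain bit (0x2) set; the bitwise-AND matching rule selects those.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$searcher.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot'))

$blocking = @()
foreach ($result in $searcher.FindAll()) {
    $domainDn = [string]$result.Properties['ncname'][0]
    $dnsRoot  = [string]$result.Properties['dnsroot'][0]
    $domain   = [ADSI]"LDAP://$domainDn"
    $version  = [int]$domain.Properties['msDS-Behavior-Version'].Value
    $mixed    = [int]$domain.Properties['ntMixedDomain'].Value
    $level    = Get-DomainLevelName -Version $version -Mixed $mixed
    $ready    = Test-DomainReadyForForestRaise -Version $version -Mixed $mixed
    Write-Host ("  {0,-30} {1,-32} ready for forest raise: {2}" -f $dnsRoot, $level, $ready)
    if (-not $ready) { $blocking += $dnsRoot }
}

if ($blocking.Count -eq 0) {
    Write-Host 'All domains are at least Windows 2000 native; the forest can be raised (one-way change).'
} else {
    Write-Host ("Raise these domains first, once all their DCs run an eligible version: {0}" -f ($blocking -join ', '))
}
```

The script changes nothing; it only reads the attributes the Raise dialogs consult, so it can be run (and its output kept as a change record) before and after each raise. On later Windows versions the ActiveDirectory module exposes the same information as the DomainMode and ForestMode properties of Get-ADDomain and Get-ADForest.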
1: Raising the Domain Functional Level
1. On Server01, click Start, select Administrative Tools, and then click Active Directory Users And Computers.
2. Right-click the contoso.com domain object, and then click Raise Domain Functional Level.
3. In the Select An Available Domain Functional Level drop-down box, select Windows Server 2003 and click the Raise button.
4. In the Raise Domain Functional Level dialog box, click OK.
5. In the Raise Domain Functional Level dialog box, read the status message that appears and click OK.
6. Close Active Directory Users And Computers.
2: Raising the Forest Functional Level
1. On Server01, click Start, select Administrative Tools, and then click Active Directory Domains And Trusts.
2. Right-click the Active Directory Domains And Trusts node, and then click Raise Forest Functional Level.
3. In the Raise Forest Functional Level window, notice that the Select An Available Forest Functional Level drop-down box contains only one choice, Windows Server 2003. Click the Raise button.
4. In the Raise Forest Functional Level dialog box, click OK.
5. In the Raise Forest Functional Level dialog box, read the status message that appears and click OK.
6. Close Active Directory Domains And Trusts.