Active Directory has a number of functional levels
that dictate what features are available and what versions of Windows
can serve as domain controllers. In a forest that includes any Windows
Server 2003 domain controllers, there are three forest functional
levels, and four domain functional levels. This is an increase from the
single forest functional level and two domain functional levels
available in Windows 2000.
The following sections
help you sort out this increased complexity and figure out what
functional levels are appropriate for your network.
Choosing a Forest Functional Level
There are three
forest functional levels available in a network with Windows Server 2003
domain controllers: Windows 2000, Windows Server 2003 Interim, and
Windows Server 2003.
Windows 2000
The baseline forest functional level that supports Windows Server 2003
and Windows 2000 domain controllers, as well as Windows NT 4.0 BDCs. The
Windows 2000 forest functional level permits domains to use any
functional level—Windows 2000 mixed or higher—and is the default forest
functional level.
Windows Server 2003 interim
A special functional level that is available when upgrading from
Windows NT 4.0. The Windows Server 2003 interim functional level
supports only Windows Server 2003 domain controllers and Windows NT 4.0
BDCs. It allows group membership changes (instead of the entire group
membership list) to be replicated, and it improves the generation of
intersite replication topologies. When you choose the Windows Server
2003 interim forest functional level, you must use the Windows Server
2003 interim domain functional level or higher for all domains in the
forest.
Windows Server 2003
The native functional level of a forest where all domain controllers
run Windows Server 2003. The Windows Server 2003 forest functional level
provides the features of the interim functional level, along with other
new features such as the ability to rename domains and create two-way,
transitive trusts between forests. When you choose the Windows Server
2003 forest functional level, you must use the Windows Server 2003
domain functional level for all domains in the forest.
Start with the Windows
2000 forest functional level if you have any Windows 2000 domain
controllers in your forest or if you anticipate that you might.
Switching forest or domain functional levels is a one-way process
(there’s no going back), and old servers have a surprising knack for
sticking around and making themselves useful. For example, you can put
an aging Windows 2000 domain controller to good use as a second or third
domain controller at a remote site.
Important
Upgrade all
Exchange 2000 Active Directory Connection (ADC) servers to Microsoft
Exchange Server 2003 before using the Windows Server 2003 interim forest
functional level or upgrading to Windows Server 2003 forest functional
level. See Microsoft Knowledge Base Article 825916 at http://support.microsoft.com for more information.
If you’re upgrading directly from Windows NT 4.0 and you know that you’ll never
want to add a Windows 2000 domain controller to the forest (in any
domain), choose the Windows Server 2003 interim functional level when
performing the upgrade. (This option appears in the Active Directory
Installation Wizard.) If you forgo this option when upgrading the PDC,
you can make the switch later, although you’ll have to use a script to
do so. (See the Windows Server 2003 Resource Kit
for more information.) If your Windows NT 4.0 domains make use of
groups with more than 5000 members, you must choose the Windows Server
2003 interim functional level or divide the groups into two or more
groups of 5000 members or less (except for the Domain Users group, which
is exempt from this limitation).
Note
You can raise
the domain functional levels of all domains in the forest to Windows
Server 2003 native level without touching each domain, as long as all
domains are already at the Windows 2000 native functional level (or
Windows Server 2003 native). Simply raise the forest functional level to
Windows Server 2003 native level, and all domains follow suit.
When you raise
the forest functional level to Windows Server 2003 functional level, you
automatically raise the domain functional level for all domains in the
forest to the Windows Server 2003 functional level. If there are any
Windows 2000 domain controllers, Windows generates a report listing the
offending servers and blocks the increase until you upgrade or remove
the domain controllers. If there are any domains using Windows 2000
mixed or Windows Server 2003 interim functional levels, Windows blocks
the increase until you raise the functional level of the domains to
Windows 2000 or Windows Server 2003.
Table 1 summarizes the differences between the different forest functional
levels. (For a more complete list, see the Windows Server 2003 Help and
Support Center.)
Table 1. Some differences among forest functional levels

| Feature | Windows 2000 | Windows Server 2003 Interim | Windows Server 2003 |
|---|---|---|---|
| Supported domain controllers | Windows Server 2003, Windows 2000, Windows NT 4.0 BDCs | Windows NT 4.0 BDCs, Windows Server 2003 | Windows Server 2003 |
| Efficient group member replication | No | Yes | Yes |
| Improved replication topology generation | Limited; requires Windows Server 2003 domain controller | Full | Full |
| Linked value replication | No | Yes | Yes |
| Global catalog replication improvements | When both domain controllers are Windows Server 2003 | Yes | Yes |
| Maximum number of group members | 5000 (except Domain Users group, which can be higher) | 5000+ | 5000+ |
| Domain rename | No | No | Yes |
| Transitive forest trusts | No | No | Yes |
| Defunct schema objects | No | No | Yes |
| Application group | No | No | Yes |
Choosing a Domain Functional Level
An
Active Directory domain can run in one of four functional levels:
Windows 2000 mixed, Windows Server 2003 interim, Windows 2000 native,
and Windows Server 2003.
Windows 2000 mixed
The default mode of all newly created domains, as well as upgraded
Windows NT domains. While a domain is in mixed mode, Windows NT 4.0
BDCs, Windows 2000 domain controllers, and Windows Server 2003 domain
controllers can all coexist on the network.
Windows Server 2003 interim
A new functional level designed for networks that are upgrading a
Windows NT domain directly to Windows Server 2003. When using the Windows
Server 2003 interim functional level, you cannot use Windows 2000 domain
controllers in the domain, though you can use Windows 2000 clients and
member servers. The Windows Server 2003 interim functional level doesn’t
offer any new features at the domain level (though the Windows Server
2003 interim forest functional level does). Adprep automatically raises
all domains in the forest to this level when you raise the forest
functional level to the Windows Server 2003 interim functional level.
Windows 2000 native
A functional level for Windows 2000 and newer domain controllers that
permits domains to scale past the Windows NT 40,000 account limit,
enables the SIDHistory feature (which makes domain restructuring much
less painful), and provides the additional Universal and Domain Local
groups. When using the Windows 2000 native functional level, you can
use only Windows 2000 and Windows Server 2003 domain controllers.
Windows Server 2003
A functional level for Windows Server 2003 domain controllers only that
provides all the features of the Windows 2000 native functional level, as
well as domain controller renaming and a higher maximum number of sites
per domain, among other things.
Start with the
Windows 2000 mixed domain functional level if you have any Windows 2000
domain controllers in your forest or if you anticipate that you might.
Otherwise, choose the Windows Server 2003 Interim functional level. Most
companies find themselves remaining in Windows 2000 mixed or Windows
Server 2003 interim functional level for some time to ensure
compatibility with existing Windows NT 4.0 BDCs or other servers that
need access to a “real” Windows NT 4.0 BDC. However, there are
advantages to using the Windows 2000 and Windows Server 2003 native
functional levels, as described in Table 2, especially when restructuring or consolidating domains.
Table 2. The differences among domain functional levels

| Feature | Windows NT 4.0 | Windows 2000 Mixed | Windows 2000 Native | Windows Server 2003 Interim | Windows Server 2003 |
|---|---|---|---|---|---|
| Supported domain controllers | Windows NT 4.0, Windows NT 3.51 BDCs | Windows Server 2003, Windows 2000, Windows NT 4.0 BDCs | Windows Server 2003, Windows 2000 | Windows NT 4.0, Windows Server 2003 | Windows Server 2003 |
| Objects per domain | Fewer than 40,000 (20,000 user accounts) recommended | Fewer than 40,000 (20,000 user accounts) recommended | Millions | Millions | Millions |
| Multimaster replication | No | Yes | Yes | Yes | Yes |
| Group types | Global, Local | Global, Local | Universal, Domain Global, Domain Local, Local | Global, Local | Universal, Domain Global, Domain Local, Local |
| Domain controller rename | No | No | No | No | Yes |
| Nested groups | No | Distribution groups and local groups that can store global groups only | Yes | Distribution groups and local groups that can store global groups only | Yes |
| Convert groups | No | No | Yes | No | Yes |
| Cross-domain administration | Limited | Limited | Full | Limited | Full |
| Group membership replication | Only membership changes | Entire group membership list | Entire group membership list | Only membership changes | Only membership changes |
| Maximum sites per domain | N/A | 300 | 300 | 300 | 3000 |
| SIDHistory | No | No | Yes | No | Yes |
| Password filters | Installed manually on each PDC and BDC | Installed manually on each domain controller | Installed automatically on all domain controllers | Installed manually on each domain controller | Installed automatically on all domain controllers |
| Queries using Desktop Change/Configuration Management | No | Only on Windows 2000 domain controllers | Yes | Only on Windows Server 2003 domain controllers | Yes |
| Authentication protocols | NTLM | NTLM, Kerberos | Kerberos | NTLM, Kerberos | Kerberos |
| lastLogonTimestamp user/computer attributes | No | No | No | No | Yes |
| inetOrgPerson user password | N/A | No | No | No | Yes |
| Redirect the Users and Computers containers | No | No | No | No | Yes |
Microsoft
recommends a rapid switch to Windows 2000 functional level; however,
consider taking a more cautious approach when upgrading from a Windows
NT 4.0 network. Running in Windows 2000 mixed or Windows Server 2003
interim functional level allows nervous network administrators a chance
to start using Active Directory in a limited manner without losing their
Windows NT 4.0 safety net. Wait until it’s clear there is no need for
Windows NT 4.0 BDCs before making the domain functional level upgrade
because, after you upgrade the domain mode, there is no going back.
There is less incentive for most networks to move to the Windows Server
2003 functional level, although large networks should evaluate it more
closely, as the increased scalability and replication efficiency can be
invaluable.
It’s
important to understand that not all systems in the domain need to run
Windows 2000, Windows XP, or Windows Server 2003 to operate in a Windows
Server 2003 functional level domain. Functional levels affect only the
operation of the domain controllers. The issue of legacy systems (Windows NT, Windows 95, Windows 98, Windows Me, MS-DOS, or Windows 3.x)
in the domain is important, however, when it comes to planning WINS
server deployment. As long as you have legacy clients and servers in the
domain, you need WINS servers for NetBIOS name resolution (unless you
have a small, nonrouted network that can handle NetBIOS name resolution
using broadcast). In addition, don’t turn off NetBIOS over Transmission
Control Protocol/Internet Protocol (NetBIOS over TCP/IP), even if your
network consists entirely of Windows 2000, Windows XP, and Windows
Server 2003 systems, because legacy applications (which are many) may
still rely on NetBIOS calls for network communication, as does network
browsing.
Switching Functional Levels
Before switching
functional levels, take the last Windows NT 4.0 BDC or Windows 2000
domain controller offline and test whether there are any remaining
legacy applications or servers that break as a result. This step is
important because you cannot undo a functional level switch. Once you
are sure that you don’t need any legacy domain controllers on the
network, and will never again need any, log on to a domain controller
using an administrator account and follow these steps to raise the
forest or domain functional level:
1. Click Start, choose Administrative Tools, and then select Active Directory Domains And Trusts.
2. To raise the forest functional level, right-click Active Directory Domains And Trusts and then choose Raise Forest Functional Level. To raise the domain functional level, right-click the domain for which you want to change the functional level and choose the Raise Domain Functional Level option.
   You can also upgrade forests from a command line. (See the Help menu for the procedure.)
3. Select the functional level, as shown in Figure 1, and then click Raise.
4. When Windows asks you to verify the switch, click OK. Click OK in the next dialog box also.
Important
You can upgrade
the functionality of a forest only after all domains within the forest
use the Windows 2000 or Windows Server 2003 functional levels. After you
upgrade a forest, you can add only domains operating in the same mode
or higher. To add a domain with a lower functionality level, you have to
create a whole new forest.
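The blocking rules described earlier (no Windows 2000 domain controllers, no domains left at Windows 2000 mixed or Windows Server 2003 interim) and the one-way nature of the switch can be checked before clicking Raise. The following preflight check is an added example, not code from the book; it applies those rules to constructed directory data. The attribute names and value meanings it decodes (msDS-Behavior-Version on the Partitions container, domain heads and NTDS Settings objects; ntMixedDomain on the domain head) are Active Directory schema facts that the text itself does not mention, and the sample objects are constructed.

```python
# Added example: preflight check for raising a forest to Windows Server 2003.
# msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
# 2 = Windows Server 2003. ntMixedDomain: 1 = mixed, 0 = native (domain head only).

LEVEL_NAMES = {0: "Windows 2000", 1: "Windows Server 2003 interim", 2: "Windows Server 2003"}

def domain_level_name(behavior_version, nt_mixed_domain):
    """Decode a domain's level; version 0 is mixed or native depending on ntMixedDomain."""
    if behavior_version == 0:
        return "Windows 2000 mixed" if nt_mixed_domain == 1 else "Windows 2000 native"
    return LEVEL_NAMES.get(behavior_version, f"unknown ({behavior_version})")

def preflight_forest_raise(forest, domains, dcs):
    """Return the list of blocking problems; an empty list means the raise is permitted.

    forest:  attributes of CN=Partitions,CN=Configuration,... (forest functional level)
    domains: {dn: attributes of the domain NC head} for every domain in the forest
    dcs:     {dn: attributes of each NTDS Settings object} for every domain controller
    """
    problems = []
    if forest["msDS-Behavior-Version"] >= 2:
        problems.append("forest is already at Windows Server 2003; the switch is one-way")
    for dn, attrs in dcs.items():
        # Assumption: a Windows 2000 DC reports 0 (or lacks the attribute, treated as 0).
        if attrs.get("msDS-Behavior-Version", 0) < 2:
            problems.append(f"Windows 2000 domain controller must be upgraded or removed: {dn}")
    for dn, attrs in domains.items():
        name = domain_level_name(attrs["msDS-Behavior-Version"], attrs.get("ntMixedDomain", 0))
        if name in ("Windows 2000 mixed", "Windows Server 2003 interim"):
            problems.append(f"domain {dn} is at {name}; raise it to Windows 2000 native "
                            "or Windows Server 2003 first")
    return problems

# Constructed sample: forest at Windows 2000, one mixed-mode child domain, one old DC.
SAMPLE_FOREST = {"msDS-Behavior-Version": 0}
SAMPLE_DOMAINS = {
    "DC=example,DC=test": {"msDS-Behavior-Version": 0, "ntMixedDomain": 0},
    "DC=branch,DC=example,DC=test": {"msDS-Behavior-Version": 0, "ntMixedDomain": 1},
}
SAMPLE_DCS = {
    "CN=NTDS Settings,CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=test":
        {"msDS-Behavior-Version": 2},
    "CN=NTDS Settings,CN=OLDDC,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=test":
        {"msDS-Behavior-Version": 0},
}

if __name__ == "__main__":
    for problem in preflight_forest_raise(SAMPLE_FOREST, SAMPLE_DOMAINS, SAMPLE_DCS):
        print("BLOCKED:", problem)
```

On a live forest the three dictionaries would be filled from LDAP reads of the objects named in the docstring; the rules applied to them are the ones the text states.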