Forest and Domain Functional Levels
Domain and forest functional levels provide a means of enabling additional domain and forest-wide Active Directory features, removing outdated backward compatibility from an environment, and improving Active Directory performance and security. In Windows 2000, the terminology for domain functional levels was domain modes. Forests in Windows 2000 have one mode and domains can have the domain mode set as either mixed mode or native mode. With Windows Server 2003 Active Directory came the introduction of the Windows Server 2003 interim functional level and Windows Server 2003 functional level for both domains and forests. The four domain functional levels that can be set for domain controllers are Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The default domain functional level is Windows 2000 mixed. The three forest functional levels are Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000.
When the Windows Server 2003 functional level is enabled in an environment, additional Active Directory domain and forest-wide features are automatically enabled. Windows Server 2003’s functional level is enabled in an environment when all domain controllers are running Windows Server 2003. The Active Directory Domains And Trusts console raises the functional levels of domains and forests in Active Directory.
Domain Functional Levels
When raising the domain functional level from Windows 2000 mixed to Windows 2000 native or the Windows Server 2003 functional level, domain controllers are regarded as peers to each other. What this essentially means is that the domain master concept no longer exists. It also means that pre-Windows 2000 replication no longer exists. Those who are considering raising the domain functional level within their environment to Windows Server 2003 should remember that after the domain functional level is raised, they cannot add any Windows 2000 server to the particular domain.
Windows 2000 Mixed Domain Functional Level
Any newly installed domain controller operates in Windows 2000 mixed domain functional level for the domain by default. This makes the Windows 2000 mixed domain functional level the default functional level for all Windows Server 2003 domains. Windows 2000 mixed domain functional level enables the Windows Server 2003 domain controller to operate together with Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. The only Windows NT domain controllers supported are Windows NT backup domain controllers (BDCs). Windows NT primary domain controllers do not exist in Active Directory. In Active Directory, domain controllers act as peers to one another. Windows 2000 mixed domain functional level is usually used to migrate domain controllers from Windows NT to Windows 2000 domain controllers.
Users can raise Windows 2000 mixed domain functional level to
- Windows 2000 native domain functional level
- Windows Server 2003 domain functional level
The Active Directory domain features that are available in Windows 2000 mixed domain functional level are listed below:
- Local and Global groups
- Distribution Groups
- Distribution Group nesting
- Global Catalog support
- Up to 40,000 domain objects are supported
The Active Directory domain features that are not supported in Windows 2000 mixed domain functional level are listed below:
- Renaming domain controllers
- Universal Groups
- Security group nesting
- SID History
- Update logon time stamp
- Group conversion between Security Groups and Distribution Groups
- Users/Computers container redirection
- Constrained delegation
- User password support on the InetOrgPerson object
Windows 2000 Native Domain Functional Level
The Windows 2000 native domain functional level enables Windows Server 2003 domain controllers to operate with Windows 2000 domain controllers and Windows Server 2003 domain controllers. This domain functional level is typically used to support domain controller upgrades from Windows 2000 to Windows Server 2003. Windows NT 4.0 backup domain controllers are not supported in the Windows 2000 native domain functional level. Windows 2000 native cannot be lowered again to the Windows 2000 mixed domain functional level.
Users can raise the Windows 2000 native domain functional level to
- Windows Server 2003 domain functional level.
The Active Directory domain features that are available in Windows 2000 native domain functional level are listed below:
- Local and Global groups
- Distribution Groups
- Distribution group nesting
- Security group nesting
- Universal Groups
- Group conversion between Security Groups and Distribution Groups
- Global Catalog support
- SID History
- Up to 1,000,000 domain objects are supported
The Active Directory domain features that are not supported in Windows 2000 native domain functional level are listed below:
- Renaming domain controllers
- Update logon time stamp
- Users/Computers container redirection
- Constrained delegation
- User password support on the InetOrgPerson object
Windows Server 2003 Interim Domain Functional Level
Windows Server 2003 interim domain functional level enables domain controllers running Windows Server 2003 to function in a domain containing both Windows NT 4.0 domain controllers and Windows Server 2003 domain controllers. Domain controllers running Windows 2000 are not supported in this domain functional level. Users can only set this domain functional level when upgrading from Windows NT to Windows Server 2003. In fact, the Windows Server 2003 interim domain functional level can only be raised to Windows Server 2003 domain functional level. Windows Server 2003 interim domain functional level is also typically used when users are not going to immediately upgrade their Windows NT 4.0 backup domain controllers to Windows Server 2003, and when their existing Windows NT domain has groups consisting of over 5,000 members.
The Active Directory domain features that are available in Windows Server 2003 interim domain functional level are listed below:
- Local and Global groups
- Distribution groups
- Distribution group nesting
- Global Catalog support
- Up to 40,000 domain objects are supported
The Active Directory domain features that are not supported in Windows Server 2003 interim domain functional level are listed below:
- Renaming domain controllers
- Universal Groups
- Security group nesting
- SID History
- Update logon timestamp
- Group conversion between Security Groups and Distribution Groups
- Users/Computers container redirection
- Constrained delegation
- User password support on the InetOrgPerson object
Windows Server 2003 Domain Functional Level
Windows Server 2003 domain functional level is the highest level that can be specified for a domain. All domain controllers in the domain are running Windows Server 2003. This basically means that these domains do not support Windows NT 4 and Windows 2000 domain controllers. Once the domain level is set as Windows Server 2003 domain functional level, it cannot be lowered to any of the previous domain functional levels.
All Active Directory domain features are available in Windows Server 2003 domain functional level:
- Local and Global groups
- Distribution Groups
- Distribution group nesting
- Security group nesting
- Universal Groups
- Group conversion between Security Groups and Distribution Groups
- Global Catalog support
- SID History
- Up to 1,000,000 domain objects are supported
- Renaming domain controllers
- Update logon time stamp
- Users/Computers container redirection
- Constrained delegation
- User password support on the InetOrgPerson object
How to Check which Domain Function Level is Set for the Domain
- Open the Active Directory Domains And Trusts console
- Right click the particular domain whose functional level will be verified and select Raise Domain Functional Level from the shortcut menu.
- The Raise Domain Functional Level dialog box opens
- View the existing domain functional level for the domain in Current domain functional level.
How to Raise the Domain Functional Level to the Windows 2000 Native Domain Functional Level or Windows Server 2003 Domain Functional Level
Before raising the domain functional level to Windows Server 2003 domain functional level, each domain controller in the domain has to be running Windows Server 2003.
To raise the domain functional level for a domain:
- Open the Active Directory Domains And Trusts console
- Right click the particular domain whose functional level will be raised and select Raise Domain Functional Level from the shortcut menu.
- The Raise Domain Functional Level dialog box opens.
- Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
- Click Raise
- Click OK
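The level rules above can be turned into a pre-raise check that shows which domain controllers stand in the way of each permitted target level and which features the raise would unlock, for example constrained delegation and SID History. This is an added example, not part of the original page: the supported-DC, raise-path and feature rules are transcribed from the lists above, while the LDAP attribute names msDS-Behavior-Version and nTMixedDomain, their numeric values, and the DC inventory are assumptions introduced here.

```python
# Added example (not from the original page). The rules are transcribed from the
# page; the two LDAP attribute names and their values are assumptions made here.
NATIVE_ONLY = {"Universal Groups", "Security group nesting", "SID History",
               "Group conversion between Security Groups and Distribution Groups"}
W2003_ONLY = {"Renaming domain controllers", "Update logon time stamp",
              "Users/Computers container redirection", "Constrained delegation",
              "User password support on the InetOrgPerson object"}

# level -> (DC operating systems it supports, levels it can be raised to, extra features)
LEVELS = {
    "Windows 2000 mixed": ({"NT4", "2000", "2003"},
                           ["Windows 2000 native", "Windows Server 2003"], set()),
    "Windows 2000 native": ({"2000", "2003"}, ["Windows Server 2003"], NATIVE_ONLY),
    "Windows Server 2003 interim": ({"NT4", "2003"}, ["Windows Server 2003"], set()),
    "Windows Server 2003": ({"2003"}, [], NATIVE_ONLY | W2003_ONLY),
}

def decode_domain_level(behavior_version, nt_mixed_domain):
    """Name the level from msDS-Behavior-Version and nTMixedDomain (assumed inputs)."""
    if behavior_version == 2:
        return "Windows Server 2003"
    if behavior_version == 1:
        return "Windows Server 2003 interim"
    if behavior_version == 0:
        return "Windows 2000 mixed" if nt_mixed_domain == 1 else "Windows 2000 native"
    raise ValueError(f"level {behavior_version} is outside the four the page covers")

def raise_plan(current, dc_inventory):
    """For each permitted target: DCs it does not support and features it unlocks."""
    _, targets, have = LEVELS[current]
    plan = {}
    for target in targets:
        supported, _, features = LEVELS[target]
        unsupported = sorted(dc for dc, os_ver in dc_inventory.items()
                             if os_ver not in supported)
        plan[target] = {"unsupported_dcs": unsupported,
                        "unlocks": sorted(features - have)}
    return plan

if __name__ == "__main__":
    # Constructed inventory: DC name -> operating system family.
    inventory = {"DC01": "2003", "DC02": "2000", "BDC01": "NT4"}
    level = decode_domain_level(0, 1)
    print("Current level:", level)
    for target, info in raise_plan(level, inventory).items():
        state = ", ".join(info["unsupported_dcs"]) or "none"
        print(f"  -> {target}: unsupported DCs: {state}; "
              f"unlocks {len(info['unlocks'])} features")
```

Because a raised level cannot be lowered again, an empty unsupported_dcs list for the chosen target is the condition to confirm before clicking Raise.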
Forest Functional Levels
While Windows 2000 has only one forest functional level, Windows Server 2003 has three forest functional levels. Through the forest functional levels, users can enable forest-wide Active Directory features in their Active Directory environment. The forest functional levels are actually very much like the domain functional levels.
Windows 2000 Forest Functional Level
This is the default forest functional level, which means that all newly created Windows Server 2003 forests have this level when initially created. The Windows 2000 forest functional level supports Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers.
The Active Directory forest features that are available in Windows 2000 forest functional level are listed below:
- Universal Group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS for system access control lists (SACL)
The Active Directory forest features that are not supported in Windows 2000 forest functional level are listed below:
- Domain renaming
- Forest Trust
- Defunct schema objects
- Linked value replication
- Dynamic auxiliary classes
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Application groups
- InetOrgPerson objectClass
- NTDS.DIT size reduction
Windows Server 2003 Interim Forest Functional Level
Domain controllers in a domain running Windows NT 4 and Windows Server 2003 are supported in the Windows Server 2003 interim forest functional level. This level is used when upgrading from Windows NT 4 to Windows Server 2003. The functional level is also configured when users are not planning to immediately upgrade their existing Windows NT 4 backup domain controllers or their existing Windows NT 4.0 domain has groups consisting of over 5,000 members. No Windows 2000 domain controllers can exist if the Windows Server 2003 interim forest functional level is set for the forest. The Windows Server 2003 interim forest functional level can only be raised to the Windows Server 2003 forest functional level.
The Active Directory forest-wide features that are available in Windows Server 2003 interim forest functional level are listed below:
- Universal Group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS for system access control lists (SACL)
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Linked value replication
The Active Directory forest features that are not supported in Windows Server 2003 interim forest functional level are listed below:
- Domain renaming
- Forest Trust
- Defunct schema objects
- Dynamic auxiliary classes
- Application groups
- InetOrgPerson objectClass
- NTDS.DIT size reduction
Windows Server 2003 Forest Functional Level
All domain controllers in the forest have to be running Windows Server 2003 in order for the forest functional level to be raised to the Windows Server 2003 forest functional level. What this means is that no domain controllers in the Active Directory forest can be running Windows NT 4 or Windows 2000. In the Windows Server 2003 forest functional level, all forest-wide Active Directory features are available, including the following:
- Domain renaming
- Forest Trust
- Defunct schema objects
- Dynamic auxiliary classes
- Application groups
- Universal Group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS for system access control lists (SACL)
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Linked value replication
- InetOrgPerson objectClass
- NTDS.DIT size reduction
How to Check which Forest Functional Level is Set for the Forest
- Open the Active Directory Domains And Trusts console
- Right click Active Directory Domains and Trusts in the console tree and select Raise Forest Functional Level from the shortcut menu.
- The Raise Forest Functional Level dialog box opens
- View the existing forest functional level for the forest in Current forest functional level.
How to Raise the Forest Functional Level to Windows Server 2003 Forest Functional Level
Each domain controller in the forest has to be running Windows Server 2003 before the forest functional level can be changed to Windows Server 2003. When the forest functional level is raised, all domains in the forest will automatically have their domain functional level raised to Windows Server 2003.
To raise the forest functional level for a forest:
- Open the Active Directory Domains And Trusts console
- Right click Active Directory Domains And Trusts in the console tree and select Raise Forest Functional Level from the shortcut menu.
- The Raise Forest Functional Level dialog box opens
- Click Raise
- Click OK
Approaches for Raising Functional Levels
Users can use one of the following approaches to move from Windows 2000 mixed and Windows 2000 native functional levels to the Windows Server 2003 functional level for the entire forest. These are:
- Windows 2000 native route: This approach involves raising the domain functional level to Windows 2000 native, then raising the forest functional level to Windows Server 2003.
- Windows Server 2003 route: This approach involves raising the domain functional level to Windows 2000 native, then to the Windows Server 2003 functional level. Lastly, the forest functional level has to be changed to Windows Server 2003.