Chapter
Enabling Advanced Windows Server 2003 Active Directory Features
The Microsoft Windows Server 2003 Active Directory directory service enables you to introduce advanced features into your environment by raising the domain or forest functional level. You can raise the functional level when all domain controllers in the domain or forest are running an appropriate version of Windows. Raising the functional level allows you to introduce new features but also limits the versions of Windows that can run on domain controllers in your environment.
Overview of Enabling Advanced Active Directory Features
Preparing to Enable Functional Levels
Enabling Windows Server 2003 Active Directory Functional Levels
Additional Resources
For more information about domain and forest functional levels, see the Directory Services Guide of the Microsoft Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at https://www.microsoft.com/reskit).
For more information about enabling functional levels in a new Microsoft Windows Server 2003 environment, see "Deploying the Windows Server 2003 Forest Root Domain" in this book.
For more information about enabling functional levels after upgrading from Microsoft Windows NT 4.0, see "Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory" in this book.
For more information about enabling functional levels after upgrading from Microsoft Windows 2000, see "Upgrading Windows 2000 Domains to Windows Server 2003 Domains" in this book.
Functional levels in Windows Server 2003 Active Directory enable you to implement advanced features - such as efficient group membership replication, deactivation and redefinition of attributes and classes in the schema, and domain rename - that require that domain controllers within a domain or forest be running the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition operating systems. If you want to enable these advanced Windows Server 2003 Active Directory features in your organization, you must raise the domain and/or forest to the appropriate functional level.
Before you can identify and enable the functional level that best meets the needs of your organization, you must identify the Windows operating systems that you are currently running and that you plan to maintain in your environment after you deploy Windows Server 2003.
If you are currently running Windows NT 4.0 and you do not plan to deploy Windows 2000 in your environment, after you deploy the first Windows Server 2003-based domain controller, raise the forest functional level to Windows Server 2003 interim to take advantage of the advanced features available at that forest functional level.
If you are currently running both Windows 2000 and Windows NT 4.0 in your environment, after you deploy a Windows Server 2003-based domain controller, keep the forest functional level set to Windows 2000. This enables you to take advantage of all advanced features available at that forest functional level.
If you are currently running only Windows 2000 in your environment or you are planning to install any number of Windows 2000-based domain controllers in the future, after you deploy a Windows Server 2003-based domain controller, keep the forest functional level set to Windows 2000. This enables you to take advantage of all advanced features available at that forest functional level.
If you are deploying a new Windows Server 2003 environment and plan to run only Windows Server 2003-based domain controllers, after you deploy the first Windows Server 2003-based domain controller you can raise the forest functional level to Windows Server 2003 to take advantage of all available Windows Server 2003 Active Directory features.
Note For a list of the job aids that are available to assist you in enabling functional levels, see "Additional Resources" later in this chapter.
Enabling advanced Active Directory features involves identifying the operating systems that are running on the domain controllers in your environment and the functional level that best meets the needs of your organization based on your existing infrastructure, and raising the domain or forest functional level as appropriate. Figure 5.1 shows the process for enabling advanced Active Directory features.
Figure 5.1 Enabling Advanced Active Directory Features
Windows Server 2003 Active Directory functional levels expand on the mixed and native modes introduced in the Windows 2000 operating system. In Windows 2000, a mixed mode domain supports domain controllers running either Windows 2000 or the Windows NT 4.0 operating system. Domains in native mode only support Windows 2000-based domain controllers. If all domain controllers in a mixed mode domain are upgraded to Windows 2000, the domain administrator can change the mode to native, making additional Windows 2000 features available.
In Windows Server 2003, the functional level of a domain or forest defines the set of advanced Windows Server 2003 Active Directory features that are available in that domain or forest. The functional level of a domain or forest also defines the set of Windows operating systems that can run on the domain controllers in that domain or forest.
Note The functional level of a domain or forest defines only the set of Windows operating systems that can run on domain controllers. It does not define the client operating systems that are supported in the forest.
When the first Windows Server 2003-based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. Table 5.1 summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003.
Table 5.1 Default Windows Server 2003 Active Directory Features

| Feature | Functionality |
| --- | --- |
| Multiple selection of user objects | Allows you to modify common attributes of multiple user objects. |
| Drag and drop functionality | Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group. |
| Efficient search capabilities | Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects. |
| Saved queries | Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers. |
| Active Directory command-line tools | Allows you to run new directory service commands for administration scenarios. |
| InetOrgPerson class | The inetOrgPerson class has been added to the base schema as |
| Application directory partitions | Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication. |
| Ability to add additional domain controllers by using backup media | Reduces the time it takes to add an additional domain controller in an existing domain by using backup media. |
| Universal group membership caching | Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller. |
| Secure Lightweight Directory Access Protocol (LDAP) traffic | Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. |
| Partial synchronization of the global catalog | Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog. |
| Active Directory quotas | Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and |

For more information about the default Active Directory features that are available on any Windows Server 2003 domain controller, see "New features for Active Directory" in Help and
When the first Windows Server 2003-based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.
Table 5.2 lists the Windows Server 2003 domain functional levels, the operating systems that they support, and the Windows Server 2003 features that are available at each domain functional level.
Table 5.2 Windows Server 2003 Domain Functional Levels

| Windows Server 2003 Domain Functional Level | Supported Domain Controller Operating Systems | Advanced Features Available at This Level |
| --- | --- | --- |
| Windows 2000 mixed | Windows NT 4.0, Windows 2000, Windows Server 2003 | All default Active Directory features, and: Universal groups are enabled for distribution groups, but are disabled for security groups. |
| Windows 2000 native | Windows 2000, Windows Server 2003 | All default Active Directory features, all features from the Windows 2000 mixed domain functional level, and: Universal groups are enabled for both distribution and security groups. Group conversion is enabled, allowing conversion between security and distribution groups. Group nesting is available, allowing nesting of groups within other groups. Security identifier (SID) history is available, allowing the migration of security principals from one domain to another. |
| Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 | Same as Windows 2000 mixed. |
| Windows Server 2003 | Windows Server 2003 | All default Active Directory features, all features from the Windows 2000 native domain functional level, and: Supports new functionality of the netdom.exe tool to prepare domain controllers for rename. It is recommended that you rename a domain controller by using netdom.exe to ensure that all appropriate steps are taken. Enables updates to the logon timestamp attribute. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain. Provides the ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects. Provides the ability to redirect the Users and Computers containers in order to define a new well-known location for user and computer accounts. Allows Authorization Manager to store its authorization policies in Active Directory. Includes constrained delegation, which allows applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services. Supports selective authentication, by which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest. |
Table 5.3 lists the Windows Server 2003 forest functional levels, the operating systems that they support, and the Windows Server 2003 features that are available at each forest functional level.
Table 5.3 Windows Server 2003 Forest Functional Levels

| Windows Server 2003 Forest Functional Level | Supported Domain Controller Operating Systems | Advanced Features Available at This Level |
| --- | --- | --- |
| Windows 2000 | Windows NT 4.0, Windows 2000, Windows Server 2003 | All default Active Directory features. |
| Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 | All default Active Directory features, and: Linked value replication. Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The following attributes are included in the global catalog: Ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, Ms-DS-Entry-Time-To-Die, MSMQ-Secured-Source, MSMQ-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit, MS-DRM-Identity-Certificate. |
| Windows Server 2003 | Windows Server 2003 | All Active Directory features available at the Windows Server 2003 interim level, and: The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain naming context. The ability to convert an inetOrgPerson object instance into a User object instance and vice versa. The ability to create instances of the new group types basic and query based, used by the role-based Authorization Manager. Deactivation and redefinition of attributes and classes in the schema. Domain rename. |
The following guidelines apply to raising the domain functional level:
You must be a member of the Domain Admins group to raise the domain functional level.
You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The Active Directory administrative tools used to raise the domain functional level (Active Directory Domains and Trusts and Active Directory Users and Computers) automatically target the PDC emulator when you raise the domain functional level.
You can raise the functional level of a domain only if all domain controllers in the domain are running the version or versions of Windows that the new functional level supports.
You cannot lower the functional level of a domain after it has been raised.
The following guidelines apply to raising the forest functional level:
You must be a member of the Enterprise Admins group to raise the forest functional level.
You can raise the forest functional level on the schema operations master only. The Active Directory Domains and Trusts console automatically targets the schema operations master when you raise the forest functional level.
You can raise the functional level of a forest only if all domain controllers in the forest are running the version or versions of Windows that the new functional level supports.
You can raise the forest to the Windows Server 2003 functional level only if all domains are at either the Windows 2000 native or Windows Server 2003 functional level.
You cannot lower the functional level of a forest after it has been raised.
Important Raising the domain or forest functional level is a one-way operation that cannot be reversed. If you need to revert to a lower functional level, you must rebuild the domain or forest or restore it from a backup. For more information about domain and forest recovery, see the Best Practices: Active Directory Forest Recovery link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
When you raise the forest functional level to Windows Server 2003, Active Directory automatically raises all domains that are operating at the Windows 2000 native domain functional level to the Windows Server 2003 domain functional level. However, if any domains in your environment are operating at the Windows 2000 mixed domain functional level, you cannot raise the forest functional level to Windows Server 2003.
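The rules in Tables 5.2 and 5.3 and the guidelines above, modelled as a pre-flight check in Python. This is an added example, not Deployment Kit code; the forest, the domain names and the domain controller inventory in sample_forest() are constructed.

```python
"""Model of the functional-level rules in Tables 5.2 and 5.3 and the raising
guidelines. Added example, not Deployment Kit code; all inventory is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NT4 = "Windows NT 4.0"
W2K = "Windows 2000"
WS03 = "Windows Server 2003"

# Domain functional level -> domain controller operating systems it permits (Table 5.2).
DOMAIN_LEVELS = {
    "Windows 2000 mixed": {NT4, W2K, WS03},
    "Windows 2000 native": {W2K, WS03},
    "Windows Server 2003 interim": {NT4, WS03},
    "Windows Server 2003": {WS03},
}
# Forest functional level -> domain controller operating systems it permits (Table 5.3).
FOREST_LEVELS = {
    "Windows 2000": {NT4, W2K, WS03},
    "Windows Server 2003 interim": {NT4, WS03},
    "Windows Server 2003": {WS03},
}
# Permitted raises. Anything not listed is a downgrade or a sideways move
# (interim <-> native), and a functional level can never be lowered.
DOMAIN_RAISES = {
    ("Windows 2000 mixed", "Windows 2000 native"),
    ("Windows 2000 mixed", "Windows Server 2003 interim"),
    ("Windows 2000 mixed", "Windows Server 2003"),
    ("Windows 2000 native", "Windows Server 2003"),
    ("Windows Server 2003 interim", "Windows Server 2003"),
}
FOREST_RAISES = {
    ("Windows 2000", "Windows Server 2003 interim"),
    ("Windows 2000", "Windows Server 2003"),
    ("Windows Server 2003 interim", "Windows Server 2003"),
}

@dataclass
class Domain:
    name: str
    level: str
    dcs: Dict[str, str]  # domain controller name -> operating system it runs

@dataclass
class Forest:
    level: str
    domains: Dict[str, Domain]

def domain_raise_blockers(domain: Domain, target: str) -> List[str]:
    """Reasons `domain` cannot be raised to `target`; an empty list means it can."""
    if (domain.level, target) not in DOMAIN_RAISES:
        return [f"{domain.name}: {domain.level} -> {target} is not a permitted raise"]
    return [f"{domain.name}: DC {dc} runs {osname}, not supported at {target}"
            for dc, osname in sorted(domain.dcs.items())
            if osname not in DOMAIN_LEVELS[target]]

def forest_raise_blockers(forest: Forest, target: str) -> List[str]:
    """Reasons the forest cannot be raised to `target`; an empty list means it can."""
    if (forest.level, target) not in FOREST_RAISES:
        return [f"forest: {forest.level} -> {target} is not a permitted raise"]
    blockers: List[str] = []
    for d in forest.domains.values():
        # Every domain controller in the forest must run an OS the new level supports.
        blockers += [f"{d.name}: DC {dc} runs {osname}, not supported at forest level {target}"
                     for dc, osname in sorted(d.dcs.items())
                     if osname not in FOREST_LEVELS[target]]
        # The Windows Server 2003 forest level also needs every domain at Windows 2000
        # native or Windows Server 2003; mixed and interim domains block it.
        if target == WS03 and d.level not in ("Windows 2000 native", WS03):
            blockers.append(f"{d.name}: domain level {d.level} blocks forest level {target}")
    return blockers

def raise_forest(forest: Forest, target: str) -> Tuple[bool, List[str]]:
    """Raise the forest if nothing blocks it. Raising to Windows Server 2003 also
    raises every Windows 2000 native domain automatically. Returns (ok, notes)."""
    blockers = forest_raise_blockers(forest, target)
    if blockers:
        return False, blockers
    forest.level = target
    notes = []
    if target == WS03:
        for d in forest.domains.values():
            if d.level == "Windows 2000 native":
                d.level = WS03
                notes.append(f"{d.name}: raised automatically to {WS03}")
    return True, notes

def sample_forest() -> Forest:
    """Constructed inventory: a root domain already at Windows Server 2003 and a
    regional domain at Windows 2000 native that still has one Windows 2000 DC."""
    root = Domain("corp.example", WS03, {"DC01": WS03, "DC02": WS03})
    emea = Domain("emea.corp.example", "Windows 2000 native", {"DC11": W2K, "DC12": WS03})
    return Forest("Windows 2000", {root.name: root, emea.name: emea})

if __name__ == "__main__":
    print(raise_forest(sample_forest(), WS03))  # blocked until DC11 is upgraded
```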
For more information about raising functional levels, see "Raising domain and forest functional levels" in Help and
Before you can enable domain and forest functional levels, you need to evaluate your current environment and identify the functional level scenario that best meets the needs of your organization. For a worksheet to assist you in preparing to enable functional levels, see "Assess Your Current Environment" later in this chapter.
Figure 5.2 shows the process for preparing to enable functional levels.
Figure 5.2 Preparing to Enable Functional Levels
Assess your current environment by identifying the domains in your forest, the domain controllers that are located in each domain, the operating system that each domain controller is running, and the date that you plan to upgrade the domain controller. If you plan to retire a domain controller, document the reasons for this decision.
Circumstances that might prevent you from upgrading an earlier version of the Windows operating system and enabling the Windows Server 2003 functional level include:
Insufficient hardware
A domain controller running an antivirus program that is incompatible with Windows Server 2003
Use of a version-specific program that does not run on Windows Server 2003
The need to perform a Service Pack upgrade
Documenting this information will help you identify the steps that are required for you to achieve a fully functional Windows Server 2003 environment.
For a worksheet to assist you in assessing your current environment, see "Domain Controller Assessment" (DSSPFL_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see "Domain Controller Assessment" on the Web at https://www.microsoft.com/reskit). Complete a separate worksheet for each domain, regardless of your forest structure.
Figure 5.3 shows an example of a completed worksheet for a domain assessment.
Figure 5.3 Example of a Domain Controller Assessment Worksheet
After you assess your current environment, identify the functional level scenario - Windows NT 4.0 environment, Windows 2000 mixed-mode environment, Windows 2000 native-mode environment, or new Windows Server 2003 forest - that applies to your organization.
Windows NT 4.0 environment
You have a pure Windows NT 4.0 environment consisting of one or more Windows NT 4.0 PDCs and backup domain controllers (BDCs). You want to upgrade directly to Windows Server 2003 and take advantage of all Windows Server 2003 forest- and domain-level features without deploying any Windows 2000 domain controllers in the environment.
Windows 2000 mixed mode environment
You have a mixed mode Windows 2000 domain that includes both Windows 2000 and Windows NT 4.0-based domain controllers. You want to upgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level features.
Windows 2000 native mode environment
You have a native mode Windows 2000 domain consisting of only Windows 2000-based domain controllers. You want to upgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level features.
New Windows Server 2003 forest
You are creating a new Windows Server 2003 forest by installing Active Directory on a Windows Server 2003-based member server. You want to take advantage of all Windows Server 2003 forest- and domain-level features.
Enabling advanced Windows Server 2003 Active Directory features in your environment involves installing Windows Server 2003 Active Directory, determining the functional level that is appropriate for your environment, and then raising domain and forest functional levels to meet your requirements. If you choose to raise your existing infrastructure to the Windows Server 2003 functional level, you can take advantage of all the Windows Server 2003 Active Directory features that are available.
You can determine the current domain functional level by viewing the properties of the domain object in either Active Directory Users and Computers or Active Directory Domains and Trusts. You can determine the current forest functional level by using Active Directory Domains and Trusts to view the properties of the Active Directory Domains and Trusts node.
To raise the forest functional level to Windows Server 2003, use Active Directory Domains and Trusts. To raise the domain functional level to Windows Server 2003 or Windows 2000 native, use Active Directory Domains and Trusts or Active Directory Users and Computers. For more information about how to view and raise domain and forest functional levels, see "Raise the domain functional level" and "Raise the forest functional level" in Help and
Figure 5. Enabling Windows Server 2003 Active Directory Functional Levels
If all of the domain controllers in your environment are running Windows NT 4.0, and you plan to upgrade them to Windows Server 2003 without ever upgrading to Windows 2000 or installing a new Windows 2000-based domain controller, maintain the Windows Server 2003 interim functional level in your domains and forest until you upgrade all Windows NT 4.0 domain controllers to Windows Server 2003.
Important If you choose to raise the forest and domain functional level to Windows Server 2003 interim, you cannot return to the Windows 2000 mixed domain functional level or the Windows 2000 forest functional level, and therefore you cannot add Windows 2000-based domain controllers to the forest.
For more information about deploying Windows Server 2003 in a Windows NT 4.0 environment, see "Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory" in this book.
If you intend to add one or more Windows 2000-based domain controllers instead of having only domain controllers running Windows Server 2003 in your environment, see "Enabling Windows Server 2003 Functional Levels in a Mixed Windows 2000
Important If you are running Windows NT 4.0 or Windows 2000 domain controllers in your environment, do not raise the functional level of your domain or forest to Windows Server 2003. You cannot operate at the Windows Server 2003 functional level until all of your domain controllers are running Windows Server 2003.
Windows 2000 Active Directory group replication limits the size of groups in a Windows 2000 forest. You must divide groups that include more than 5,000 members into smaller groups when you upgrade to Windows 2000. The Windows Server 2003 interim forest functional level is ideal if the groups in any domains in your existing Windows NT 4.0 environment include more than 5,000 members. When you are operating at the Windows Server 2003 interim functional level, you can take advantage of group membership replication improvements, which support large groups of more than 5,000 members.
When upgrading your Windows NT 4.0 environment to Windows Server 2003, you can choose to do one of the following:
Upgrade to a regional domain in an existing Windows Server 2003 forest.
Upgrade to a single domain forest.
Whether you decide to upgrade to a regional domain in an existing Windows Server 2003 forest or upgrade to a single domain forest, if you choose to raise the forest functional level to Windows Server 2003 interim, you must remain at the Windows Server 2003 interim functional level until you upgrade all other Windows NT 4.0-based domain controllers to Windows Server 2003 or retire them from service. The Windows Server 2003 interim functional level supports both Windows NT 4.0-based domain controllers and Windows Server 2003-based domain controllers.
When you upgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest, it is recommended that you raise the forest functional level of the existing forest to Windows Server 2003 interim before upgrading the Windows NT 4.0 PDC to take advantage of the added features of the Windows Server 2003 interim functional level. After you raise the forest functional level of the existing forest to Windows Server 2003 interim, the domain functional level of the forest root domain and all subsequent regional domains is set by default to Windows Server 2003 interim.
When you upgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest, where the forest functional level is set to Windows 2000, functional levels are set in the new regional domain to the following by default, and they remain in effect until you raise them manually:
Windows 2000 mixed domain functional level
Windows 2000 forest functional level
You cannot use Active Directory administrative consoles to raise the forest functional level of the existing Windows Server 2003 forest root domain to Windows Server 2003 interim. Instead, use a Lightweight Directory Access Protocol (LDAP) application such as ADSI Edit or LDP in Windows Support Tools to edit the value of the msDS-Behavior-Version attribute.
To raise the forest functional level of the existing forest to Windows Server 2003 interim by using ADSI Edit
In ADSI Edit, expand the Configuration partition, and expand CN=Configuration,DC=forestname,DC=domainname,DC=com.
Right-click CN=Partitions, and then click Properties.
Select the msDS-Behavior-Version attribute.
Click Edit.
In the Value field, type 1 to raise the forest functional level to Windows Server 2003 interim.
Click OK.
After you raise the forest functional level to Windows Server 2003 interim forest, you cannot add Windows 2000-based domain controllers to the forest.
If you are deploying a new Windows Server 2003 forest root domain and are planning to upgrade a Windows NT 4.0 domain to a regional domain in this new environment, after you raise the forest functional level to Windows Server 2003 interim, upgrade the Windows NT 4.0 domain to Windows Server 2003. Select Child domain in an existing domain tree when prompted by the Active Directory Installation Wizard.
For more information about deploying a Windows Server 2003 forest root domain, see "Deploying the Windows Server 2003 Forest Root Domain" in this book.
When upgrading to a new Windows Server 2003 single domain forest by upgrading an existing Windows NT 4.0 PDC to Windows Server 2003, you are prompted to use the Active Directory Installation Wizard to install Active Directory. The wizard gives you the option of setting the forest functional level to Windows Server 2003 interim during the Active Directory installation process.
If you set the functional level during the Active Directory installation, both the domain and forest will be set at Windows Server 2003 interim after the installation process is complete and the computer is restarted.
Important If you do not set the functional level to Windows Server 2003 interim during the Active Directory installation process, functional levels are set by default to the following:
Windows 2000 forest functional level
Windows 2000 mixed domain functional level
Use the preceding procedure to manually raise the forest functional level to Windows Server 2003 interim with ADSI Edit after the Active Directory installation process is complete and the computer is restarted.
After you upgrade all Windows NT 4.0-based domain controllers in a domain to Windows Server 2003, you can raise the functional level of each domain in the forest to Windows Server 2003. Before you raise the domain functional level, however, you must ensure that no Windows NT 4.0-based domain controllers remain in the domain.
WARNING If Windows NT 4.0-based domain controllers are running in a domain when you raise the domain functional level to Windows Server 2003, they will no longer be able to communicate with the new Windows Server 2003 domain controllers and will not receive necessary updates.
Use the following LDAP query to identify any Windows NT 4.0 domain controllers remaining in the domain. Run the LDAP query against the Domain container in Active Directory Users and Computers. If you have not manually changed the value of the operatingSystemVersion attribute of the computer object, this query is conclusive for domain controllers running Windows NT 4.0. You must be a member of the Domain Admins group to run the following query.
To identify Windows NT 4.0-based domain controllers in a domain
From any Windows Server 2003-based domain controller, open Active Directory Users and Computers.
If the domain controller is not already connected to the appropriate domain, connect it to the domain as follows:
a. Right-click the current domain object, and then click Connect to domain.
b. In the Domain dialog box, type the DNS name of the domain that you want to connect to, or click Browse to select the domain from the domain tree, and then click OK.
Right-click the domain object, and then click Find.
In the Find dialog box, click Custom Search.
Click the domain for which you want to change the functional level.
Click the Advanced tab.
In the Enter LDAP query box, type the following, leaving no spaces between any characters (the query is not case-sensitive):
(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))
Click Find Now. This produces a list of the computers in the domain that are running Windows NT 4.0 and functioning as domain controllers.
A domain controller might appear in the list for any of the following reasons:
The domain controller is running Windows NT 4.0 and must be upgraded.
The domain controller has been upgraded to Windows Server 2003, but the change has not replicated to the target domain controller.
The domain controller is no longer in service, but its computer object has not been removed from the domain.
Before you can change the domain functional level to Windows Server 2003, you must physically locate any domain controller in the list, determine its current status, and either upgrade or remove the domain controller as appropriate.
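The query above, evaluated offline against constructed computer objects so that its three clauses and the blind spot the text notes (a hand-edited operatingSystemVersion) can be checked. This is an added example, not Deployment Kit code; the object names and attribute values in SAMPLE_COMPUTERS are constructed.

```python
"""Offline evaluation of the chapter's LDAP filter for Windows NT 4.0 domain
controllers. Added example, not Deployment Kit code; the computer objects in
SAMPLE_COMPUTERS are constructed."""
from typing import Dict, List

# The filter from the procedure, kept verbatim for reference.
NT4_DC_QUERY = ("(&(objectCategory=computer)(operatingSystemVersion=4*)"
                "(userAccountControl:1.2.840.113556.1.4.803:=8192))")

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule: the clause is
# true when every bit of 8192 is set in userAccountControl.
SERVER_TRUST_ACCOUNT = 0x2000       # 8192: the computer account is a domain controller
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: an ordinary member computer
TRUSTED_FOR_DELEGATION = 0x80000    # 524288: commonly also set on DC accounts


def _category_is_computer(value: str) -> bool:
    # objectCategory is DN-valued in the directory; the filter names the class,
    # so accept the bare class name or the CN=Computer RDN of the DN.
    first_rdn = value.split(",")[0].strip().lower()
    return first_rdn in ("computer", "cn=computer")


def is_nt4_domain_controller(entry: Dict[str, object]) -> bool:
    """Apply the three ANDed clauses of NT4_DC_QUERY to one computer object."""
    if not _category_is_computer(str(entry.get("objectCategory", ""))):
        return False
    # (operatingSystemVersion=4*) is a prefix match: "4.0" matches,
    # "5.2 (3790)" (Windows Server 2003) does not.
    if not str(entry.get("operatingSystemVersion", "")).startswith("4"):
        return False
    uac = int(entry.get("userAccountControl", 0))
    # A plain equality test (userAccountControl=8192) would miss DC accounts that
    # carry extra flags such as TRUSTED_FOR_DELEGATION; the bitwise rule does not.
    return uac & SERVER_TRUST_ACCOUNT == SERVER_TRUST_ACCOUNT


def find_nt4_domain_controllers(entries: List[Dict[str, object]]) -> List[str]:
    """Names of the objects the query would list, in sorted order."""
    return sorted(str(e["name"]) for e in entries if is_nt4_domain_controller(e))


# Constructed sample objects covering the cases the chapter discusses.
SAMPLE_COMPUTERS: List[Dict[str, object]] = [
    # A live Windows NT 4.0 BDC that still has to be upgraded.
    {"name": "NT4BDC01", "objectCategory": "computer",
     "operatingSystemVersion": "4.0",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    # Already upgraded to Windows Server 2003: excluded by the version prefix.
    {"name": "WS03DC01", "objectCategory": "computer",
     "operatingSystemVersion": "5.2 (3790)",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    # An NT 4.0 workstation: right version, but not a domain controller.
    {"name": "NT4WKS17", "objectCategory": "computer",
     "operatingSystemVersion": "4.0",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    # A retired BDC whose computer object was never deleted: still listed, so the
    # object has to be located and removed before the level can be raised.
    {"name": "OLDBDC02", "objectCategory": "computer",
     "operatingSystemVersion": "4.0",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    # The blind spot the text warns about: an NT 4.0 BDC whose operatingSystemVersion
    # was edited by hand is not found, so the query is no longer conclusive.
    {"name": "EDITEDBDC", "objectCategory": "computer",
     "operatingSystemVersion": "5.0",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
]

if __name__ == "__main__":
    print(find_nt4_domain_controllers(SAMPLE_COMPUTERS))  # ['NT4BDC01', 'OLDBDC02']
```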
For more information about LDAP queries, see the Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at https://www.microsoft.com/reskit).
After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level to Windows Server 2003. This enables you to take advantage of all Windows Server 2003 forest-level features.
If any domains in the forest are still operating at the Windows Server 2003 interim functional level, you will be unable to raise the forest functional level to Windows Server 2003. Ensure that all domains are operating at the Windows Server 2003 functional level before you raise the forest functional level.
If your Windows 2000 forest includes one or more domains that contain Windows NT 4.0-based domain controllers, those domains are in Windows 2000 mixed mode. Domains that include only Windows 2000-based domain controllers might be in Windows 2000 mixed mode or native mode. Functional levels in a mixed Windows 2000 forest are set by default when you deploy the first Windows Server 2003-based domain controller.
For more information about deploying Windows Server 2003 in a mixed Windows 2000 environment, see "Upgrading Windows 2000 Domains to Windows Server 2003 Domains" in this book.
You can introduce a Windows Server 2003-based domain controller in a mixed environment in one of two ways:
By installing a new Windows Server 2003-based domain controller.
By upgrading an existing Windows 2000 domain controller in the forest to Windows Server 2003.
Functional levels are set at the following levels by default, and remain at these levels until they are raised manually:
Windows 2000 mixed or Windows 2000 native domain functional level, depending on whether the domain was in mixed mode or native mode prior to the upgrade.
Windows 2000 forest functional level.
If the domain functional level is set to Windows 2000 mixed after the initial upgrade, the domain must remain at that level for as long as Windows NT 4.0-based domain controllers are in the domain. If you upgrade all Windows NT 4.0-based domain controllers to either Windows 2000 or Windows Server 2003 and decommission the Windows NT 4.0-based domain controllers that you do not intend to upgrade, you can raise the domain functional level to Windows 2000 native.
If the domain functional level is set to Windows 2000 native after the initial upgrade, the domain must remain at that level for as long as Windows 2000-based domain controllers are operating in the domain.
Note: This also applies to Windows NT 4.0 environments in which you intend to deploy one or more Windows 2000 domain controllers in the future. After the initial upgrade, the domain must remain at a functional level of Windows 2000 mixed.
After you upgrade all Windows 2000-based domain controllers to Windows Server 2003, you can raise the functional levels of the domains in the forest to Windows Server 2003. Before you raise the domain functional level, you must verify that no Windows NT 4.0-based domain controllers remain in the domain. For more information about identifying Windows NT 4.0-based domain controllers in a domain, see "Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0 Environment" earlier in this chapter.
If all domain controllers in the domain are running Windows Server 2003, you can raise the domain functional level from Windows 2000 mixed to Windows Server 2003 directly. Alternatively, you can raise the functional level step by step - from Windows 2000 mixed to Windows 2000 native and then to Windows Server 2003.
After you upgrade all domain controllers in the forest to Windows Server 2003 and raise all domains to the Windows 2000 native or Windows Server 2003 functional level, you can raise the forest functional level to Windows Server 2003. This automatically raises the functional level of any remaining domains that are operating at the Windows 2000 native functional level to Windows Server 2003.
If the domains in your Windows 2000 forest include only Windows 2000 domain controllers and are in Windows 2000 native mode, deploy a Windows Server 2003-based domain controller to enable functional levels.
For more information about deploying Windows Server 2003 in a Windows 2000 environment, see "Upgrading Windows 2000 Domains to Windows Server 2003 Domains" in this book.
In an environment that contains only domain controllers running Windows 2000, you can introduce a Windows Server 2003-based domain controller in one of two ways:
By installing a new Windows Server 2003-based domain controller.
By upgrading an existing Windows 2000 domain controller in the forest to Windows Server 2003.
Functional levels are set by default to the following levels, and they remain at these levels until they are raised manually:
Windows 2000 native domain functional level
Windows 2000 forest functional level
Note: If your Windows 2000 forest consists solely of Windows 2000-based domain controllers, but one or more of your domains are operating in mixed mode, see "Enabling Windows Server 2003 Functional Levels in a Mixed Windows 2000 Environment" earlier in this chapter.
To take advantage of the Windows Server 2003 domain-level features without waiting to complete the upgrade of your Windows 2000 forest to Windows Server 2003, raise only the domain functional level to Windows Server 2003. Before you raise the domain functional level, you must upgrade all Windows 2000-based domain controllers in the domain to Windows Server 2003.
After you upgrade all Windows 2000-based domain controllers in the forest to Windows Server 2003, make sure that the domain functional level of each domain is set to Windows 2000 native or higher. Then raise the forest functional level to Windows Server 2003. Raising the forest functional level to Windows Server 2003 automatically raises the functional level of all domains in the forest that are set to Windows 2000 native or higher to Windows Server 2003.
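Checking the levels before the forest is raised, as an added example that is not part of the Deployment Kit text: a PowerShell function that reads the forest functional level from the Partitions container and the functional level of every domain in the forest from its domain naming context head, then reports which domains would block raising the forest functional level to Windows Server 2003 (domains at Windows 2000 mixed or Windows Server 2003 interim; Windows 2000 native domains are raised automatically, as the paragraph above states). It uses System.DirectoryServices only; the attributes read (msDS-Behavior-Version and nTMixedDomain) are the ones Active Directory stores functional levels in, and the value-to-name mapping is given in the comments.

```powershell
# Added example (not from the Deployment Kit). Reports the functional level of
# the forest and of every domain in it, and flags the domains whose level
# blocks raising the forest functional level to Windows Server 2003.
function Get-FunctionalLevelReadiness {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext

    # Reads a single-valued attribute from a DirectoryEntry; $null if the
    # attribute is absent or not yet defined in the schema.
    function Read-Attribute($entry, $name) {
        try {
            $entry.RefreshCache(@($name))
            if ($entry.Properties.Contains($name)) { $entry.Properties[$name].Value } else { $null }
        } catch { $null }
    }

    # The forest level lives on CN=Partitions: 0 = Windows 2000, 1 = Windows
    # Server 2003 interim, 2 = Windows Server 2003 (later versions use 3 and up).
    $partitions  = [ADSI]"LDAP://CN=Partitions,$configNC"
    $forestValue = [int](Read-Attribute $partitions 'msDS-Behavior-Version')
    $forestNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
    $forestLevel = if ($forestNames.ContainsKey($forestValue)) { $forestNames[$forestValue] } else { "value $forestValue (newer than Windows Server 2003)" }

    # Every domain in the forest has a crossRef object under CN=Partitions with
    # bit 0x2 (FLAG_CR_NTDS_DOMAIN) set in systemFlags.
    $filter   = '(&(objectCategory=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions, $filter)
    [void]$searcher.PropertiesToLoad.Add('nCName')
    [void]$searcher.PropertiesToLoad.Add('dnsRoot')

    $domains = @(foreach ($cr in $searcher.FindAll()) {
        $ncName  = [string]$cr.Properties['ncname'][0]
        $dnsRoot = [string]$cr.Properties['dnsroot'][0]

        # Bind through the domain's DNS name so that a DC of that domain answers.
        $nc    = [ADSI]"LDAP://$dnsRoot/$ncName"
        $value = [int](Read-Attribute $nc 'msDS-Behavior-Version')
        $mixed = [int](Read-Attribute $nc 'nTMixedDomain')

        # Domain level: 0 with nTMixedDomain=1 -> Windows 2000 mixed; 0 with 0 ->
        # Windows 2000 native; 1 -> Windows Server 2003 interim; 2 -> Windows Server 2003.
        $level = switch ($value) {
            0       { if ($mixed -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
            1       { 'Windows Server 2003 interim' }
            2       { 'Windows Server 2003' }
            default { "value $value (newer than Windows Server 2003)" }
        }
        # Raising the forest to Windows Server 2003 auto-raises Windows 2000 native
        # domains; mixed and interim domains have to be raised first.
        $blocks = ($level -eq 'Windows 2000 mixed') -or ($level -eq 'Windows Server 2003 interim')

        New-Object PSObject -Property @{ Domain = $dnsRoot; Level = $level; BlocksForestRaise = $blocks }
    })

    New-Object PSObject -Property @{
        ForestLevel        = $forestLevel
        Domains            = $domains
        ReadyForForest2003 = (@($domains | Where-Object { $_.BlocksForestRaise }).Count -eq 0)
    }
}

$report = Get-FunctionalLevelReadiness
"Forest functional level: $($report.ForestLevel)"
$report.Domains | Format-Table Domain, Level, BlocksForestRaise -AutoSize
"All domains at Windows 2000 native or higher (no mixed or interim): $($report.ReadyForForest2003)"
```

ReadyForForest2003 covers only the functional-level condition; the other condition in the text, that every domain controller in the forest already runs Windows Server 2003, is a separate check of the domain controller accounts in each domain.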
After you have installed the first domain controller in a new Windows Server 2003 forest, functional levels are set by default to the following levels, and remain at these levels until they are raised manually:
Windows 2000 mixed domain functional level
Windows 2000 forest functional level
Functional levels are set at these levels to allow you the option of adding Windows 2000 or Windows NT 4.0-based domain controllers to your new Windows Server 2003 forest.
After you create a forest root domain, the domain functional level for each additional domain that you add to the Windows Server 2003 forest is set to Windows 2000 mixed.
Important: If the forest is operating at the Windows Server 2003 functional level, and you attempt to install Active Directory on a Windows 2000-based member server, the installation will fail. If you install Active Directory on a Windows Server 2003-based member server in order to create a new regional domain, the domain functional level is set to Windows Server 2003.
After you deploy the new Windows Server 2003 forest and the domain functional level is set in all domains, raise the domain functional level and then the forest functional level to Windows Server 2003. This enables you to take advantage of all Windows Server 2003 forest- and domain-level features. Thereafter, all new domains that you create are set at the Windows Server 2003 domain functional level.
These resources contain additional information and tools related to this chapter.
"Deploying the Windows Server 2003 Forest Root Domain" in this book.
"Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory" in this book.
"Upgrading Windows 2000 Domains to Windows Server 2003 Domains" in this book.
The Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at https://www.microsoft.com/reskit) for more information about Active Directory functional levels.
Article 322692, "HOW TO: Raise the domain functional level in Windows Server 2003," in the Microsoft Knowledge Base for more information about raising functional levels. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
ADSI Edit
The ADSI Edit tool (Adsiedit.exe) is a Microsoft Management Console snap-in that you can use to edit objects in the Active Directory database. For more information about Adsiedit.exe in Help and
LDP
LDP provides an interface to perform LDAP operations against Active Directory. For more information about LDP in Help and
For best results in identifying Help topics by title, in Help and
"New features for Active Directory" in Help and
"Raising domain and forest functional levels" in Help and
"Domain Controller Assessment" (DSSPFL_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Domain Controller Assessment" on the Web at https://microsoft.com/reskit).