Forest and Domain Functional Levels

Overview of Domain and Forest Functional levels

Domain and forest functional levels provide the means by which you can enable additional domain-wide and forest-wide Active Directory features, remove outdated backward compatibility within your environment, and improve Active Directory performance and security. In Windows 2000, domain functional levels were called domain modes. Forests in Windows 2000 have one mode, and domains can have the domain mode set to either mixed mode or native mode. Windows Server 2003 Active Directory introduced the Windows Server 2003 interim functional level and the Windows Server 2003 functional level for both domains and forests. The four domain functional levels that can be set for domain controllers are Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The default domain functional level is Windows 2000 mixed. The three forest functional levels are Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000.

When the Windows Server 2003 functional level is enabled in your environment, additional Active Directory domain-wide and forest-wide features are automatically enabled. Windows Server 2003 functional level is enabled in your environment when all domain controllers are running Windows Server 2003. The Active Directory Domains And Trusts console is used to raise the functional levels of domains and forests in Active Directory.

Domain Functional Levels

When the domain functional level is raised from Windows 2000 mixed to Windows 2000 native or to the Windows Server 2003 functional level, domain controllers are regarded as peers to each other. This means that the domain master concept no longer exists. It also means that pre-Windows 2000 replication no longer exists. If you are considering raising the domain functional level within your environment to Windows Server 2003, remember that after the domain functional level is raised, you cannot add any Windows 2000 server to that domain.

Windows 2000 Mixed Domain Functional Level

Any newly installed domain controller operates in Windows 2000 mixed domain functional level for the domain by default. This makes the Windows 2000 mixed domain functional level the default functional level for all Windows Server 2003 domains. Windows 2000 mixed domain functional level enables the Windows Server 2003 domain controller to operate together with Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. The only Windows NT domain controllers supported are Windows NT backup domain controllers (BDCs). Windows NT primary domain controllers do not exist in Active Directory. In Active Directory, domain controllers act as peers to one another. Windows 2000 mixed domain functional level is usually used to migrate domain controllers from Windows NT to Windows 2000 domain controllers.

You can raise Windows 2000 mixed domain functional level to

  • Windows 2000 native domain functional level
  • Windows Server 2003 domain functional level

The Active Directory domain features that are available in Windows 2000 mixed domain functional level are listed below:

  • Local and Global groups
  • Distribution Groups
  • Distribution Group nesting
  • Global Catalog support
  • Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 mixed domain functional level are listed below:

  • Renaming domain controllers
  • Universal Groups
  • Security group nesting
  • SID History
  • Update logon timestamp
  • Group conversion between Security Groups and Distribution Groups
  • Users/Computers container redirection
  • Constrained delegation
  • User password support on the InetOrgPerson object

Windows 2000 Native Domain Functional Level

The Windows 2000 native domain functional level enables Windows Server 2003 domain controllers to operate with Windows 2000 domain controllers and Windows Server 2003 domain controllers. This domain functional level is typically used to support domain controller upgrades from Windows 2000 to Windows Server 2003. Windows NT 4.0 backup domain controllers are not supported in the Windows 2000 native domain functional level. Windows 2000 native cannot be lowered again to the Windows 2000 mixed domain functional level.

You can raise the Windows 2000 native domain functional level to

  • Windows Server 2003 domain functional level.

The Active Directory domain features that are available in Windows 2000 native domain functional level are listed below:

  • Local and Global groups
  • Distribution Groups
  • Distribution group nesting
  • Security group nesting
  • Universal Groups
  • Group conversion between Security Groups and Distribution Groups
  • Global Catalog support
  • SID History
  • Up to 1,000,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 native domain functional level are listed below:

  • Renaming domain controllers
  • Update logon timestamp
  • Users/Computers container redirection
  • Constrained delegation
  • User password support on the InetOrgPerson object

Windows Server 2003 Interim Domain Functional Level

Windows Server 2003 interim domain functional level enables domain controllers running Windows Server 2003 to function in a domain containing both Windows NT 4.0 domain controllers and Windows Server 2003 domain controllers. Domain controllers running Windows 2000 are not supported in this domain functional level. You can only set this domain functional level when upgrading from Windows NT to Windows Server 2003. In fact, the Windows Server 2003 interim domain functional level can only be raised to Windows Server 2003 domain functional level. Windows Server 2003 interim domain functional level is also typically used when you are not going to immediately upgrade your Windows NT 4.0 backup domain controllers to Windows Server 2003, and when your existing Windows NT domain has groups consisting of over 5,000 members.

The Active Directory domain features that are available in Windows Server 2003 interim domain functional level are listed below:

  • Local and Global groups
  • Distribution groups
  • Distribution group nesting
  • Global Catalog support
  • Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows Server 2003 interim domain functional level are listed below:

  • Renaming domain controllers
  • Universal Groups
  • Security group nesting
  • SID History
  • Update logon timestamp
  • Group conversion between Security Groups and Distribution Groups
  • Users/Computers container redirection
  • Constrained delegation
  • User password support on the InetOrgPerson object

Windows Server 2003 Domain Functional Level

Windows Server 2003 domain functional level is the highest level that can be specified for a domain. All domain controllers in the domain are running Windows Server 2003. This means that Windows NT 4 and Windows 2000 domain controllers are not supported in these domains. Once the domain level is set to Windows Server 2003 domain functional level, it cannot be lowered to any of the previous domain functional levels.

All Active Directory domain features are available in Windows Server 2003 domain functional level:

  • Local and Global groups
  • Distribution Groups
  • Distribution group nesting
  • Security group nesting
  • Universal Groups
  • Group conversion between Security Groups and Distribution Groups
  • Global Catalog support
  • SID History
  • Up to 1,000,000 domain objects are supported
  • Renaming domain controllers
  • Update logon timestamp
  • Users/Computers container redirection
  • Constrained delegation
  • User password support on the InetOrgPerson object

How to check which domain functional level is set for the domain

  1. Open the Active Directory Domains And Trusts console
  2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.
  3. The Raise Domain Functional Level dialog box opens
  4. You can view the existing domain functional level for the domain in Current domain functional level.

How to raise the domain functional level to the Windows 2000 native domain functional level or Windows Server 2003 domain functional level

Before you can raise the domain functional level to Windows Server 2003 domain functional level, each domain controller in the domain has to be running Windows Server 2003.

To raise the domain functional level for a domain,

  1. Open the Active Directory Domains And Trusts console
  2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.
  3. The Raise Domain Functional Level dialog box opens.
  4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
  5. Click Raise
  6. Click OK
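The rules above can be turned into a pre-flight check that names the domain controllers blocking each possible raise. This is an added example, not part of the original article: it assumes the current level has been read from the domain object's msDS-Behavior-Version and nTMixedDomain attributes (attribute names and values that the article does not mention), and the domain controller inventory is constructed sample data.

```python
# Added example: level rules come from the article; the attribute decoding is an
# assumption named in the lead-in, and the DC inventory below is constructed.
MIXED, NATIVE, INTERIM, WS2003 = (
    "Windows 2000 mixed", "Windows 2000 native",
    "Windows Server 2003 interim", "Windows Server 2003")

# DC operating systems each domain functional level supports (per the article).
SUPPORTED_DC_OS = {
    MIXED:   {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    NATIVE:  {"Windows 2000", "Windows Server 2003"},
    INTERIM: {"Windows NT 4.0", "Windows Server 2003"},
    WS2003:  {"Windows Server 2003"},
}
# Raises the article permits from each level; a raised level cannot be lowered.
RAISE_TARGETS = {MIXED: [NATIVE, WS2003], NATIVE: [WS2003],
                 INTERIM: [WS2003], WS2003: []}

def decode_domain_level(behavior_version, nt_mixed_domain):
    """Map msDS-Behavior-Version / nTMixedDomain values to a level name."""
    if behavior_version == 0:
        return MIXED if nt_mixed_domain == 1 else NATIVE
    if behavior_version == 1:
        return INTERIM
    if behavior_version == 2:
        return WS2003
    raise ValueError(f"level {behavior_version} is outside this article's scope")

def preflight(behavior_version, nt_mixed_domain, dc_inventory):
    """Return (current level, {target level: [names of blocking DCs]}).
    An empty blocker list means every DC already meets that target level."""
    current = decode_domain_level(behavior_version, nt_mixed_domain)
    report = {}
    for target in RAISE_TARGETS[current]:
        allowed = SUPPORTED_DC_OS[target]
        report[target] = sorted(name for name, os_name in dc_inventory.items()
                                if os_name not in allowed)
    return current, report

# Constructed inventory: DC name -> operating system family.
SAMPLE_DCS = {"DC01": "Windows Server 2003", "DC02": "Windows 2000",
              "BDC1": "Windows NT 4.0"}

if __name__ == "__main__":
    level, report = preflight(0, 1, SAMPLE_DCS)
    print("Current level:", level)
    for target, blockers in report.items():
        print(f"  -> {target}:", "OK" if not blockers else f"blocked by {blockers}")
```

Because a raised level cannot be lowered, clear every blocker reported for the target level before clicking Raise.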

Forest Functional Levels

While Windows 2000 has only one forest functional level, Windows Server 2003 has three forest functional levels. Through the forest functional levels, you can enable forest-wide Active Directory features in your Active Directory environment. The forest functional levels work very much like the domain functional levels.

Windows 2000 Forest Functional Level

This is the default forest functional level, which means that all newly created Windows Server 2003 forests have this level when initially created. The Windows 2000 forest functional level supports Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers.

The Active Directory forest features that are available in Windows 2000 forest functional level are listed below:

  • Universal Group caching
  • Application directory partitions
  • Global Catalog replication enhancements
  • Installations from backups
  • The Active Directory quota feature
  • SIS for system access control lists (SACL)

The Active Directory forest features that are not supported in Windows 2000 forest functional level are listed below:

  • Domain renaming
  • Forest Trust
  • Defunct schema objects
  • Linked value replication
  • Dynamic auxiliary classes
  • Improved Knowledge Consistency Checker (KCC) replication algorithms
  • Application groups
  • InetOrgPerson objectClass
  • NTDS.DIT size reduction

Windows Server 2003 Interim Forest Functional Level

Domain controllers in a domain running Windows NT 4 and Windows Server 2003 are supported in the Windows Server 2003 interim forest functional level. This level is used when upgrading from Windows NT 4 to Windows Server 2003. The functional level is also configured when you are not planning to immediately upgrade your existing Windows NT 4 backup domain controllers, or your existing Windows NT 4.0 domain has groups consisting of over 5,000 members. No Windows 2000 domain controllers can exist if the Windows Server 2003 interim forest functional level is set for the forest. The Windows Server 2003 interim forest functional level can only be raised to the Windows Server 2003 forest functional level.

The Active Directory forest-wide features that are available in Windows Server 2003 interim forest functional level are listed below:

  • Universal Group caching
  • Application directory partitions
  • Global Catalog replication enhancements
  • Installations from backups
  • The Active Directory quota feature
  • SIS for system access control lists (SACL)
  • Improved Knowledge Consistency Checker (KCC) replication algorithms
  • Linked value replication

The Active Directory forest features that are not supported in Windows Server 2003 interim forest functional level are listed below:

  • Domain renaming
  • Forest Trust
  • Defunct schema objects
  • Dynamic auxiliary classes
  • Application groups
  • InetOrgPerson objectClass
  • NTDS.DIT size reduction

Windows Server 2003 Forest Functional Level

All domain controllers in the forest have to be running Windows Server 2003 in order for the forest functional level to be raised to the Windows Server 2003 forest functional level. This means that no domain controllers in the Active Directory forest can be running Windows NT 4 or Windows 2000. In the Windows Server 2003 forest functional level, all forest-wide Active Directory features are available, including the following:

  • Domain renaming
  • Forest Trust
  • Defunct schema objects
  • Dynamic auxiliary classes
  • Application groups
  • Universal Group caching
  • Application directory partitions
  • Global Catalog replication enhancements
  • Installations from backups
  • The Active Directory quota feature
  • SIS for system access control lists (SACL)
  • Improved Knowledge Consistency Checker (KCC) replication algorithms
  • Linked value replication
  • InetOrgPerson objectClass
  • NTDS.DIT size reduction

How to check which forest functional level is set for the forest

  1. Open the Active Directory Domains And Trusts console
  2. Right-click Active Directory Domains and Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
  3. The Raise Forest Functional Level dialog box opens
  4. You can view the existing forest functional level for the forest in Current forest functional level.

How to raise the forest functional level to Windows Server 2003 forest functional level

Each domain controller in the forest has to be running Windows Server 2003 before you can change the forest functional level to Windows Server 2003. When you raise the forest functional level, all domains in the forest will automatically have their domain functional level raised to Windows Server 2003.

To raise the forest functional level for a forest,

  1. Open the Active Directory Domains And Trusts console
  2. Right-click Active Directory Domains And Trusts in the console tree, and select Raise Forest Functional Level from the shortcut menu.
  3. The Raise Forest Functional Level dialog box opens
  4. Click Raise
  5. Click OK

Approaches for Raising Functional Levels

You can use one of the following approaches to move from Windows 2000 mixed and Windows 2000 native functional levels to the Windows Server 2003 functional level for the entire forest. These are:

  • Windows 2000 native route: This approach involves raising the domain functional level to Windows 2000 native, and then raising the forest functional level to Windows Server 2003.
  • Windows Server 2003 route: This approach involves raising the domain functional level to Windows 2000 native, and then to the Windows Server 2003 functional level. Finally, the forest functional level has to be changed to Windows Server 2003.