
Forest and Domain Functional Levels



Domain and forest functional levels provide a means of enabling additional domain-wide and forest-wide Active Directory features, removing outdated backward compatibility from an environment, and improving Active Directory performance and security. In Windows 2000, domain functional levels were called domain modes: a Windows 2000 forest had a single mode, and a domain could be set to either mixed mode or native mode. Windows Server 2003 Active Directory introduced the Windows Server 2003 interim functional level and the Windows Server 2003 functional level for both domains and forests. The four domain functional levels that can be set for a domain are Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003; the default domain functional level is Windows 2000 mixed. The three forest functional levels are Windows 2000, Windows Server 2003 interim, and Windows Server 2003; the default forest functional level is Windows 2000.

When the Windows Server 2003 functional level is enabled in an environment, additional domain-wide and forest-wide Active Directory features are enabled automatically. The Windows Server 2003 functional level can be enabled only once all domain controllers are running Windows Server 2003. Domain and forest functional levels are raised with the Active Directory Domains And Trusts console.

Domain Functional Levels

When the domain functional level is raised from Windows 2000 mixed to Windows 2000 native or to Windows Server 2003, domain controllers are regarded as peers of one another. In practice this means that the domain master concept no longer exists, and neither does pre-Windows 2000 replication. Anyone considering raising the domain functional level to Windows Server 2003 should remember that, once the level is raised, no Windows 2000 domain controller can be added to that domain.

Windows 2000 Mixed Domain Functional Level

Any newly installed domain controller operates at the Windows 2000 mixed domain functional level by default, which makes Windows 2000 mixed the default functional level for all Windows Server 2003 domains. The Windows 2000 mixed domain functional level allows Windows Server 2003 domain controllers to operate together with Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. The only Windows NT domain controllers supported are Windows NT backup domain controllers (BDCs); Windows NT primary domain controllers do not exist in Active Directory, where domain controllers act as peers of one another. The Windows 2000 mixed domain functional level is usually used while migrating domain controllers from Windows NT to Windows 2000.

The Windows 2000 mixed domain functional level can be raised to:
Windows 2000 native domain functional level
Windows Server 2003 domain functional level

The Active Directory domain features that are available in Windows 2000 mixed domain functional level are listed below:
Local and Global groups
Distribution Groups
Distribution Group nesting
Global Catalog support
Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 mixed domain functional level are listed below:
Renaming domain controllers
Universal Groups
Security group nesting
SID History
Update logon time stamp
Group conversion between Security Groups and Distribution Groups
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

Windows 2000 Native Domain Functional Level

The Windows 2000 native domain functional level allows Windows Server 2003 domain controllers to operate with Windows 2000 domain controllers and other Windows Server 2003 domain controllers. This level is typically used while upgrading domain controllers from Windows 2000 to Windows Server 2003. Windows NT 4.0 backup domain controllers are not supported at the Windows 2000 native domain functional level. Once set, Windows 2000 native cannot be lowered back to the Windows 2000 mixed domain functional level.

The Windows 2000 native domain functional level can be raised only to:
Windows Server 2003 domain functional level.

The Active Directory domain features that are available in Windows 2000 native domain functional level are listed below:
Local and Global groups
Distribution Groups
Distribution group nesting
Security group nesting
Universal Groups
Group conversion between Security Groups and Distribution Groups
Global Catalog support
SID History
Up to 1,000,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 native domain functional level are listed below:
Renaming domain controllers
Update logon time stamp
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

Windows Server 2003 Interim Domain Functional Level

The Windows Server 2003 interim domain functional level enables domain controllers running Windows Server 2003 to function in a domain that also contains Windows NT 4.0 domain controllers. Windows 2000 domain controllers are not supported at this level. This level can be set only when upgrading from Windows NT to Windows Server 2003, and it can be raised only to the Windows Server 2003 domain functional level. It is typically used when the existing Windows NT 4.0 backup domain controllers will not be upgraded to Windows Server 2003 immediately, or when the existing Windows NT domain has groups with more than 5,000 members.

The Active Directory domain features that are available in Windows Server 2003 interim domain functional level are listed below:
Local and Global groups
Distribution groups
Distribution group nesting
Global Catalog support
Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows Server 2003 interim domain functional level are listed below:
Renaming domain controllers
Universal Groups
Security group nesting
SID History
Update logon timestamp
Group conversion between Security Groups and Distribution Groups
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

Windows Server 2003 Domain Functional Level

The Windows Server 2003 domain functional level is the highest level that can be set for a domain. It requires that all domain controllers in the domain run Windows Server 2003, so such domains do not support Windows NT 4 or Windows 2000 domain controllers. Once a domain is set to the Windows Server 2003 domain functional level, it cannot be lowered to any of the previous domain functional levels.

All Active Directory domain features are available in Windows Server 2003 domain functional level:
Local and Global groups
Distribution Groups
Distribution group nesting
Security group nesting
Universal Groups
Group conversion between Security Groups and Distribution Groups
Global Catalog support
SID History
Up to 1,000,000 domain objects are supported
Renaming domain controllers
Update logon time stamp
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

How to Check which Domain Functional Level is Set for the Domain

Open the Active Directory Domains And Trusts console.
Right-click the domain whose functional level you want to verify and select Raise Domain Functional Level from the shortcut menu.
The Raise Domain Functional Level dialog box opens.
The existing level for the domain is shown under Current domain functional level.

How to Raise the Domain Functional Level to the Windows 2000 Native Domain Functional Level or Windows Server 2003 Domain Functional Level

Before raising the domain functional level to Windows Server 2003, every domain controller in the domain has to be running Windows Server 2003.

To raise the domain functional level for a domain:
Open the Active Directory Domains And Trusts console.
Right-click the domain whose functional level you want to raise and select Raise Domain Functional Level from the shortcut menu.
The Raise Domain Functional Level dialog box opens.
Use the Select An Available Domain Functional Level list to choose the new domain functional level for the domain.
Click Raise.
Click OK.

Forest Functional Levels

While Windows 2000 has only one forest functional level, Windows Server 2003 has three. Forest functional levels enable forest-wide Active Directory features in an Active Directory environment, and they work very much like the domain functional levels.

Windows 2000 Forest Functional Level

This is the default forest functional level: all newly created Windows Server 2003 forests start at this level. The Windows 2000 forest functional level supports Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers.

The Active Directory forest features that are available in Windows 2000 forest functional level are listed below:
Universal Group caching
Application directory partitions
Global Catalog replication enhancements
Installations from backups
The Active Directory quota feature
SIS for system access control lists (SACL)

The Active Directory forest features that are not supported in Windows 2000 forest functional level are listed below:
Domain renaming
Forest Trust
Defunct schema objects
Linked value replication
Dynamic auxiliary classes
Improved Knowledge Consistency Checker (KCC) replication algorithms
Application groups
InetOrgPerson objectClass
NTDS.DIT size reduction

Windows Server 2003 Interim Forest Functional Level

The Windows Server 2003 interim forest functional level supports Windows NT 4 and Windows Server 2003 domain controllers and is used when upgrading from Windows NT 4 to Windows Server 2003. This level is also chosen when the existing Windows NT 4 backup domain controllers will not be upgraded immediately, or when the existing Windows NT 4.0 domain has groups with more than 5,000 members. No Windows 2000 domain controllers can exist in a forest set to the Windows Server 2003 interim forest functional level. This level can be raised only to the Windows Server 2003 forest functional level.

The Active Directory forest-wide features that are available in Windows Server 2003 interim forest functional level are listed below:
Universal Group caching
Application directory partitions
Global Catalog replication enhancements
Installations from backups
The Active Directory quota feature
SIS for system access control lists (SACL)
Improved Knowledge Consistency Checker (KCC) replication algorithms
Linked value replication

The Active Directory forest features that are not supported in Windows Server 2003 interim forest functional level are listed below:
Domain renaming
Forest Trust
Defunct schema objects
Dynamic auxiliary classes
Application groups
InetOrgPerson objectClass
NTDS.DIT size reduction

Windows Server 2003 Forest Functional Level

All domain controllers in the forest have to be running Windows Server 2003 before the forest functional level can be raised to Windows Server 2003; in other words, no domain controller in the forest can be running Windows NT 4 or Windows 2000. At the Windows Server 2003 forest functional level, all forest-wide Active Directory features are available, including the following:
Domain renaming
Forest Trust
Defunct schema objects
Dynamic auxiliary classes
Application groups
Universal Group caching
Application directory partitions
Global Catalog replication enhancements
Installations from backups
The Active Directory quota feature
SIS for system access control lists (SACL)
Improved Knowledge Consistency Checker (KCC) replication algorithms
Linked value replication
InetOrgPerson objectClass
NTDS.DIT size reduction

How to Check which Forest Functional Level is Set for the Forest

Open the Active Directory Domains And Trusts console.
Right-click Active Directory Domains And Trusts in the console tree and select Raise Forest Functional Level from the shortcut menu.
The Raise Forest Functional Level dialog box opens.
The existing level for the forest is shown under Current forest functional level.

How to Raise the Forest Functional Level to Windows Server 2003 Forest Functional Level

Every domain controller in the forest has to be running Windows Server 2003 before the forest functional level can be raised to Windows Server 2003. When the forest functional level is raised, all domains in the forest automatically have their domain functional level raised to Windows Server 2003.

To raise the forest functional level for a forest:
Open the Active Directory Domains And Trusts console.
Right-click Active Directory Domains And Trusts in the console tree and select Raise Forest Functional Level from the shortcut menu.
The Raise Forest Functional Level dialog box opens.
Click Raise.
Click OK.
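As an added example (not code from the original article), the following PowerShell reads the same domain and forest functional levels that the two dialogs above display directly from RootDSE, and lists the domain controllers that would block a raise to Windows Server 2003. It assumes a domain-joined machine with PowerShell 3.0 or later; the RootDSE attribute names, the ntMixedDomain attribute and the integer-to-name mapping are standard Active Directory and are not taken from the article.

```powershell
# Added example, not from the original article: a read-only check of the current
# functional levels and of which domain controllers would block a raise to
# Windows Server 2003. Uses only ADSI/.NET, so it runs without the RSAT module.

# RootDSE publishes the levels as integers. 0-2 are the levels this article
# covers; higher values belong to later Windows Server releases.
$levelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
    7 = 'Windows Server 2016'
}

$rootDse     = [ADSI]'LDAP://RootDSE'
$domainLevel = [int]$rootDse.domainFunctionality.Value
$forestLevel = [int]$rootDse.forestFunctionality.Value
$dcLevel     = [int]$rootDse.domainControllerFunctionality.Value

# domainFunctionality does not separate Windows 2000 mixed from native; that is
# recorded in ntMixedDomain on the domain head object (1 = mixed, 0 = native).
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext.Value)"
$isMixed = ($domainLevel -eq 0) -and ([int]$domain.ntMixedDomain.Value -eq 1)

$domainName = $levelNames[$domainLevel]
if ($domainLevel -eq 0) { $domainName += $(if ($isMixed) { ' mixed' } else { ' native' }) }

"Domain functional level : $domainName"
"Forest functional level : $($levelNames[$forestLevel])"
"This DC's functionality : $($levelNames[$dcLevel])"

# Inventory the writable domain controllers (SERVER_TRUST_ACCOUNT, 0x2000 in
# userAccountControl) with their OS. Per the article, the domain can be raised
# to Windows Server 2003 only when every DC runs it, and the raise is one-way,
# so review the blockers before touching the dialog.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem'))

$dcs = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{ Name = [string]$r.Properties['name']
                       OS   = [string]$r.Properties['operatingsystem'] }
}
($dcs | Format-Table -AutoSize | Out-String).Trim()
$blockers = $dcs | Where-Object { $_.OS -notmatch 'Windows Server 2003' }
if ($blockers) { "Blocking a raise to Windows Server 2003: $($blockers.Name -join ', ')" }
else           { 'All DCs run Windows Server 2003; the domain can be raised (one-way).' }
```

The blocker check applies the article's rule literally (anything other than Windows Server 2003 blocks the raise); in a forest whose target level is newer, adjust the pattern to the level you intend to raise to.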

Approaches for Raising Functional Levels

One of the following approaches can be used to move from the Windows 2000 mixed or Windows 2000 native functional level to the Windows Server 2003 functional level for the entire forest:
Windows 2000 native route: raise the domain functional level to Windows 2000 native, then raise the forest functional level to Windows Server 2003.
Windows Server 2003 route: raise the domain functional level to Windows 2000 native, then to Windows Server 2003, and lastly raise the forest functional level to Windows Server 2003.
