Understanding Function Levels in Windows Server 2003 Active Directory
Posted on 07-Apr-2018
8/6/2019 Understanding Function Levels in Windows Server 2003 Active Directory
Understanding Function Levels in Windows Server 2003 Active Directory, by Daniel Petri - January 8, 2009
What are the domain and forest function levels in a Windows Server 2003-based Active Directory?
Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to
activate new Active Directory features after all the domain controllers in the domain or forest are
running the Windows Server 2003 operating system.
When a computer that is running Windows Server 2003 is installed and promoted to a domain
controller, new Active Directory features are activated by the Windows Server 2003 operating
system over its Windows 2000 counterparts. Additional Active Directory features are available when
all domain controllers in a domain or forest are running Windows Server 2003 and the administrator
activates the corresponding functional level in the domain or forest.
To activate the new domain features, all domain controllers in the domain must be running Windows
Server 2003. After this requirement is met, the administrator can raise the domain functional level
to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for
more info).
To activate new forest-wide features, all domain controllers in the forest must be running Windows
Server 2003, and the current forest functional level must be at Windows 2000 native or Windows
Server 2003 domain level. After this requirement is met, the administrator can raise the forest
functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more
info).
Note: Network clients can authenticate or access resources in the domain or forest without being
affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the
way that domain controllers interact with each other.
Important: Raising the domain and forest functional levels to Windows Server 2003 is a
nonreversible task and prohibits the addition of Windows NT 4.0-based or
Windows 2000-based domain controllers to the environment. Any existing
Windows NT 4.0 or Windows 2000-based domain controllers in the
environment will no longer function. Before raising functional levels to take
advantage of advanced Windows Server 2003 features, ensure that you will
never need to install domain controllers running Windows NT 4.0 or Windows
2000 in your environment.
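As an added example (not code from the original article), the following PowerShell script performs the read-only pre-flight check implied above: it reads the current domain and forest levels from RootDSE and lists the operating system of every domain controller in the domain, so that no Windows NT 4.0 or Windows 2000 domain controller is overlooked before the one-way raise. It assumes a domain-joined machine and a user who can read the directory, and uses only ADSI so that it works against Windows Server 2003 domain controllers; the 0/1/2 level encodings are the values RootDSE returns.

```powershell
# Added example, not from Daniel Petri's article: a read-only pre-flight check for the
# precondition above (every DC in the domain must already run Windows Server 2003).
# Uses ADSI/System.DirectoryServices only, so it works against 2003-era DCs without the
# ActiveDirectory module. Assumed: run on a domain-joined machine as a domain user.
# For the forest level, run it once in every domain of the forest.

# RootDSE domainFunctionality / forestFunctionality: 0 = Windows 2000, 1 = 2003 interim, 2 = 2003
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
function Get-LevelName([int]$level) {
    if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "level $level (newer than 2003)" }
}
function Get-Prop($result, [string]$name) {
    # SearchResult property names are lower-case; a missing attribute yields an empty string
    [string]($result.Properties[$name.ToLower()] | Select-Object -First 1)
}

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext.Value
$dLevel   = Get-LevelName $rootDse.domainFunctionality.Value
$fLevel   = Get-LevelName $rootDse.forestFunctionality.Value
"$domainDn : domain level = $dLevel, forest level = $fLevel"

# Every DC account has SERVER_TRUST_ACCOUNT (8192) set in userAccountControl; the OID is
# the LDAP bitwise-AND matching rule, so the filter is evaluated on the server.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]('name', 'operatingSystem', 'operatingSystemVersion'))

$dcs = foreach ($r in $searcher.FindAll()) {
    $os = Get-Prop $r 'operatingSystem'
    # NT 4.0 BDCs usually carry no operatingSystem value at all, so an empty value is
    # treated as blocking, the same as an explicit Windows NT / Windows 2000 value.
    $osShown = if ($os) { $os } else { '<not set>' }
    New-Object PSObject -Property @{
        Name            = Get-Prop $r 'name'
        OperatingSystem = $osShown
        Version         = Get-Prop $r 'operatingSystemVersion'
        BlocksRaise     = ($os -eq '') -or ($os -match 'Windows NT|Windows 2000')
    }
}
$dcs | Sort-Object Name | Format-Table Name, OperatingSystem, Version, BlocksRaise -AutoSize

$blockers = @($dcs | Where-Object { $_.BlocksRaise })
if ($blockers.Count -eq 0) {
    "All $(@($dcs).Count) domain controllers run Windows Server 2003; the level can be raised (one-way)."
} else {
    "Do NOT raise yet. Pre-2003 DCs: " + (($blockers | ForEach-Object { $_.Name }) -join ', ')
}
```

The script changes nothing in the directory; the raise itself is done as described in the linked Raise Domain/Forest Function Level articles.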
When the first Windows Server 2003-based domain controller is deployed in a domain or forest, a
set of default Active Directory features becomes available. The following table summarizes the
Active Directory features that are available by default on any domain controller running Windows
Server 2003:
Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.

Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

Active Directory command-line tools: Allows you to run new directory service commands for administration scenarios.

InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.

Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.

Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.
When the first Windows Server 2003-based domain controller is deployed in a domain or forest, the
domain or forest operates by default at the lowest functional level that is possible in that
environment. This allows you to take advantage of the default Active Directory features while
running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes
available. For example, the Windows Server 2003 interim forest functional level supports more
features than the Windows 2000 forest functional level, but fewer features than the Windows Server
2003 forest functional level supports. Windows Server 2003 is the highest functional level that is
available for a domain or forest. The Windows Server 2003 functional level supports the most
advanced Active Directory features; however, only Windows Server 2003 domain controllers can
operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain
controllers that are running versions of Windows earlier than Windows Server 2003 into that
domain. This applies to the forest functional level as well.
Domain Functional Level
Domain functionality activates features that affect the whole domain and that domain only. The four
domain functional levels, their corresponding features, and supported domain controllers are as
follows:
Windows 2000 mixed (Default)
Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server
2003
Activated features: local and global groups, global catalog support
Windows 2000 native
Supported domain controllers: Windows 2000, Windows Server 2003
Activated features: group nesting, universal groups, SidHistory, converting groups between
security groups and distribution groups, you can raise domain levels by increasing the forest
level settings
Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003
Supported features: There are no domain-wide features activated at this level. All domains in
a forest are automatically raised to this level when the forest level increases to interim. This
mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to
Windows Server 2003 domain controllers.
Windows Server 2003
Supported domain controllers: Windows Server 2003
Supported features: domain controller rename, logon timestamp attribute updated and
replicated. User password support on the InetOrgPerson objectClass. Constrained delegation, you
can redirect the Users and Computers containers.
Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server
2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains
maintain their current domain functional level when Windows 2000 domain controllers are upgraded
to the Windows Server 2003 operating system. You can raise the domain functional level to either
Windows 2000 native or Windows Server 2003.
After the domain functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the domain. For example, if you raise the domain functional level
to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added
to that domain.
The following describes the domain functional level and the domain-wide features that are activated
for that level. Note that with each successive level increase, the feature set of the previous level is
included.
Forest Functional Level
Forest functionality activates features across all the domains in your forest. Three forest functional
levels, the corresponding features, and their supported domain controllers are listed below.
Windows 2000 (default)
Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003
New features: Partial list includes universal group caching, application partitions, install from
media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access
Control Lists (SACL) in the Jet Database Engine, improved topology generation event logging.
No global catalog full sync when attributes are added to the PAS. A Windows Server 2003 domain
controller assumes the Intersite Topology Generator (ISTG) role.
Windows Server 2003 interim
Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from
a Windows NT 4.0 Domain" section of this article.
Activated features: Windows 2000 features plus Efficient Group Member Replication using
Linked Value Replication, Improved Replication Topology Generation. ISTG Aliveness no longer
replicated. Attributes added to the global catalog. ms-DS-Trust-Forest-Trust-Info. Trust-
Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-
To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory,
Print-Rate, Print-Rate-Unit
Windows Server 2003
Supported domain controllers: Windows Server 2003
Activated features: all features in Interim Level, Defunct schema objects, Cross Forest Trust,
Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change, Application
Groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers
upgraded from Windows 2000
After the forest functional level is raised, domain controllers that are running earlier operating
systems cannot be introduced into the forest. For example, if you raise forest functional levels to
Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server
cannot be added to the forest.
Links
Functional Levels Background Information
Related Articles
Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels
Raising Windows Server 2008 Active Directory Domain and Forest Functional Levels
Raise Domain Function Level in Windows Server 2003 Domains
Raise Forest Function Level in Windows Server 2003 Active Directory