understanding function levels in windows server 2003 active directory


  • 8/6/2019 Understanding Function Levels in Windows Server 2003 Active Directory

    1/5

    Understanding Function Levels in Windows Server 2003 Active Directory, by Daniel Petri - January 8, 2009


    What are the domain and forest functional levels in a Windows Server 2003-based Active Directory?

    Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000. They activate new Active Directory features once all the domain controllers in the domain or forest are running the Windows Server 2003 operating system.

    When a computer that is running Windows Server 2003 is installed and promoted to a domain controller, the Windows Server 2003 operating system activates a set of new Active Directory features over its Windows 2000 counterparts. Additional Active Directory features become available only when all domain controllers in a domain or forest are running Windows Server 2003 and the administrator activates the corresponding functional level in the domain or forest.

    To activate the new domain-wide features, all domain controllers in the domain must be running Windows Server 2003. After this requirement is met, the administrator can raise the domain functional level to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for more info).

    To activate new forest-wide features, all domain controllers in the forest must be running Windows Server 2003, and every domain in the forest must already be at the Windows 2000 native or Windows Server 2003 domain functional level (a domain still at Windows 2000 mixed or Windows Server 2003 interim blocks the forest raise). After this requirement is met, the administrator can raise the forest functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more info).

    Note: Network clients can authenticate or access resources in the domain or forest without being affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the way that domain controllers interact with each other; they do not change which authentication protocols clients may use.

    Important

    Raising the domain and forest functional levels to Windows Server 2003 is a nonreversible task and prohibits the addition of Windows NT 4.0-based or Windows 2000-based domain controllers to the environment. Any existing Windows NT 4.0 or Windows 2000-based domain controllers in the environment will no longer function. Before raising functional levels to take advantage of advanced Windows Server 2003 features, ensure that you will never need to install domain controllers running Windows NT 4.0 or Windows 2000 in your environment.

    When the first Windows Server 2003-based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. The following table summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003:


    Feature: Functionality

    Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.

    Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

    Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

    Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

    Active Directory command-line tools: Allows you to run new directory service commands (the ds* tools such as dsquery, dsget, dsadd and dsmod) for administration scenarios.

    InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.

    Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

    Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media (install from media, IFM) instead of replicating the whole directory over the network.

    Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on, by storing universal group membership information on an authenticating domain controller.

    Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. Note that this default governs only the connections the administrative tools themselves open; the domain controller still accepts unsigned LDAP binds from other clients unless the "Domain controller: LDAP server signing requirements" security policy is set to Require signing.

    Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

    Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Admins and Enterprise Admins groups are exempt from quotas.

    When the first Windows Server 2003-based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003.

    When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.

    If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.

    Domain Functional Level

    Domain functionality activates features that affect the whole domain and that domain only. The four domain functional levels, their corresponding features, and supported domain controllers are as follows:

    Windows 2000 mixed (Default)

    Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server 2003

    Activated features: local and global groups, global catalog support

    Windows 2000 native

    Supported domain controllers: Windows 2000, Windows Server 2003

    Activated features: group nesting, universal groups, SIDHistory, converting groups between security groups and distribution groups. A domain at this level is also raised automatically when the forest functional level is raised, because raising the forest level raises every domain that is still at Windows 2000 native. SIDHistory exists for migrations: the SIDs stored in a principal's sIDHistory attribute are added to its access token at logon, so the attribute is also a privilege escalation vector and should be cleared, and filtered on trusts, once a migration is complete.

    Windows Server 2003 interim

    Supported domain controllers: Windows NT 4.0, Windows Server 2003

    Supported features: There are no domain-wide features activated at this level. All domains in a forest are automatically raised to this level when the forest level increases to interim. This mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.

    Windows Server 2003

    Supported domain controllers: Windows Server 2003

    Supported features: domain controller rename, the logon timestamp attribute (lastLogonTimestamp) updated and replicated, user password support on the InetOrgPerson objectClass, constrained delegation (Kerberos delegation restricted to an explicit list of target services on the delegating account, instead of the any-service delegation that unconstrained delegation allows), and the ability to redirect the default Users and Computers containers.

    Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains maintain their current domain functional level when Windows 2000 domain controllers are upgraded to the Windows Server 2003 operating system. You can raise the domain functional level to either Windows 2000 native or Windows Server 2003.

    After the domain functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added to that domain.

    Note that with each successive level increase, the feature set of the previous level is included.
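    The level names above are what Active Directory Domains and Trusts displays; the directory itself stores them as numbers. The script below is an added example, not code from the original article: it reads msDS-Behavior-Version on the domain naming context and on CN=Partitions in the Configuration partition, plus nTMixedDomain on the domain head (which separates Windows 2000 mixed from Windows 2000 native at level 0), and maps them to the names used in this article. It assumes PowerShell 2.0 or later on a domain-joined host that can reach a domain controller; the function names are my own.

```powershell
# Added example: decode the current domain and forest functional levels.
# Not from the original article. Assumes a domain-joined host and
# PowerShell 2.0+ with the [ADSI] type accelerator available.

function ConvertTo-DomainLevelName {
    # Map msDS-Behavior-Version (level) and nTMixedDomain (mixed flag) of the
    # domain head object to the names used by AD Domains and Trusts.
    param([int]$Level, [int]$Mixed)
    switch ($Level) {
        0 { if ($Mixed -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "Unknown level $Level (newer than Windows Server 2003)" }
    }
}

function ConvertTo-ForestLevelName {
    # msDS-Behavior-Version on CN=Partitions,CN=Configuration,... holds the
    # forest level; there is no mixed/native distinction at forest scope.
    param([int]$Level)
    switch ($Level) {
        0 { 'Windows 2000' }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "Unknown level $Level (newer than Windows Server 2003)" }
    }
}

function Get-AttributeAsInt {
    # Return a single-valued integer attribute, treating "absent" as 0,
    # which is how a Windows 2000-level object without the attribute behaves.
    param([System.DirectoryServices.DirectoryEntry]$Entry, [string]$Name)
    $value = $Entry.Properties[$Name].Value
    if ($null -eq $value) { return 0 }
    return [int]$value
}

function Get-FunctionalLevels {
    # Bind to RootDSE to discover the naming contexts, then read the three
    # attributes that define the levels. Any authenticated user can read them.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = $rootDse.Properties['defaultNamingContext'].Value
    $configNC = $rootDse.Properties['configurationNamingContext'].Value

    $domainHead = [ADSI]"LDAP://$domainNC"
    $partitions = [ADSI]"LDAP://CN=Partitions,$configNC"

    $domainLevel = Get-AttributeAsInt $domainHead 'msDS-Behavior-Version'
    $mixedFlag   = Get-AttributeAsInt $domainHead 'nTMixedDomain'
    $forestLevel = Get-AttributeAsInt $partitions 'msDS-Behavior-Version'

    New-Object PSObject -Property @{
        Domain           = $domainNC
        DomainLevelValue = $domainLevel
        DomainLevel      = ConvertTo-DomainLevelName $domainLevel $mixedFlag
        ForestLevelValue = $forestLevel
        ForestLevel      = ConvertTo-ForestLevelName $forestLevel
    }
}

Get-FunctionalLevels | Format-List
```

    Reading the raw attributes is also the quickest way to confirm what a forest you did not build is really at, since a freshly promoted Windows Server 2003 domain controller in a Windows 2000 forest still reports level 0 on both objects.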

    Forest Functional Level

    Forest functionality activates features across all the domains in your forest. The three forest functional levels, the corresponding features, and their supported domain controllers are listed below.

    Windows 2000 (default)

    Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003

    New features: Partial list includes universal group caching, application partitions, install from media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access Control Lists (SACL) in the Jet database engine, and improved topology generation event logging. There is no global catalog full sync when attributes are added to the partial attribute set (PAS), and a Windows Server 2003 domain controller can assume the Intersite Topology Generator (ISTG) role.

    Windows Server 2003 interim

    Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from a Windows NT 4.0 Domain" section of this article.

    Activated features: Windows 2000 features plus efficient group member replication using linked value replication (membership changes replicate per member instead of as the whole member attribute, which removes the practical 5,000-member group limit and the lost update when two administrators change one group on different domain controllers), improved replication topology generation, and ISTG aliveness no longer replicated. Attributes added to the global catalog: ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit.

    Windows Server 2003

    Supported domain controllers: Windows Server 2003

    Activated features: all features in the interim level, defunct schema objects, cross-forest trust (forest trusts, created with SID filtering enabled by default), domain rename, dynamic auxiliary classes, InetOrgPerson objectClass change, application groups, and a 15-second intrasite replication frequency for Windows Server 2003 domain controllers upgraded from Windows 2000.

    After the forest functional level is raised, domain controllers that are running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server cannot be added to the forest.
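    Because the raise cannot be undone, and the directory only rejects the write once it trips over an unsupported domain controller, a practitioner wants an inventory of every domain controller's operating system before touching the forest level. The script below is an added example, not from the original article or from Microsoft's tools: it walks the nTDSDSA objects under CN=Sites (one per domain controller in the whole forest), follows each server object's serverReference to the computer account to read operatingSystem, and only if every domain controller reports Windows Server 2003 writes msDS-Behavior-Version=2 on CN=Partitions. It assumes PowerShell 2.0 or later, Enterprise Admins membership for the write, and that the write is directed at the schema master, which is where Active Directory Domains and Trusts performs the forest raise. The other precondition from the article, every domain at Windows 2000 native or higher, is enforced by the domain controller at write time, so a failed SetInfo() here is expected if a domain is still mixed. Function names and the -Force switch are my own.

```powershell
# Added example: inventory every DC's OS before raising the forest level to
# Windows Server 2003 (msDS-Behavior-Version = 2), then perform the
# irreversible write only when explicitly forced. Not from the original
# article. Assumes PowerShell 2.0+, a domain-joined host, and Enterprise
# Admins rights for the write itself.

function Get-ServerObject {
    # An nTDSDSA DN looks like "CN=NTDS Settings,CN=DC1,CN=Servers,...".
    # Its parent is the server object, which carries dNSHostName and a
    # serverReference to the DC's computer account.
    param([string]$NtdsDsaDn)
    $serverDn = $NtdsDsaDn -replace '^CN=NTDS Settings,', ''
    return [ADSI]"LDAP://$serverDn"
}

function Get-ForestDomainControllers {
    # Every DC in the forest has exactly one nTDSDSA object under CN=Sites in
    # the Configuration partition, so this enumerates DCs of all domains.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $server   = Get-ServerObject $result.Properties['distinguishedname'][0]
        $computer = [ADSI]"LDAP://$($server.Properties['serverReference'].Value)"
        New-Object PSObject -Property @{
            HostName        = [string]$server.Properties['dNSHostName'].Value
            OperatingSystem = [string]$computer.Properties['operatingSystem'].Value
            ServicePack     = [string]$computer.Properties['operatingSystemServicePack'].Value
        }
    }
}

function Get-DcsOlderThanWindowsServer2003 {
    # The forest level can only be raised to Windows Server 2003 when no DC is
    # older; return the offenders so the caller can print them.
    param($DomainControllers)
    $DomainControllers | Where-Object { $_.OperatingSystem -notlike 'Windows Server 2003*' }
}

function Set-ForestLevelWindowsServer2003 {
    # Writes msDS-Behavior-Version=2 on CN=Partitions via the schema master.
    # This is the same attribute the Domains and Trusts snap-in sets and it
    # cannot be lowered afterwards, hence the explicit -Force gate.
    param([switch]$Force)

    $dcs = @(Get-ForestDomainControllers)
    $old = @(Get-DcsOlderThanWindowsServer2003 $dcs)
    if ($old.Count -gt 0) {
        Write-Warning "Refusing to raise: $($old.Count) DC(s) are not Windows Server 2003:"
        $old | Format-Table HostName, OperatingSystem -AutoSize | Out-String | Write-Warning
        return
    }
    if (-not $Force) {
        Write-Host "All $($dcs.Count) DCs run Windows Server 2003. Re-run with -Force to raise the forest level (irreversible)."
        return
    }

    $rootDse    = [ADSI]'LDAP://RootDSE'
    $schemaNC   = $rootDse.Properties['schemaNamingContext'].Value
    $configNC   = $rootDse.Properties['configurationNamingContext'].Value
    # fSMORoleOwner on the schema head names the schema master's nTDSDSA object.
    $schemaHead = [ADSI]"LDAP://$schemaNC"
    $master     = Get-ServerObject $schemaHead.Properties['fSMORoleOwner'].Value
    $masterHost = [string]$master.Properties['dNSHostName'].Value

    $partitions = [ADSI]"LDAP://$masterHost/CN=Partitions,$configNC"
    $partitions.Put('msDS-Behavior-Version', 2)
    $partitions.SetInfo()
    Write-Host "Forest functional level raised to Windows Server 2003 on $masterHost."
}

Set-ForestLevelWindowsServer2003   # report only; add -Force to actually raise
```

    Run it first without -Force and keep the printed inventory with the change record: once the attribute is written, the list of domain controllers that existed at that moment is the evidence that the precondition in the Important note above was actually met.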

    Links

    Functional Levels Background Information

    Related Articles

    Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels

    Raising Windows Server 2008 Active Directory Domain and Forest Functional Levels

    Raise Domain Function Level in Windows Server 2003 Domains

    Raise Forest Function Level in Windows Server 2003 Active Directory