understanding function levels in windows server 2003 active directory

8/6/2019 Understanding Function Levels in Windows Server 2003 Active Directory

1/5

Understanding Function Levels in Windows Server 2003 ActiveDirectoryby Daniel Petri - January 8, 2009

Printer Friendly Version

Recommend 2,240 people recommend this. Be the first of your

friends.

What are the domain and forest function levels in a Windows Server 2003-basedActive Directory?

Functional levels are an extension of the mixed/native mode concept introduced in Windows 2000 to

activate new Active Directory features after all the domain controllers in the domain or forest are

running the Windows Server 2003 operating system.

When a computer that is running Windows Server 2003 is installed and promoted to a domain

controller, new Active Directory features are activated by the Windows Server 2003 operating

system over its Windows 2000 counterparts. Additional Active Directory features are available when

all domain controllers in a domain or forest are running Windows Server 2003 and the administrator

activates the corresponding functional level in the domain or forest.

To activate the new domain features, all domain controllers in the domain must be running Windows

Server 2003. After this requirement is met, the administrator can raise the domain functional level

to Windows Server 2003 (read Raise Domain Function Level in Windows Server 2003 Domains for

more info).

To activate new forest-wide features, all domain controllers in the forest must be running WindowsServer 2003, and the current forest functional level must be at Windows 2000 native or Windows

Server 2003 domain level. After this requirement is met, the administrator can raise the domain

functional level (read Raise Forest Function Level in Windows Server 2003 Active Directory for more

info).

Note: Network clients can authenticate or access resources in the domain or forest without being

affected by the Windows Server 2003 domain or forest functional levels. These levels only affect the

way that domain controllers interact with each other.

Important

Raising the domain and forest functional levels to Windows Server 2003 is a

nonreversible task and prohibits the addition of Windows NT 4.0based or

Windows 2000based domain controllers to the environment. Any existing

Windows NT 4.0 or Windows 2000based domain controllers in the

environment will no longer function. Before raising functional levels to take

advantage of advanced Windows Server 2003 features, ensure that you will

never need to install domain controllers running Windows NT 4.0 or Windows

2000 in your environment.

When the first Windows Server 2003based domain controller is deployed in a domain or forest, a

set of default Active Directory features becomes available. The following table summarizes the

Active Directory features that are available by default on any domain controller running Windows

Server 2003:


2/5

Feature Functionality

Multiple selection of user objectsAllows you to modify common attributes of multiple user

objects at one time.

Drag and drop functionality

Allows you to move Active Directory objects from

container to container by dragging one or more objects to

a location in the domain hierarchy. You can also add

objects to group membership lists by dragging one or

more objects (including other group objects) to the target

group.

Efficient search capabilities

Search functionality is object-oriented and provides an

efficient search that minimizes network traffic associated

with browsing objects.

Saved queriesAllows you to save commonly used search parameters for

reuse in Active Directory Users and Computers

Active Directory command-line toolsAllows you to run new directory service commands for

administration scenarios.

InetOrgPerson class

The inetOrgPerson class has been added to the base

schema as a security principal and can be used in the

same manner as the user class.

Application directory partitions

Allows you to configure the replication scope for

application-specific data among domain controllers. For

example, you can control the replication scope of Domain

Name System (DNS) zone data stored in Active Directory

so that only specific domain controllers in the forest

participate in DNS zone replication.

Ability to add additional domain

controllers by using backup media

Reduces the time it takes to add an additional domain

controller in an existing domain by using backup media.

Universal group membership caching

Prevents the need to locate a global catalog across a wide

area network (WAN) when logging on by storing universal

group membership information on an authenticating

domain controller.

Secure Lightweight Directory Access

Protocol (LDAP) traffic

Active Directory administrative tools sign and encrypt all

LDAP traffic by default. Signing LDAP traffic guarantees

that the packaged data comes from a known source and

that it has not been tampered with.

Partial synchronization of the global

catalog

Provides improved replication of the global catalog when

schema changes add attributes to the global catalog

partial attribute set. Only the new attributes arereplicated, not the entire global catalog.

Active Directory quotas

Quotas can be specified in Active Directory to control the

number of objects a user, group, or computer can own in

a given directory partition. Members of the Domain

Administrators and Enterprise Administrators groups are

exempt from quotas.

When the first Windows Server 2003based domain controller is deployed in a domain or forest, the

domain or forest operates by default at the lowest functional level that is possible in that

environment. This allows you to take advantage of the default Active Directory features while


3/5

running versions of Windows earlier than Windows Server 2003.

When you raise the functional level of a domain or forest, a set of advanced features becomesavailable. For example, the Windows Server 2003 interim forest functional level supports more

features than the Windows 2000 forest functional level, but fewer features than the Windows Server

2003 forest functional level supports. Windows Server 2003 is the highest functional level that is

available for a domain or forest. The Windows Server 2003 functional level supports the most

advanced Active Directory features; however, only Windows Server 2003 domain controllers can

operate in that domain or forest.

If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain

controllers that are running versions of Windows earlier than Windows Server 2003 into that

domain. This applies to the forest functional level as well.

Domain Functional LevelDomain functionality activates features that affect the whole domain and that domain only. The four

domain functional levels, their corresponding features, and supported domain controllers are as

follows:

Windows 2000 mixed (Default)

Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000, Windows Server

2003

Activated features: local and global groups, global catalog support

Windows 2000 nativeSupported domain controllers: Windows 2000, Windows Server 2003

Activated features: group nesting, universal groups, SidHistory, converting groups between

security groups and distribution groups, you can raise domain levels by increasing the forest

level settings

Windows Server 2003 interim

Supported domain controllers: Windows NT 4.0, Windows Server 2003

Supported features: There are no domain-wide features activated at this level. All domains in

a forest are automatically raised to this level when the forest level increases to interim. This

Manage Microsoft WindowsStreamline Windows Administration and

Management. Free 30-day Trialwww.systemtools.com


4/5

mode is only used when you upgrade domain controllers in Windows NT 4.0 domains to

Windows Server 2003 domain controllers.

Windows Server 2003

Supported domain controllers: Windows Server 2003

Supported features: domain controller rename, logon timestamp attribute updated and

replicated. User password support on the InetOrgPerson objectClass. Constrained delegation,you can redirect the Users and Computers containers.

Domains that are upgraded from Windows NT 4.0 or created by the promotion of a Windows Server

2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 domains

maintain their current domain functional level when Windows 2000 domain controllers are upgraded

to the Windows Server 2003 operating system. You can raise the domain functional level to either

Windows 2000 native or Windows Server 2003.

After the domain functional level is raised, domain controllers that are running earlier operating

systems cannot be introduced into the domain. For example, if you raise the domain functional level

to Windows Server 2003, domain controllers that are running Windows 2000 Server cannot be added

to that domain.

The following describes the domain functional level and the domain-wide features that are activated

for that level. Note that with each successive level increase, the feature set of the previous level is

included.

Forest Functional Level

Forest functionality activates features across all the domains in your forest. Three forest functional

levels, the corresponding features, and their supported domain controllers are listed below.

Windows 2000 (default)

Supported domain controllers: Windows NT 4.0, Windows 2000, Windows Server 2003

New features: Partial list includes universal group caching, application partitions, install from

media, quotas, rapid global catalog demotion, Single Instance Store (SIS) for System Access

Control Lists (SACL) in the Jet Database Engine, Improved topology generation event logging.

No global catalog full sync when attributes are added to the PAS Windows Server 2003 domain

controller assumes the Intersite Topology Generator (ISTG) role.

Windows Server 2003 interim

Supported domain controllers: Windows NT 4.0, Windows Server 2003. See the "Upgrade from

a Windows NT 4.0 Domain" section of this article.

Activated features: Windows 2000 features plus Efficient Group Member Replication usingLinked Value Replication, Improved Replication Topology Generation. ISTG Aliveness no longer

replicated. Attributes added to the global catalog. ms-DS-Trust-Forest-Trust-Info. Trust-

Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, ms-DS-Entry-Time-

To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory,

Print-Rate, Print-Rate-Unit

Windows Server 2003

Supported domain controllers: Windows Server 2003

Activated features: all features in Interim Level, Defunct schema objects, Cross Forest Trust,

Domain Rename, Dynamic auxiliary classes, InetOrgPerson objectClass change, Application


5/5

Groups, 15-second intrasite replication frequency for Windows Server 2003 domain controllers

upgraded from Windows 2000

After the forest functional level is raised, domain controllers that are running earlier operating

systems cannot be introduced into the forest. For example, if you raise forest functional levels to

Windows Server 2003, domain controllers that are running Windows NT 4.0 or Windows 2000 Server

cannot be added to the forest.

Links

Functional Levels Background Information

Related Articles

Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels

Raising Windows Server 2008 Active Directory Domain and Forest Functional Levels

Raise Domain Function Level in Windows Server 2003 Domains

Raise Forest Fuction Level in Windows Server 2003 Active Directory

AWS Privacy Policy | Site Info | Contact | Advertise 2011 Blue Whale Web Inc. |

understanding function levels in windows server 2003 active directory

Documents