Enabling Advanced Windows Server 2003 Active Directory Features
The Microsoft® Windows® Server 2003 Active Directory® directory service enables you to introduce advanced
features into your environment by raising the domain or forest functional level. You can raise the functional
level when all domain controllers in the domain or forest are running an appropriate version of Windows.
Raising the functional level allows you to introduce new features but also limits the versions of Windows that
can run on domain controllers in your environment.
In This Chapter
Overview of Enabling Advanced Active Directory Features .......... 206
Preparing to Enable Functional Levels .......... 214
Enabling Windows Server 2003 Active Directory Functional Levels .......... 217
Additional Resources .......... 225
Related Information
• For more information about domain and forest functional levels, see the Directory Services
Guide of the Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services
Guide on the Web at http://www.microsoft.com/reskit).
• For more information about enabling functional levels in a new Microsoft® Windows®
Server 2003 environment, see “Deploying the Windows Server 2003 Forest Root Domain” in
this book.
• For more information about enabling functional levels after upgrading from Microsoft®
Windows NT® 4.0, see “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active
Directory” in this book.
• For more information about enabling functional levels after upgrading from Microsoft®
Windows® 2000, see “Upgrading Windows 2000 Domains to Windows Server 2003 Domains”
in this book.
206 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Features
Note
For a list of the job aids that are available to assist you in enabling
functional levels, see “Additional Resources” later in this chapter.
Note
The functional level of a domain or forest defines only the set of
Windows operating systems that can run on domain controllers. It does
not define the client operating systems that are supported in the forest.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of default
Active Directory features becomes available. Table 5.1 summarizes the Active Directory features that are
available by default on any domain controller running Windows Server 2003.
Table 5.1 Default Windows Server 2003 Active Directory Features

Feature: Functionality

Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.

Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

Active Directory command-line tools: Allows you to run new directory service commands for administration scenarios.

InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.

Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.

Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.
For more information about the default Active Directory features that are available on any Windows
Server 2003 domain controller, see “New features for Active Directory” in Help and Support Center for
Windows Server 2003.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest, the domain or
forest operates by default at the lowest functional level that is possible in that environment. This allows you to
take advantage of the default Active Directory features while running versions of Windows earlier than
Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For
example, the Windows Server 2003 interim forest functional level supports more features than the
Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level
supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The
Windows Server 2003 functional level supports the most advanced Active Directory features; however, only
Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers
that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the
forest functional level as well.
Table 5.2 lists the Windows Server 2003 domain functional levels, the operating systems that they support, and
the Windows Server 2003 features that are available at each domain functional level.
Table 5.2 Windows Server 2003 Domain Functional Levels

Windows 2000 mixed
  Supported domain controller operating systems: Windows NT 4.0, Windows 2000, Windows Server 2003
  Advanced features available at this domain functional level: All default Active Directory features, and:
  • Universal groups are enabled for distribution groups, but are disabled for security groups.

Windows 2000 native
  Supported domain controller operating systems: Windows 2000, Windows Server 2003
  Advanced features available at this domain functional level: All default Active Directory features, all features from the Windows 2000 mixed domain functional level, and:
  • Universal groups are enabled for both distribution and security groups.
  • Group conversion is enabled, allowing conversion between security and distribution groups.
  • Group nesting is available, allowing nesting of groups within other groups.
  • Security identifier (SID) history is available, allowing the migration of security principals from one domain to another.

Windows Server 2003 interim
  Supported domain controller operating systems: Windows NT 4.0, Windows Server 2003
  Advanced features available at this domain functional level: Same as Windows 2000 mixed.

(continued)
Table 5.3 lists the Windows Server 2003 forest functional levels, the operating systems that they support, and
the Windows Server 2003 features that are available at each forest functional level.
Table 5.3 Windows Server 2003 Forest Functional Levels

Windows 2000
  Supported domain controller operating systems: Windows NT 4.0, Windows 2000, Windows Server 2003
  Advanced features available at this forest functional level: All default Active Directory features.

Windows Server 2003 interim
  Supported domain controller operating systems: Windows NT 4.0, Windows Server 2003
  Advanced features available at this forest functional level: All default Active Directory features, and:
  • Linked value replication.
  • Improved KCC algorithms and scalability.
  • The following attributes included in the global catalog: Ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, Ms-DS-Entry-Time-To-Die, MSMQ-Secured-Source, MSMQ-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit, MS-DRM-Identity-Certificate.

(continued)
Important
Raising the domain or forest functional level is a one-way operation
that cannot be reversed. If you need to revert to a lower functional
level, you must rebuild the domain or forest or restore it from a
backup. For more information about domain and forest recovery, see the
Best Practices: Active Directory Forest Recovery link on the Web
Resources page at http://www.microsoft.com/windows/reskits/webresources.
When you raise the forest functional level to Windows Server 2003, Active Directory automatically raises all
domains that are operating at the Windows 2000 native domain functional level to the Windows Server 2003
domain functional level. However, if any domains in your environment are operating at the Windows 2000
mixed domain functional level, you cannot raise the forest functional level to Windows Server 2003.
For more information about raising functional levels, see “Raising domain and forest functional levels” in Help
and Support Center for Windows Server 2003.
Important
If you choose to raise the forest and domain functional level to
Windows Server 2003 interim, you cannot return to the Windows 2000
mixed domain functional level or the Windows 2000 forest functional
level, and therefore you cannot add Windows 2000–based domain
controllers to the forest.
For more information about deploying Windows Server 2003 in a Windows NT 4.0 environment, see
“Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
If you intend to add one or more Windows 2000–based domain controllers instead of having only domain
controllers running Windows Server 2003 in your environment, see “Enabling Windows Server 2003 Functional
Levels in a Mixed Windows 2000 Forest” later in this chapter.
Important
If you are running Windows NT 4.0 or Windows 2000 domain
controllers in your environment, do not raise the functional level of your
domain or forest to Windows Server 2003. You cannot operate at the
Windows Server 2003 functional level until all of your domain
controllers are running Windows Server 2003.
Windows 2000 Active Directory group replication limits the size of groups in a Windows 2000 forest. You must
divide groups that include more than 5,000 members into smaller groups when you upgrade to Windows 2000.
The Windows Server 2003 interim forest functional level is ideal if the groups in any domains in your existing
Windows NT 4.0 environment include more than 5,000 members. When you are operating at the Windows
Server 2003 interim functional level, you can take advantage of group membership replication improvements,
which support large groups of more than 5,000 members.
When upgrading your Windows NT 4.0 environment to Windows Server 2003, you can choose to do one of the
following:
• Upgrade to a regional domain in an existing Windows Server 2003 forest.
• Upgrade to a single domain forest.
Whether you decide to upgrade to a regional domain in an existing Windows Server 2003 forest or upgrade to a
single domain forest, if you choose to raise the forest functional level to Windows Server 2003 interim, you
must remain at the Windows Server 2003 interim functional level until you upgrade all other Windows NT 4.0–
based domain controllers to Windows Server 2003 or retire them from service. The Windows Server 2003
interim functional level supports both Windows NT 4.0–based domain controllers and Windows Server 2003–
based domain controllers.
If you are deploying a new Windows Server 2003 forest root domain and are planning to upgrade a
Windows NT 4.0 domain to a regional domain in this new environment, after you raise the forest functional
level to Windows Server 2003 interim, upgrade the Windows NT 4.0 domain to Windows Server 2003. Select
Child domain in an existing domain tree when prompted by the Active Directory Installation Wizard.
For more information about deploying a Windows Server 2003 forest root domain, see “Deploying the Windows
Server 2003 Forest Root Domain” in this book.
Important
If you do not set the functional level to Windows Server 2003 interim
during the Active Directory installation process, functional levels are set
by default to the following:
• Windows 2000 forest functional level
• Windows 2000 mixed domain functional level
Use ADSI Edit, as described in the preceding procedure, to manually
raise the forest functional level to Windows Server 2003 interim after
the Active Directory installation process is complete and the computer
has restarted.
WARNING
If Windows NT 4.0–based domain controllers are running in a domain
when you raise the domain functional level to Windows Server 2003,
they will no longer be able to communicate with the new Windows
Server 2003 domain controllers and will not receive necessary
updates.
Use the following LDAP query to identify any Windows NT 4.0 domain controllers remaining in the domain.
Run the LDAP query against the Domain container in Active Directory Users and Computers. If you have not
manually changed the value of the operatingSystemVersion attribute of the computer object, this query is
conclusive for domain controllers running Windows NT 4.0. You must be a member of the Domain Admins
group to run the following query.
To identify Windows NT 4.0–based domain controllers in a domain
1. From any Windows Server 2003–based domain controller, open Active Directory Users and
Computers.
2. If the domain controller is not already connected to the appropriate domain, connect it to the
domain as follows:
a. Right-click the current domain object, and then click Connect to domain.
b. In the Domain dialog box, type the DNS name of the domain that you want to connect to,
or click Browse to select the domain from the domain tree, and then click OK.
3. Right-click the domain object, and then click Find.
4. In the Find dialog box, click Custom Search.
5. Click the domain for which you want to change the functional level.
6. Click the Advanced tab.
7. In the Enter LDAP query box, type the following, leaving no spaces between any characters
(the query is not case-sensitive):
(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))
8. Click Find Now. This produces a list of the computers in the domain that are running
Windows NT 4.0 and functioning as domain controllers.
A domain controller might appear in the list for any of the following reasons:
• The domain controller is running Windows NT 4.0 and must be upgraded.
• The domain controller has been upgraded to Windows Server 2003, but the change has not
replicated to the target domain controller.
• The domain controller is no longer in service, but its computer object has not been removed
from the domain.
Before you can change the domain functional level to Windows Server 2003, you must physically locate any
domain controller in the list, determine its current status, and either upgrade or remove the domain controller as
appropriate.
For more information about LDAP queries, see the Directory Services Guide of the Windows Server 2003
Resource Kit (or see the Directory Services Guide on the Web at http://www.microsoft.com/reskit).
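To show what each clause of the query above actually tests, the following added example (not from the chapter, and not a Microsoft tool) evaluates the same filter offline against constructed computer objects. The userAccountControl bit values are the standard ones; the constant names and sample entries are assumptions made for the example.

```python
# The chapter's query, clause by clause:
#   (&(objectCategory=computer)                         computer objects only
#     (operatingSystemVersion=4*)                       version string starts with "4"
#     (userAccountControl:1.2.840.113556.1.4.803:=8192)) bitwise AND rule: DC bit set
SERVER_TRUST_ACCOUNT = 0x2000       # 8192: userAccountControl bit marking a DC account
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: an ordinary member computer
TRUSTED_FOR_DELEGATION = 0x80000    # also set on DC accounts, so "=8192" alone would miss them
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # the OID used in the query

# Constructed sample entries (not from any real directory). objectCategory is a
# DN in a real directory; the short form the query uses resolves to that DN.
SAMPLE_COMPUTERS = [
    {"cn": "NT4PDC", "objectCategory": "computer", "operatingSystemVersion": "4.0",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"cn": "NT4BDC-RETIRED", "objectCategory": "computer",  # stale object, machine is gone
     "operatingSystemVersion": "4.0", "userAccountControl": SERVER_TRUST_ACCOUNT},
    {"cn": "NT4WKS", "objectCategory": "computer",  # NT 4.0 but not a domain controller
     "operatingSystemVersion": "4.0", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"cn": "W2KDC", "objectCategory": "computer",
     "operatingSystemVersion": "5.0 (2195)", "userAccountControl": SERVER_TRUST_ACCOUNT},
    {"cn": "WS2003DC", "objectCategory": "computer",
     "operatingSystemVersion": "5.2 (3790)", "userAccountControl": SERVER_TRUST_ACCOUNT},
]

def bit_and_match(value, mask):
    """attr:1.2.840.113556.1.4.803:=mask holds when every bit of mask is set in value."""
    return value & mask == mask

def prefix_match(value, pattern):
    """LDAP substring filter 'prefix*'; Active Directory compares case-insensitively."""
    if not pattern.endswith("*"):
        raise ValueError("only trailing-wildcard patterns are modelled here")
    return value.lower().startswith(pattern[:-1].lower())

def is_nt4_domain_controller(obj):
    """AND of the three clauses in the chapter's query."""
    return (obj.get("objectCategory", "").lower() == "computer"
            and prefix_match(obj.get("operatingSystemVersion", ""), "4*")
            and bit_and_match(obj.get("userAccountControl", 0), SERVER_TRUST_ACCOUNT))

def find_nt4_domain_controllers(entries):
    """Names the query would list. Each hit still needs a person to decide whether the
    DC must be upgraded, was upgraded but has not replicated yet, or is a stale object."""
    return sorted(e["cn"] for e in entries if is_nt4_domain_controller(e))

if __name__ == "__main__":
    for name in find_nt4_domain_controllers(SAMPLE_COMPUTERS):
        print("possible Windows NT 4.0 domain controller:", name)
```

The retired BDC's stale object is listed alongside the live PDC, which is why the chapter has you locate every listed machine before changing the functional level.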
If the domain functional level is set to Windows 2000 native after the initial upgrade, the domain must remain at
that level for as long as Windows 2000–based domain controllers are operating in the domain.
Note
This also applies to Windows NT 4.0 environments in which you intend
to deploy one or more Windows 2000 domain controllers in the future.
After the initial upgrade, the domain must remain at a functional level of
Windows 2000 mixed.
After you upgrade all Windows 2000–based domain controllers to Windows Server 2003, you can raise the
functional levels of the domains in the forest to Windows Server 2003. Before you raise the domain functional
level, you must verify that no Windows NT 4.0–based domain controllers remain in the domain. For more
information about identifying Windows NT 4.0–based domain controllers in a domain, see “Enabling Windows
Server 2003 Functional Levels in a Windows NT 4.0 Environment” earlier in this chapter.
If all domain controllers in the domain are running Windows Server 2003, you can raise the domain functional
level from Windows 2000 mixed to Windows Server 2003 directly. Alternatively, you can raise the functional
level step by step — from Windows 2000 mixed to Windows 2000 native and then to Windows Server 2003.
After you upgrade all domain controllers in the forest to Windows Server 2003 and raise all domains to the
Windows 2000 native or Windows Server 2003 functional level, you can raise the forest functional level to
Windows Server 2003. This automatically raises the functional level of any remaining domains that are
operating at the Windows 2000 native functional level to Windows Server 2003.
Functional levels are set by default to the following levels, and they remain at these levels until they are raised
manually:
• Windows 2000 native domain functional level
• Windows 2000 forest functional level
Note
If your Windows 2000 forest consists solely of Windows 2000–based
domain controllers, but one or more of your domains are operating in
mixed mode, see “Enabling Windows Server 2003 Functional Levels in
a Mixed Windows 2000 Environment” earlier in this chapter.
To take advantage of the Windows Server 2003 domain-level features without waiting to complete the upgrade
of your Windows 2000 forest to Windows Server 2003, raise only the domain functional level to Windows
Server 2003. Before you raise the domain functional level, you must upgrade all Windows 2000–based domain
controllers in the domain to Windows Server 2003.
After you upgrade all Windows 2000–based domain controllers in the forest to Windows Server 2003, make
sure that the domain functional level of each domain is set to Windows 2000 native or higher. Then raise the
forest functional level to Windows Server 2003. Raising the forest functional level to Windows Server 2003
automatically raises the functional level of all domains in the forest that are set to Windows 2000 native or
higher to Windows Server 2003.
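The raise rules stated in this section and in "Preparing to Enable Functional Levels" (raises are one-way, each level tolerates only certain domain controller operating systems, a Windows 2000 mixed domain blocks raising the forest to Windows Server 2003, and that forest raise pulls the other domains up) as a pre-flight check; this is an added example, not a Microsoft tool or code from the chapter, and the forest inventory it runs against is constructed. It treats Windows Server 2003 interim domains as raised by the forest raise as well, which the chapter's "Windows 2000 native or higher" wording covers.

```python
from dataclasses import dataclass
# Domain controller operating systems each level tolerates (Tables 5.2 and 5.3).
DOMAIN_OS_ALLOWED = {
    "Windows 2000 mixed": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows 2000 native": {"Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}
FOREST_OS_ALLOWED = {
    "Windows 2000": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}
# Raise paths the chapter describes; raising is one-way, so nothing points down.
DOMAIN_RAISES = {
    "Windows 2000 mixed": {"Windows 2000 native", "Windows Server 2003 interim", "Windows Server 2003"},
    "Windows 2000 native": {"Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows Server 2003"},
    "Windows Server 2003": set(),
}
FOREST_RAISES = {
    "Windows 2000": {"Windows Server 2003 interim", "Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows Server 2003"},
    "Windows Server 2003": set(),
}

@dataclass
class Domain:
    name: str
    level: str
    dc_os: list  # operating system of every domain controller in the domain

def check_domain_raise(domain, target):
    """Reasons the raise would fail or strand DCs; an empty list means go ahead."""
    problems = []
    if target not in DOMAIN_RAISES[domain.level]:
        problems.append(f"{domain.name}: no one-way path from {domain.level} to {target}")
    bad = sorted({o for o in domain.dc_os if o not in DOMAIN_OS_ALLOWED[target]})
    if bad:
        problems.append(f"{domain.name}: DCs running {', '.join(bad)} cannot operate at {target}")
    return problems

def check_forest_raise(forest_level, domains, target):
    """Every DC in every domain must fit the target, and no domain may still be mixed."""
    problems = []
    if target not in FOREST_RAISES[forest_level]:
        problems.append(f"forest: no one-way path from {forest_level} to {target}")
    for d in domains:
        bad = sorted({o for o in d.dc_os if o not in FOREST_OS_ALLOWED[target]})
        if bad:
            problems.append(f"{d.name}: DCs running {', '.join(bad)} cannot operate in a {target} forest")
        if target == "Windows Server 2003" and d.level == "Windows 2000 mixed":
            problems.append(f"{d.name}: still Windows 2000 mixed; raise it to Windows 2000 native first")
    return problems

def raise_forest(forest_level, domains, target):
    problems = check_forest_raise(forest_level, domains, target)
    if problems:
        raise ValueError("; ".join(problems))
    if target == "Windows Server 2003":  # a WS2003 forest pulls native/interim domains up
        for d in domains:
            d.level = "Windows Server 2003"  # none are mixed at this point, so all are raised
    return target

def sample_forest():
    """Constructed forest (not from the chapter): root upgraded, regional domain lagging."""
    return "Windows 2000", [
        Domain("corp.example", "Windows 2000 native", ["Windows Server 2003", "Windows Server 2003"]),
        Domain("emea.corp.example", "Windows 2000 mixed", ["Windows 2000", "Windows Server 2003"]),
    ]
```

Running check_forest_raise on the sample reports both the lingering Windows 2000 domain controller and the mixed-mode regional domain; once those are fixed, raise_forest moves every domain to Windows Server 2003 in one step.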
After you create a forest root domain, the domain functional level for each additional domain that you add to the
Windows Server 2003 forest is set to Windows 2000 mixed.
Important
If the forest is operating at the Windows Server 2003 functional level,
and you attempt to install Active Directory on a Windows 2000–based
member server, the installation will fail. If you install Active Directory on
a Windows Server 2003–based member server in order to create a
new regional domain, the domain functional level is set to Windows
Server 2003.
After you deploy the new Windows Server 2003 forest and the domain functional level is set in all domains,
raise the domain functional level and then the forest functional level to Windows Server 2003. This enables you
to take advantage of all Windows Server 2003 forest- and domain-level features. Thereafter, all new domains
that you create are set at the Windows Server 2003 domain functional level.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• “Deploying the Windows Server 2003 Forest Root Domain” in this book.
• “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
• “Upgrading Windows 2000 Domains to Windows Server 2003 Domains” in this book.
• The Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory
Services Guide on the Web at http://www.microsoft.com/reskit) for more information about
Active Directory functional levels.
• Article 322692, “HOW TO: Raise the domain functional level in Windows Server 2003,” in the
Microsoft Knowledge Base for more information about raising functional levels. To find this
article, see the Microsoft Knowledge Base link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.
Related Tools
• ADSI Edit
The ADSI Edit tool (Adsiedit.exe) is a Microsoft Management Console snap-in that you can use
to edit objects in the Active Directory database. For more information about Adsiedit.exe, in
Help and Support Center for Windows Server 2003, click Tools, and then click Windows
Support Tools.
• LDP
LDP provides an interface to perform LDAP operations against Active Directory. For more
information about LDP, in Help and Support Center for Windows Server 2003, click Tools, and
then click Windows Support Tools.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set
search options. Under Help Topics, select the Search in title only check box.
• “New features for Active Directory” in Help and Support Center for Windows Server 2003 for
more information about the default Active Directory features that are available on any Windows
Server 2003 domain controller.
• “Raising domain and forest functional levels” in Help and Support Center for Windows
Server 2003 for more information about raising functional levels.
Related Job Aids
• “Domain Controller Assessment” (DSSPFL_1.doc) on the Windows Server 2003 Deployment
Kit companion CD (or see “Domain Controller Assessment” on the Web at
http://microsoft.com/reskit).