Raising the Roof on Domain Functional Levels - Page 2
Why Should You Raise the Domain Functional Level?
Perhaps the most commonly asked question about raising the domain functional level is: why? After all, if Active Directory, and thus the system, is working satisfactorily, why change anything? Before you can make this judgment, though, you need to understand what additional features and functions you would have at your disposal after raising the domain functional level.
Some of the additional features gained from raising the domain functional level may not immediately appear to be of value. However, if you like the idea of features such as universal security groups, you should definitely consider the upgrade. Universal security groups, which are only available on Windows 2000 Native or Windows Server 2003 domain functional levels, are very useful in large Active Directory deployments, as they allow you to more efficiently (from a replication viewpoint) nest groups across domains. However, in addition to universal groups, there are other benefits that come from raising the domain functional level, particularly to Windows Server 2003, such as the ability to control remote access via a group policy.
When Should You Raise the Domain Functional Level?
While the actual process of raising the domain functional level is straightforward, a number of factors must be considered before you perform the procedure. Not least of these is that once the domain functional level is raised, you cannot lower it again.
In addition, you need to be sure that all of the domain controllers on the network will support your chosen domain functional level. This might mean upgrading your Windows 2000 Server systems to Windows Server 2003 if you are looking to raise the domain functional level to Windows Server 2003.
You must also consider what additional servers you might add to the network in the future. For example, if you have four Windows Server 2003 domain controllers and decide to raise the domain functional level to Windows Server 2003, you will no longer be able to add a Windows 2000 Server domain controller to the network. Environments where this would happen may be scarce, but it’s worth considering nonetheless.
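Because the change cannot be reversed, it is worth listing every domain controller account and its operating system before raising the level. The following pre-flight check is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is installed and that a domain controller is reachable through it, and the variable and function names are illustrative.

```powershell
# Added example: pre-flight check before raising the domain functional level.
# Assumption: ActiveDirectory module (RSAT) is available on the admin workstation.
Import-Module ActiveDirectory

# Target level and the minimum operatingSystemVersion (major.minor) it requires.
# 5.2 = Windows Server 2003, 5.0 = Windows 2000 Server.
$TargetLevel  = 'Windows Server 2003'
$MinOsVersion = [version]'5.2'

function Get-DcOsVersion {
    param([string]$OperatingSystemVersion)
    # The attribute looks like "5.2 (3790)"; keep only the leading major.minor.
    if ($OperatingSystemVersion -match '^\s*(\d+)\.(\d+)') {
        return [version]"$($Matches[1]).$($Matches[2])"
    }
    return $null   # empty or unparsable: treated as a blocker, never as a pass
}

$domain = Get-ADDomain
Write-Host "Domain $($domain.DNSRoot) is currently at level: $($domain.DomainMode)"

# Select every account flagged SERVER_TRUST_ACCOUNT (0x2000 = 8192), i.e. each
# domain controller computer account, including older backup domain controllers.
$dcFilter = '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
$report = Get-ADComputer -LDAPFilter $dcFilter -Properties OperatingSystem, OperatingSystemVersion |
    ForEach-Object {
        $ver = Get-DcOsVersion $_.OperatingSystemVersion
        [pscustomobject]@{
            Name    = $_.Name
            OS      = $_.OperatingSystem
            Version = $ver
            Blocks  = ($null -eq $ver) -or ($ver -lt $MinOsVersion)
        }
    }

$report | Sort-Object Blocks -Descending | Format-Table -AutoSize

$blockers = @($report | Where-Object { $_.Blocks })
if ($blockers.Count -gt 0) {
    Write-Warning "$($blockers.Count) domain controller(s) do not support '$TargetLevel'. Upgrade or demote them first."
    exit 1
}
Write-Host "All $(@($report).Count) domain controllers support '$TargetLevel'. Raising the level cannot be undone."
```

A non-zero exit code means at least one domain controller would be left behind by the change, so the script can gate a change-control step.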
Forest Functional Levels
To add a twist to the domain functional level discussion, you should also be aware that there are forest functional levels as well. The forest functional level affects forest-wide features such as the ability to rename domains.
There are only three forest functional levels, namely Windows 2000, Windows Server 2003 Interim, and Windows Server 2003. The Windows 2000 forest functional level, like the Windows 2000 mixed domain functional level, supports Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers. The Windows Server 2003 Interim domain functional level is intended for use when you are upgrading Windows NT 4.0 domain controllers.
As you might expect, the Windows Server 2003 forest functional level is the highest level and only supports Windows Server 2003 domain controllers. Put simply, your Active Directory implementation is at its highest level when all of the domains and the forest are running at a Windows Server 2003 functional level.