Raising the Roof on Domain Functional Levels

By Drew Bird | Jan 13, 2004 | Print this Page
http://www.enterprisenetworkingplanet.com/netos/article.php/3298531/Raising-the-Roof-on-Domain-Functional-Levels.htm

For many administrators, domain functional levels on Windows Server 2003 are somewhat of an afterthought. Because the default domain functional level works adequately for most environments, the procedure for raising the domain functional level is seen as an unnecessary complication. In reality, the raising procedure is straightforward and the benefits gained can prove to be well worth the minimal investment in time required to perform the raising procedure.

In simple terms, the domain functional level dictates the implementation of Active Directory that is in use on your network. As you would expect, the higher the domain functional level, the more functionality that is available. In some cases, the additional functionality might be in the form of features, such as the ability to deactivate unnecessary attributes from the schema, that may not interest you all that much. In other cases, features like the ability to configure caller ID recognition for remote access users make the justification behind raising the domain functional level much clearer.

Domain functional levels are not a new concept in Active Directory, although in Windows 2000 Server they are referred to as ‛modes,’ and there are only two of them: Native and Mixed. Windows Server 2003 increases the number of domain functional levels available to four: Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim, and Windows Server 2003.

The default domain functional level for a newly installed Windows Server 2003 system is actually Windows 2000 mixed, even if it is the first and only Windows Server 2003 domain controller on the network. The Windows 2000 Mixed domain functional level is the most versatile, as it supports Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers. However, it also offers the lowest level of functionality.

In comparison, Windows 2000 Native supports Windows 2000 Server and Windows Server 2003 systems, and provides enhancements over the Windows 2000 Mixed domain functional level. You should use the Windows 2000 Native domain functional level if you intend to keep both Windows 2000 Server and Windows Server 2003 domain controllers on the network.

The Windows Server 2003 domain functional level only supports Windows Server 2003 domain controllers and offers the highest level of functionality. The Windows Server 2003 Interim domain functional level is only used when you are in the process of upgrading Windows NT 4.0 domain controllers to Windows Server 2003. One key consideration for the above information is that the domain functional level only affects domain controllers, not member (stand-alone) servers.

Page 2: Why Should You Raise the Domain Functional Level?

Why Should You Raise the Domain Functional Level?

Perhaps the most commonly asked question when discussing the issue of raising the domain functional levels is why? After all, if the Active Directory, and thus the system, is working satisfactorily, why change anything? Before you are able to make this judgment, though, you need to understand what additional features and functions you could have at your disposal by raising the domain functional level.

Some of the additional features gained from raising the domain functional level may not immediately appear to be of value. However, if you like the idea of features such as universal security groups, you should definitely consider the upgrade. Universal security groups, which are only available on Windows 2000 Native or Windows Server 2003 domain functional levels, are very useful in large Active Directory deployments, as they allow you to more efficiently (from a replication viewpoint) nest groups across domains. However, in addition to universal groups, there are other benefits that come from raising the domain functional level, particularly to Windows Server 2003, such as the ability to control remote access via a group policy.

When Should You Raise the Domain Functional Level?

While the actual process of raising the domain functional level is straightforward, a number of factors must be considered before you perform the procedure. Not least of these is that once the domain functional level is raised, you cannot then subsequently lower it.

In addition, you need to be sure that all of the domain controllers on the network will support your chosen domain functional level. This might mean upgrading your Windows 2000 Server systems to Windows Server 2003 if you are looking to raise the domain functional level to Windows Server 2003.

You must also consider what additional servers you might add to the network in the future. For example, if you have four Windows Server 2003 domain controllers and decide to raise the domain functional level to Windows Server 2003, you will not subsequently be able to add a Windows 2000 Server domain controller on the network in the future. Environments where this would happen may be scarce, but it’s worth considering nonetheless.

Forest Functional Levels

To add a twist to the domain functional level discussion, you should also be aware that there are forest functional levels as well. The forest functional level affects forest-wide features such as the ability to rename domains.

There are only three forest functional levels, namely Windows 2000, Windows Server 2003 Interim, and Windows Server 2003. The Windows 2000 forest functional level, like the Windows 2000 mixed domain functional level, supports Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers. The Windows Server 2003 Interim domain functional level is intended for use when you are upgrading Windows NT 4.0 domain controllers.

As you might expect, the Windows Server 2003 forest functional level is the highest level and only supports Windows Server 2003 domain controllers. Put simply, your Active Directory implementation is at its highest level when all of the domains and the forest are running at a Windows Server 2003 functional level.

Page 3: Raising the Domain Functional Level

Raising the Domain Functional Level

The actual process of raising the domain functional level is straightforward. From within the Active Directory Domains and Trusts MMC snap-in, select the domain icon. Then, right-click and select Raise Domain Functional Level. As with anything else Windows related, the process becomes almost self-explanatory after this point.

If you are operating at the default domain functional level (Windows 2000 Mixed), your choices will be either Windows 2000 Native or Windows Server 2003. Once your selection is made, a warning will appear noting that if you raise the domain functional level it cannot then be subsequently lowered.

Aside from acknowledging this one warning and reading a message concerning replication, there is little else for you to do. Of course, it goes without saying that a full backup of the server, Active Directory, and anything else you can put to a tape should be performed before the domain functional level is raised, just in case.

You should also ensure that network connectivity between all domain controllers in the domain is operational. Although any domain controller that is not online for the initial replication will be updated when it comes back online, ideally you want all of the domain controllers in the domain to be raised at the same time.

Raising the Forest Functional Level

Like raising the domain functional level, raising the forest functional level is also straightforward. In Open Active Directory Domains and Trusts, right-click Active Directory Domains and Trusts at the very top of the left pane, and then click Raise Forest Functional Level from the menu. From the Select an Available Forest Functional Level drop-down box, click Windows Server 2003, and then click Raise. As with the process of raising the domain functional level, a warning appears informing you that the raising process cannot be reversed.

If all domain controllers have been raised to the appropriate domain functional level, the forest functional level raising will proceed. If there are domain controllers in the forest that are not at a sufficiently high domain functional level for the forest upgrade, a report is generated so that you know which ones you will need to work on.

Once the raising of the domain functional and forest functional level is complete, there is nothing else to do except take advantage of the new features that your raising efforts will have made available to you.

» See All Articles by Columnist Drew Bird