Functional Levels Background Information
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Windows Server 2003 Active Directory functional levels expand on the mixed and native modes introduced in the Windows 2000 operating system. In Windows 2000, a mixed mode domain supports domain controllers running either Windows 2000 or the Windows NT 4.0 operating system. Domains in native mode only support Windows 2000–based domain controllers. If all domain controllers in a mixed mode domain are upgraded to Windows 2000, the domain administrator can change the mode to native, making additional Windows 2000 features available.
In Windows Server 2003, the functional level of a domain or forest defines the set of advanced Windows Server 2003 Active Directory features that are available in that domain or forest. The functional level of a domain or forest also defines the set of Windows operating systems that can run on the domain controllers in that domain or forest.
Note
- The functional level of a domain or forest defines only the set of Windows operating systems that can run on domain controllers. It does not define the client operating systems that are supported in the forest.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. Table 5.1 summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003.
Table 5.1 Default Windows Server 2003 Active Directory Features
Feature | Functionality |
---|---|
Multiple selection of user objects | Allows you to modify common attributes of multiple user objects at one time. |
Drag and drop functionality | Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group. |
Efficient search capabilities | Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects. |
Saved queries | Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers. |
Active Directory command-line tools | Allows you to run new directory service commands for administration scenarios. |
InetOrgPerson class | The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. |
Application directory partitions | Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication. |
Ability to add additional domain controllers by using backup media | Reduces the time it takes to add an additional domain controller in an existing domain by using backup media. |
Universal group membership caching | Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller. |
Secure Lightweight Directory Access Protocol (LDAP) traffic | Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. |
Partial synchronization of the global catalog | Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog. |
Active Directory quotas | Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas. |
For more information about the default Active Directory features that are available on any Windows Server 2003 domain controller, see "New features for Active Directory" in Help and Support Center for Windows Server 2003.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.
Table 5.2 lists the Windows Server 2003 domain functional levels, the operating systems that they support, and the Windows Server 2003 features that are available at each domain functional level.
Table 5.2 Windows Server 2003 Domain Functional Levels
Windows Server 2003 Domain Functional Level | Supported Domain Controller Operating Systems | Advanced Features Available at Each Domain Functional Level |
---|---|---|
Windows 2000 mixed | Windows NT 4.0, Windows 2000, Windows Server 2003 | All default Active Directory features, and: |
Windows 2000 native | Windows 2000, Windows Server 2003 | All default Active Directory features, all features from the Windows 2000 mixed domain functional level, and: |
Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 | Same as Windows 2000 mixed. |
Windows Server 2003 | Windows Server 2003 | All default Active Directory features, all features from the Windows 2000 native domain functional level, and: |
Table 5.3 lists the Windows Server 2003 forest functional levels, the operating systems that they support, and the Windows Server 2003 features that are available at each forest functional level.
Table 5.3 Windows Server 2003 Forest Functional Levels
Windows Server 2003 Forest Functional Level | Supported Domain Controller Operating Systems | Advanced Features Available at Each Forest Functional Level |
---|---|---|
Windows 2000 | Windows NT 4.0, Windows 2000, Windows Server 2003 | All default Active Directory features. |
Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 | All default Active Directory features, and: |
Windows Server 2003 | Windows Server 2003 | All Active Directory features available at the Windows Server 2003 interim level, and: |
Guidelines for Raising Domain Functional Levels
The following guidelines apply to raising the domain functional level:
- You must be a member of the Domain Admins group to raise the domain functional level.
- You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The Active Directory administrative tools used to raise the domain functional level (Active Directory Domains and Trusts and Active Directory Users and Computers) automatically target the PDC emulator when you raise the domain functional level.
- You can raise the functional level of a domain only if all domain controllers in the domain are running the version or versions of Windows that the new functional level supports.
- You cannot lower the functional level of a domain after it has been raised.
Guidelines for Raising Forest Functional Levels
The following guidelines apply to raising the forest functional level:
- You must be a member of the Enterprise Admins group to raise the forest functional level.
- You can raise the forest functional level on the schema operations master only. The Active Directory Domains and Trusts console automatically targets the schema operations master when you raise the forest functional level.
- You can raise the functional level of a forest only if all domain controllers in the forest are running the version or versions of Windows that the new functional level supports.
- You can raise the forest to the Windows Server 2003 functional level only if all domains are at either the Windows 2000 native or Windows Server 2003 functional level.
- You cannot lower the functional level of a forest after it has been raised.
Important
- Raising the domain and forest functional levels are one-way operations that cannot be reversed. In the event that you need to revert to a lower functional level, you need to rebuild the domain or forest or restore it from a backup. For more information about domain and forest recovery, see the Best Practices: Active Directory Forest Recovery link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
When you raise the forest functional level to Windows Server 2003, Active Directory automatically raises all domains that are operating at the Windows 2000 native domain functional level to the Windows Server 2003 domain functional level. However, if any domains in your environment are operating at the Windows 2000 mixed domain functional level, you cannot raise the forest functional level to Windows Server 2003.
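Because a raise cannot be reversed, it helps to evaluate the rules above against an inventory before making the change. The following is an added example, not part of the original documentation: it encodes the supported domain controller operating systems from Tables 5.2 and 5.3 and the forest guidelines as a pre-change check. The domain names, domain controller names and inventory structure are constructed sample data and assumptions of this example.

```python
# Added example: pre-change check built from the rules on this page.
# Supported DC operating systems per functional level (Tables 5.2 and 5.3).
NT4, W2K, WS03 = "Windows NT 4.0", "Windows 2000", "Windows Server 2003"
DOMAIN_LEVELS = {
    "Windows 2000 mixed": {NT4, W2K, WS03},
    "Windows 2000 native": {W2K, WS03},
    "Windows Server 2003 interim": {NT4, WS03},
    "Windows Server 2003": {WS03},
}
FOREST_LEVELS = {
    "Windows 2000": {NT4, W2K, WS03},
    "Windows Server 2003 interim": {NT4, WS03},
    "Windows Server 2003": {WS03},
}

# Constructed sample inventory (hypothetical names): domain -> level and DCs.
SAMPLE_FOREST = {
    "corp.example": {"level": "Windows 2000 native",
                     "dcs": {"DC1": WS03, "DC2": WS03}},
    "branch.corp.example": {"level": "Windows 2000 mixed",
                            "dcs": {"BR1": WS03, "BR2": W2K}},
}

def domain_blockers(dc_os, target):
    """Return the DCs whose OS the target domain functional level does not support."""
    allowed = DOMAIN_LEVELS[target]
    return sorted(dc for dc, os_name in dc_os.items() if os_name not in allowed)

def forest_raise_check(forest, target="Windows Server 2003"):
    """Return (ok, reasons, auto_raised) for raising the forest to `target`.

    auto_raised lists the Windows 2000 native domains that Active Directory
    raises automatically when the forest is raised to Windows Server 2003.
    """
    reasons, auto = [], []
    allowed = FOREST_LEVELS[target]
    for name, dom in sorted(forest.items()):
        # Every DC in the forest must run an OS the new level supports.
        for dc, os_name in sorted(dom["dcs"].items()):
            if os_name not in allowed:
                reasons.append(f"{name}: {dc} runs {os_name}")
        if target == "Windows Server 2003":
            # Every domain must already be at Windows 2000 native or higher.
            if dom["level"] not in ("Windows 2000 native", "Windows Server 2003"):
                reasons.append(f"{name}: domain level is {dom['level']}")
            elif dom["level"] == "Windows 2000 native":
                auto.append(name)
    ok = not reasons
    return ok, reasons, (auto if ok else [])

if __name__ == "__main__":
    print(forest_raise_check(SAMPLE_FOREST))
```

Any entry in the returned reasons list must be resolved before the raise is attempted, since the only way back is a rebuild or a restore from backup.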
For more information about raising functional levels, see "Raising domain and forest functional levels" in Help and Support Center for Windows Server 2003.