Domain and forest functionality
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain- or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available depending on your environment.
If all domain controllers in your domain or forest are running Windows Server 2003 and the functional level is set to Windows Server 2003, all domain- and forest-wide features are available. When Windows NT 4.0 or Windows 2000 domain controllers are included in your domain or forest with domain controllers running Windows Server 2003, Active Directory features are limited. For more information about how to enable domain- or forest-wide features, see Raising domain and forest functional levels.
The concept of enabling additional functionality in Active Directory exists in Windows 2000 with mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security ID (SID) history capabilities. When the domain is set to native mode, Universal security groups, group nesting, and SID history capabilities are available. Domain controllers running Windows 2000 Server are not aware of domain and forest functionality.
Domain functionality
Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level.
The following table lists the domain functional levels and their corresponding supported domain controllers.
Domain functional level | Domain controllers supported |
---|---|
Windows 2000 mixed (default) | Windows NT 4.0, Windows 2000, Windows Server 2003 family |
Windows 2000 native | Windows 2000, Windows Server 2003 family |
Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 family |
Windows Server 2003 | Windows Server 2003 family |
Once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.
The following table describes the domain-wide features that are enabled for three of the domain functional levels. For information about the Windows Server 2003 interim functional level, see Upgrading from a Windows NT domain.
Domain feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003 |
---|---|---|---|
Domain controller rename tool. For more information, see Renaming domain controllers. | Disabled | Disabled | Enabled |
Different location option for user and computer accounts. For more information about how to redirect the default location for user and computer accounts, see Redirect the Users and Computers Containers. | Disabled | Disabled | Enabled |
Update logon timestamp. For more information about the lastLogonTimestamp attribute, see User and computer accounts. | Disabled | Disabled | Enabled |
User password on InetOrgPerson object. For more information about InetOrgPerson objects, see User and computer accounts. | Disabled | Disabled | Enabled |
Universal Groups. For more information, see Group types and Group scope. | Enabled for distribution groups. Disabled for security groups. | Enabled. Allows both security and distribution groups. | Enabled. Allows both security and distribution groups. |
Group Nesting. For more information, see Nesting groups. | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting. | Enabled. Allows full group nesting. |
Converting Groups. For more information, see Converting groups. | Disabled. No group conversions allowed. | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups. |
SID history | Disabled | Enabled. Allows migration of security principals from one domain to another. | Enabled. Allows migration of security principals from one domain to another. |
Forest functionality
Forest functionality enables features across all the domains within your forest. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003. By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003.
The following table lists the forest functional levels and their corresponding supported domain controllers:
Forest functional level | Domain controllers supported |
---|---|
Windows 2000 (default) | Windows NT 4.0, Windows 2000, Windows Server 2003 family |
Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 family |
Windows Server 2003 | Windows Server 2003 family |
Once the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. For example, if you raise the forest functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to the forest.
If you are upgrading your first Windows NT 4.0 domain so that it becomes the first domain in a new Windows Server 2003 forest, you can set the domain functional level to Windows Server 2003 interim. For more information, see Upgrading from a Windows NT domain.
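The following PowerShell function is an added example and not code from the original article. It reads the domain and forest functional levels directly from Active Directory over ADSI (the msDS-Behavior-Version attribute on the domain head and on CN=Partitions, plus nTMixedDomain to separate Windows 2000 mixed from native) and decodes them into the level names used on this page, together with the access-control features the tables tie to each level. It assumes a domain-joined host and a user that can read those objects; the function name Get-AdFunctionalLevel is my own.

```powershell
# Added example, not code from the original article. Reads the functional levels
# that this page describes straight out of Active Directory over ADSI and decodes
# them. Assumes a domain-joined host and a user that can read the domain head and
# CN=Partitions under the Configuration container; RootDSE supplies both DNs.
function Get-AdFunctionalLevel {
    $rootDse    = [ADSI]"LDAP://RootDSE"
    $domainHead = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $partitions = [ADSI]("LDAP://CN=Partitions," + $rootDse.configurationNamingContext)

    # msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim,
    # 2 = Windows Server 2003. Windows 2000 domain controllers are unaware of the
    # attribute, so a missing value (cast to 0) means Windows 2000.
    $domainVersion = [int]$domainHead.Properties["msDS-Behavior-Version"].Value
    $forestVersion = [int]$partitions.Properties["msDS-Behavior-Version"].Value
    # nTMixedDomain on the domain head: 1 = Windows 2000 mixed, 0 = Windows 2000 native.
    $mixed = [int]$domainHead.Properties["nTMixedDomain"].Value

    $domainLevel = switch ($domainVersion) {
        0 { if ($mixed -eq 1) { "Windows 2000 mixed" } else { "Windows 2000 native" } }
        1 { "Windows Server 2003 interim" }
        2 { "Windows Server 2003" }
        default { "Unknown ($domainVersion)" }
    }
    $forestLevel = switch ($forestVersion) {
        0 { "Windows 2000" }
        1 { "Windows Server 2003 interim" }
        2 { "Windows Server 2003" }
        default { "Unknown ($forestVersion)" }
    }

    # Access-control features the tables on this page tie to each level. The interim
    # levels are not tabulated on this page, so they are reported as $null, not guessed.
    $domainNativeOrLater = if ($domainVersion -eq 1) { $null } else { ($domainVersion -ge 2) -or ($mixed -eq 0) }
    $forest2003 = if ($forestVersion -eq 1) { $null } else { $forestVersion -ge 2 }

    New-Object PSObject -Property @{
        DomainFunctionalLevel   = $domainLevel
        ForestFunctionalLevel   = $forestLevel
        UniversalSecurityGroups = $domainNativeOrLater
        SidHistory              = $domainNativeOrLater
        ForestTrusts            = $forest2003
        LinkedValueReplication  = $forest2003
    }
}

Get-AdFunctionalLevel | Format-List
```

A reported SidHistory of True means the domain accepts migrated principals carrying SID history, which is the case where SID filtering on inbound trusts deserves a check.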
The following table describes the forest-wide features that are enabled for the Windows 2000 and Windows Server 2003 forest functional levels.
Forest feature | Windows 2000 | Windows Server 2003 |
---|---|---|
Global catalog replication improvements. For more information, see Global catalog replication. | Enabled if both replication partners are running Windows Server 2003. Otherwise, disabled. | Enabled |
Defunct schema objects. For more information, see Deactivating a class or attribute. | Disabled | Enabled |
Forest trusts. For more information, see Forest trusts. | Disabled | Enabled |
Linked value replication. For more information, see How replication works. | Disabled | Enabled |
Domain rename. For more information, see Renaming domains. | Disabled | Enabled |
Improved Active Directory replication algorithms. For more information, see Replication overview. | Disabled | Enabled |
Dynamic auxiliary classes. For more information, see New features for Active Directory. | Disabled | Enabled |
InetOrgPerson objectClass change. For more information about InetOrgPerson objects, see User and computer accounts. | Disabled | Enabled |