
Chapter 5
Enabling Advanced Windows Server 2003 Active Directory Features
The Microsoft® Windows® Server 2003 Active Directory® directory service enables you to introduce advanced
features into your environment by raising the domain or forest functional level. You can raise the functional
level when all domain controllers in the domain or forest are running an appropriate version of Windows.
Raising the functional level allows you to introduce new features but also limits the versions of Windows that
can run on domain controllers in your environment.

In This Chapter
Overview of Enabling Advanced Active Directory Features ... 206
Preparing to Enable Functional Levels ... 214
Enabling Windows Server 2003 Active Directory Functional Levels ... 217
Additional Resources ... 225

Related Information
• For more information about domain and forest functional levels, see the Directory Services
Guide of the Microsoft® Windows® Server 2003 Resource Kit (or see the Directory Services
Guide on the Web at http://www.microsoft.com/reskit).
• For more information about enabling functional levels in a new Microsoft® Windows®
Server 2003 environment, see “Deploying the Windows Server 2003 Forest Root Domain” in
this book.
• For more information about enabling functional levels after upgrading from Microsoft®
Windows NT® 4.0, see “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active
Directory” in this book.
• For more information about enabling functional levels after upgrading from Microsoft®
Windows® 2000, see “Upgrading Windows 2000 Domains to Windows Server 2003 Domains”
in this book.
206 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Features

Overview of Enabling Advanced Active Directory Features
Functional levels in Windows Server 2003 Active Directory enable you to implement advanced features — such
as efficient group membership replication, deactivation and redefinition of attributes and classes in the schema,
and domain rename — that require that domain controllers within a domain or forest be running the Microsoft®
Windows® Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; or Windows®
Server 2003, Datacenter Edition operating systems. If you want to enable these advanced Windows Server 2003
Active Directory features in your organization, you must raise the domain and/or forest to the appropriate
functional level.
Before you can identify and enable the functional level that best meets the needs of your organization, you must
identify the Windows operating systems that you are currently running and that you plan to maintain in your
environment after you deploy Windows Server 2003.
If you are currently running Windows NT 4.0 and you do not plan to deploy Windows 2000 in your
environment, after you deploy the first Windows Server 2003–based domain controller, raise the forest
functional level to Windows Server 2003 interim to take advantage of the advanced features available at that
forest functional level.
If you are currently running both Windows 2000 and Windows NT 4.0 in your environment, after you deploy a
Windows Server 2003–based domain controller, keep the forest functional level set to Windows 2000. This
enables you to take advantage of all advanced features available at that forest functional level.
If you are currently running only Windows 2000 in your environment or you are planning to install any number
of Windows 2000–based domain controllers in the future, after you deploy a Windows Server 2003–based
domain controller, keep the forest functional level set to Windows 2000. This enables you to take advantage of
all advanced features available at that forest functional level.
If you are deploying a new Windows Server 2003 environment and plan to run only Windows Server 2003–
based domain controllers, after you deploy the first Windows Server 2003–based domain controller you can
raise the forest functional level to Windows Server 2003 to take advantage of all available Windows
Server 2003 Active Directory features.

Note
For a list of the job aids that are available to assist you in enabling
functional levels, see “Additional Resources” later in this chapter.
Additional Resources 207

Process for Enabling Advanced Active Directory Features
Enabling advanced Active Directory features involves identifying the operating systems that are
running on the domain controllers in your environment and the functional level that best meets the
needs of your organization based on your existing infrastructure, and raising the domain or forest
functional level as appropriate. Figure 5.1 shows the process for enabling advanced Active
Directory features.
Figure 5.1 Enabling Advanced Active Directory Features

Functional Levels Background Information
Windows Server 2003 Active Directory functional levels expand on the mixed and native modes introduced in
the Windows 2000 operating system. In Windows 2000, a mixed mode domain supports domain controllers
running either Windows 2000 or the Windows NT 4.0 operating system. Domains in native mode only support
Windows 2000–based domain controllers. If all domain controllers in a mixed mode domain are upgraded to
Windows 2000, the domain administrator can change the mode to native, making additional Windows 2000
features available.
In Windows Server 2003, the functional level of a domain or forest defines the set of advanced Windows
Server 2003 Active Directory features that are available in that domain or forest. The functional level of a
domain or forest also defines the set of Windows operating systems that can run on the domain controllers in
that domain or forest.

Note
The functional level of a domain or forest defines only the set of
Windows operating systems that can run on domain controllers. It does
not define the client operating systems that are supported in the forest.

When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of default
Active Directory features becomes available. Table 5.1 summarizes the Active Directory features that are
available by default on any domain controller running Windows Server 2003.
Table 5.1 Default Windows Server 2003 Active Directory Features

Multiple selection of user objects: Allows you to modify common attributes of multiple user objects at one time.

Drag and drop functionality: Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

Efficient search capabilities: Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

Saved queries: Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

Active Directory command-line tools: Allows you to run new directory service commands for administration scenarios.

InetOrgPerson class: The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.

Application directory partitions: Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

Ability to add additional domain controllers by using backup media: Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

Universal group membership caching: Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.

Secure Lightweight Directory Access Protocol (LDAP) traffic: Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

Partial synchronization of the global catalog: Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

Active Directory quotas: Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas.

For more information about the default Active Directory features that are available on any Windows
Server 2003 domain controller, see “New features for Active Directory” in Help and Support Center for
Windows Server 2003.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest, the domain or
forest operates by default at the lowest functional level that is possible in that environment. This allows you to
take advantage of the default Active Directory features while running versions of Windows earlier than
Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For
example, the Windows Server 2003 interim forest functional level supports more features than the
Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level
supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The
Windows Server 2003 functional level supports the most advanced Active Directory features; however, only
Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers
that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the
forest functional level as well.

Table 5.2 lists the Windows Server 2003 domain functional levels, the operating systems that they support, and
the Windows Server 2003 features that are available at each domain functional level.
Table 5.2 Windows Server 2003 Domain Functional Levels

Windows 2000 mixed
Supported domain controller operating systems: Windows NT 4.0, Windows 2000, Windows Server 2003.
Advanced features available: All default Active Directory features, and:
• Universal Groups are enabled for distribution groups, but are disabled for security groups.

Windows 2000 native
Supported domain controller operating systems: Windows 2000, Windows Server 2003.
Advanced features available: All default Active Directory features, all features from the Windows 2000 mixed domain functional level, and:
• Universal Groups are enabled for both distribution and security groups.
• Group conversion is enabled, allowing conversion between security and distribution groups.
• Group nesting is available, allowing nesting of groups within other groups.
• Security identifier (SID) history is available, allowing the migration of security principals from one domain to another.

Windows Server 2003 interim
Supported domain controller operating systems: Windows NT 4.0, Windows Server 2003.
Advanced features available: Same as Windows 2000 mixed.

Windows Server 2003
Supported domain controller operating systems: Windows Server 2003.
Advanced features available: All default Active Directory features, all features from the Windows 2000 native domain functional level, and:
• Supports new functionality of the netdom.exe tool to prepare domain controllers for rename. It is recommended that you rename a domain controller by using netdom.exe to ensure that all appropriate steps are taken.
• Enables updates to the logon timestamp attribute. The lastLogonTimestamp attribute is updated with the last logon time of the user or computer. This attribute is replicated within the domain.
• Provides the ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
• Provides the ability to redirect the Users and Computers containers in order to define a new well-known location for user and computer accounts.
• Allows Authorization Manager to store its authorization policies in Active Directory.
• Includes constrained delegation, which allows applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
• Supports selective authentication, by which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Table 5.3 lists the Windows Server 2003 forest functional levels, the operating systems that they support, and
the Windows Server 2003 features that are available at each forest functional level.
Table 5.3 Windows Server 2003 Forest Functional Levels

Windows 2000
Supported domain controller operating systems: Windows NT 4.0, Windows 2000, Windows Server 2003.
Advanced features available: All default Active Directory features.

Windows Server 2003 interim
Supported domain controller operating systems: Windows NT 4.0, Windows Server 2003.
Advanced features available: All default Active Directory features, and:
• Linked value replication.
• Improved KCC algorithms and scalability.
• The following attributes included in the global catalog: Ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, Ms-DS-Entry-Time-To-Die, MSMQ-Secured-Source, MSMQ-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit, MS-DRM-Identity-Certificate.

Windows Server 2003
Supported domain controller operating systems: Windows Server 2003.
Advanced features available: All Active Directory features available at the Windows Server 2003 interim level, and:
• The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain naming context.
• The ability to convert an inetOrgPerson object instance into a User object instance and vice versa.
• The ability to create instances of the new group types basic and query based, used by the role-based Authorization Manager.
• Deactivation and redefinition of attributes and classes in the schema.
• Forest trust.
• Domain rename.

Guidelines for Raising Domain Functional Levels
The following guidelines apply to raising the domain functional level:
• You must be a member of the Domain Admins group to raise the domain functional level.
• You can raise the domain functional level on the primary domain controller (PDC) emulator
operations master only. The Active Directory administrative tools used to raise the domain
functional level (Active Directory Domains and Trusts and Active Directory Users and
Computers) automatically target the PDC emulator when you raise the domain functional level.
• You can raise the functional level of a domain only if all domain controllers in the domain are
running the version or versions of Windows that the new functional level supports.
• You cannot lower the functional level of a domain after it has been raised.

Guidelines for Raising Forest Functional Levels
The following guidelines apply to raising the forest functional level:
• You must be a member of the Enterprise Admins group to raise the forest functional level.
• You can raise the forest functional level on the schema operations master only. The Active
Directory Domains and Trusts console automatically targets the schema operations master when
you raise the forest functional level.
• You can raise the functional level of a forest only if all domain controllers in the forest are
running the version or versions of Windows that the new functional level supports.
• You can raise the forest to the Windows Server 2003 functional level only if all domains are at
either the Windows 2000 native or Windows Server 2003 functional level.
• You cannot lower the functional level of a forest after it has been raised.

Important
Raising the domain or forest functional level is a one-way operation
that cannot be reversed. If you need to revert to a lower functional
level, you must rebuild the domain or forest or restore it from a
backup. For more information about domain and forest recovery,
see the Best Practices: Active Directory Forest Recovery link on the
Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.

When you raise the forest functional level to Windows Server 2003, Active Directory automatically raises all
domains that are operating at the Windows 2000 native domain functional level to the Windows Server 2003
domain functional level. However, if any domains in your environment are operating at the Windows 2000
mixed domain functional level, you cannot raise the forest functional level to Windows Server 2003.
For more information about raising functional levels, see “Raising domain and forest functional levels” in Help
and Support Center for Windows Server 2003.
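Tables 5.2 and 5.3 together with the two sets of guidelines reduce to a small set of checks that can be applied to a domain controller inventory of the kind the assessment worksheet later in this chapter collects. The following Python planner is an added example, not code from the Deployment Kit: the level names and the operating systems each level supports are taken from Tables 5.2 and 5.3, the "all domains at Windows 2000 native or Windows Server 2003" rule is the forest guideline above, and the upward-only raise paths and the msDS-Behavior-Version values 0 and 2 (the chapter itself only shows 1 for interim) are assumptions stated in the comments.

```python
"""Functional-level planner derived from Tables 5.2 and 5.3 and the raising guidelines
(added example; not part of the Windows Server 2003 Deployment Kit)."""
from typing import Dict, FrozenSet, List, Optional

NT4, W2K, W2K3 = "Windows NT 4.0", "Windows 2000", "Windows Server 2003"

# Table 5.2: each domain functional level and the operating systems its domain controllers may run.
DOMAIN_LEVELS: Dict[str, FrozenSet[str]] = {
    "Windows 2000 mixed": frozenset({NT4, W2K, W2K3}),
    "Windows 2000 native": frozenset({W2K, W2K3}),
    "Windows Server 2003 interim": frozenset({NT4, W2K3}),
    "Windows Server 2003": frozenset({W2K3}),
}
# Table 5.3: the same for forest functional levels.
FOREST_LEVELS: Dict[str, FrozenSet[str]] = {
    "Windows 2000": frozenset({NT4, W2K, W2K3}),
    "Windows Server 2003 interim": frozenset({NT4, W2K3}),
    "Windows Server 2003": frozenset({W2K3}),
}
# msDS-Behavior-Version on CN=Partitions: the chapter sets 1 for interim; 0 and 2 are the
# values Windows uses for the other two forest levels (assumption, not shown in the chapter).
FOREST_BEHAVIOR_VERSION: Dict[int, str] = {
    0: "Windows 2000", 1: "Windows Server 2003 interim", 2: "Windows Server 2003"}
# Raising is one-way, so only upward transitions exist (assumption: the raises the chapter
# names, listed lowest to highest; nothing leads back to a lower level).
DOMAIN_RAISES: Dict[str, List[str]] = {
    "Windows 2000 mixed": ["Windows 2000 native", "Windows Server 2003 interim", "Windows Server 2003"],
    "Windows 2000 native": ["Windows Server 2003"],
    "Windows Server 2003 interim": ["Windows Server 2003"],
    "Windows Server 2003": [],
}
FOREST_RAISES: Dict[str, List[str]] = {
    "Windows 2000": ["Windows Server 2003 interim", "Windows Server 2003"],
    "Windows Server 2003 interim": ["Windows Server 2003"],
    "Windows Server 2003": [],
}


def domain_level_options(current: str, dc_os: FrozenSet[str],
                         planned_os: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """For every level the domain could be raised to, list the operating systems that block it.
    dc_os: operating systems of the domain's existing DCs (from the assessment worksheet);
    planned_os: operating systems of DCs you still intend to add. Empty list = raise allowed."""
    needed = dc_os | planned_os
    return {level: sorted(needed - DOMAIN_LEVELS[level]) for level in DOMAIN_RAISES[current]}


def forest_level_options(current: str, domains: Dict[str, str], dc_os: FrozenSet[str],
                         planned_os: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Same for the forest. domains maps each domain name to its current domain functional level."""
    needed = dc_os | planned_os
    options: Dict[str, List[str]] = {}
    for level in FOREST_RAISES[current]:
        blockers = sorted(needed - FOREST_LEVELS[level])
        if level == "Windows Server 2003":
            # Guideline: every domain must be at Windows 2000 native or Windows Server 2003.
            # Native domains are raised automatically; mixed and interim domains block the raise.
            blockers += [f"{name} at {lvl}" for name, lvl in sorted(domains.items())
                         if lvl not in ("Windows 2000 native", "Windows Server 2003")]
        options[level] = blockers
    return options


def highest_reachable(options: Dict[str, List[str]]) -> Optional[str]:
    """Highest unblocked level (options are ordered lowest to highest), or None."""
    reachable = [level for level, blockers in options.items() if not blockers]
    return reachable[-1] if reachable else None


if __name__ == "__main__":
    # Constructed inventory: one domain, NT 4.0 BDCs still in service, no Windows 2000 planned.
    opts = domain_level_options("Windows 2000 mixed", frozenset({NT4, W2K3}))
    for level, blockers in opts.items():
        print(f"{level}: {'allowed' if not blockers else 'blocked by ' + ', '.join(blockers)}")
    print("raise to:", highest_reachable(opts))
```

The planner reproduces the decisions in the overview: an NT 4.0 environment with no Windows 2000 planned lands on Windows Server 2003 interim, an environment that still has (or plans) Windows 2000 domain controllers stays at Windows 2000 native, and a forest with a domain still at mixed or interim cannot go to Windows Server 2003 until that domain is raised first.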

Preparing to Enable Functional Levels
Before you can enable domain and forest functional levels, you need to evaluate your current environment and
identify the functional level scenario that best meets the needs of your organization. For a worksheet to assist
you in preparing to enable functional levels, see “Assess Your Current Environment” later in this chapter.
Figure 5.2 shows the process for preparing to enable functional levels.

Figure 5.2 Preparing to Enable Functional Levels

Assess Your Current Environment
Assess your current environment by identifying the domains in your forest, the domain controllers that are
located in each domain, the operating system that each domain controller is running, and the date that you plan
to upgrade the domain controller. If you plan to retire a domain controller, document the reasons for this
decision.
Circumstances that might prevent you from upgrading an earlier version of the Windows operating system and
enabling the Windows Server 2003 functional level include:
• Insufficient hardware
• A domain controller running an antivirus program that is incompatible with Windows
Server 2003
• Use of a version-specific program that does not run on Windows Server 2003
• The need to perform a Service Pack upgrade
Documenting this information will help you identify the steps that are required for you to achieve a fully
functional Windows Server 2003 environment.
For a worksheet to assist you in assessing your current environment, see “Domain Controller Assessment”
(DSSPFL_1.doc) on the Microsoft® Windows® Server 2003 Deployment Kit companion CD (or see “Domain
Controller Assessment” on the Web at http://www.microsoft.com/reskit). Complete a separate worksheet for
each domain, regardless of your forest structure.
Figure 5.3 shows an example of a completed worksheet for a domain assessment.

Figure 5.3 Example of a Domain Controller Assessment Worksheet

Identify Your Functional Level Scenario
After you assess your current environment, identify the functional level scenario — Windows NT 4.0
environment, Windows 2000 mixed-mode environment, Windows 2000 native-mode environment, or new
Windows Server 2003 forest — that applies to your organization.
Windows NT 4.0 environment: You have a pure Windows NT 4.0 environment consisting of one or more Windows NT 4.0 PDCs and backup domain controllers (BDCs). You want to upgrade directly to Windows Server 2003 and take advantage of all Windows Server 2003 forest- and domain-level features without deploying any Windows 2000 domain controllers in the environment.
Windows 2000 mixed mode environment: You have a mixed mode Windows 2000 domain that includes both Windows 2000 and Windows NT 4.0–based domain controllers. You want to upgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level features.
Windows 2000 native mode environment: You have a native mode Windows 2000 domain consisting of only Windows 2000–based domain controllers. You want to upgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level features.
New Windows Server 2003 forest: You are creating a new Windows Server 2003 forest by installing Active Directory on a Windows Server 2003–based member server. You want to take advantage of all Windows Server 2003 forest- and domain-level features.

Enabling Windows Server 2003 Active Directory Functional Levels
Enabling advanced Windows Server 2003 Active Directory features in your environment involves installing
Windows Server 2003 Active Directory, determining the functional level that is appropriate for your
environment, and then raising domain and forest functional levels to meet your requirements. If you choose to
raise your existing infrastructure to the Windows Server 2003 functional level, you can take advantage of all the
Windows Server 2003 Active Directory features that are available.
You can determine the current domain functional level by viewing the properties of the domain object in either
Active Directory Users and Computers or Active Directory Domains and Trusts. You can determine the current
forest functional level by using Active Directory Domains and Trusts to view the properties of the Active
Directory Domains and Trusts node.
To raise the forest functional level to Windows Server 2003, use Active Directory Domains and Trusts. To raise
the domain functional level to Windows Server 2003 or Windows 2000 native, use Active Directory Domains
and Trusts or Active Directory Users and Computers. For more information about how to view and raise domain
and forest functional levels, see “Raise the domain functional level” and “Raise the forest functional level” in
Help and Support Center for Windows Server 2003.
Figure 5.4 Enabling Windows Server 2003 Active Directory Functional Levels

Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0 Environment
If all of the domain controllers in your environment are running Windows NT 4.0, and you plan to upgrade them
to Windows Server 2003 without ever upgrading to Windows 2000 or installing a new Windows 2000–based
domain controller, maintain the Windows Server 2003 interim functional level in your domains and forest until
you upgrade all Windows NT 4.0 domain controllers to Windows Server 2003.

Important
If you choose to raise the forest and domain functional level to
Windows Server 2003 interim, you cannot return to the Windows 2000
mixed domain functional level or the Windows 2000 forest functional
level, and therefore you cannot add Windows 2000–based domain
controllers to the forest.

For more information about deploying Windows Server 2003 in a Windows NT 4.0 environment, see
“Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
If you intend to add one or more Windows 2000–based domain controllers instead of having only domain
controllers running Windows Server 2003 in your environment, see “Enabling Windows Server 2003 Functional
Levels in a Mixed Windows 2000 Forest” later in this chapter.

Important
If you are running Windows NT 4.0 or Windows 2000 domain
controllers in your environment, do not raise the functional level of your
domain or forest to Windows Server 2003. You cannot operate at the
Windows Server 2003 functional level until all of your domain
controllers are running Windows Server 2003.

Windows 2000 Active Directory group replication limits the size of groups in a Windows 2000 forest. You must
divide groups that include more than 5,000 members into smaller groups when you upgrade to Windows 2000.
The Windows Server 2003 interim forest functional level is ideal if the groups in any domains in your existing
Windows NT 4.0 environment include more than 5,000 members. When you are operating at the Windows
Server 2003 interim functional level, you can take advantage of group membership replication improvements,
which support large groups of more than 5,000 members.
When upgrading your Windows NT 4.0 environment to Windows Server 2003, you can choose to do one of the
following:
• Upgrade to a regional domain in an existing Windows Server 2003 forest.
• Upgrade to a single domain forest.

Whether you decide to upgrade to a regional domain in an existing Windows Server 2003 forest or upgrade to a
single domain forest, if you choose to raise the forest functional level to Windows Server 2003 interim, you
must remain at the Windows Server 2003 interim functional level until you upgrade all other Windows NT 4.0–
based domain controllers to Windows Server 2003 or retire them from service. The Windows Server 2003
interim functional level supports both Windows NT 4.0–based domain controllers and Windows Server 2003–
based domain controllers.

Upgrading to a Regional Domain in an Existing Windows Server 2003 Forest
When you upgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest,
it is recommended that you raise the forest functional level of the existing forest to Windows Server 2003
interim before upgrading the Windows NT 4.0 PDC to take advantage of the added features of the Windows
Server 2003 interim functional level. After you raise the forest functional level of the existing forest to Windows
Server 2003 interim, the domain functional level of the forest root domain and all subsequent regional domains
is set by default to Windows Server 2003 interim.
When you upgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest,
where the forest functional level is set to Windows 2000, functional levels are set in the new regional domain to
the following by default, and they remain in effect until you raise them manually:
• Windows 2000 mixed domain functional level
• Windows 2000 forest functional level
You cannot use Active Directory administrative consoles to raise the forest functional level of the existing
Windows Server 2003 forest root domain to Windows Server 2003 interim. Instead, use a Lightweight Directory
Access Protocol (LDAP) application such as ADSI Edit or LDP in Windows Support Tools to edit the value of
the msDS-Behavior-Version attribute.
To raise the forest functional level of the existing forest to Windows Server 2003
interim by using ADSI Edit
1. In ADSI Edit, expand the Configuration partition, and expand
CN=Configuration,DC=forestname,DC=domainname,DC=com.
2. Right-click CN=Partitions, and then click Properties.
3. Select the msDS-Behavior-Version attribute.
4. Click Edit.
5. In the Value field, type 1 to raise the forest functional level to Windows Server 2003 interim.
6. Click OK.
After you raise the forest functional level to Windows Server 2003 interim, you cannot add
Windows 2000–based domain controllers to the forest.

If you are deploying a new Windows Server 2003 forest root domain and are planning to upgrade a
Windows NT 4.0 domain to a regional domain in this new environment, after you raise the forest functional
level to Windows Server 2003 interim, upgrade the Windows NT 4.0 domain to Windows Server 2003. Select
Child domain in an existing domain tree when prompted by the Active Directory Installation Wizard.
For more information about deploying a Windows Server 2003 forest root domain, see “Deploying the Windows
Server 2003 Forest Root Domain” in this book.

Upgrading to a Single Domain Forest
When upgrading to a new Windows Server 2003 single domain forest by upgrading an existing
Windows NT 4.0 PDC to Windows Server 2003, you are prompted to use the Active Directory Installation
Wizard to install Active Directory. The wizard gives you the option of setting the forest functional level to
Windows Server 2003 interim during the Active Directory installation process.
If you set the functional level during the Active Directory installation, both the domain and forest will be set at
Windows Server 2003 interim after the installation process is complete and the computer is restarted.

Important
If you do not set the functional level to Windows Server 2003 interim
during the Active Directory installation process, functional levels are set
by default to the following:
• Windows 2000 forest functional level
• Windows 2000 mixed domain functional level
Use the preceding procedure to use ADSI Edit to manually raise the
forest functional level to Windows Server 2003 interim after the Active
Directory installation process is complete and the computer is
restarted.

Raise the Domain Functional Level to Windows Server 2003
After you upgrade all Windows NT 4.0–based domain controllers in a domain to Windows Server 2003, you can
raise the functional level of each domain in the forest to Windows Server 2003. Before you raise the domain
functional level, however, you must ensure that no Windows NT 4.0–based domain controllers remain in the
domain.

WARNING
If Windows NT 4.0–based domain controllers are running in a domain
when you raise the domain functional level to Windows Server 2003,
they will no longer be able to communicate with the new Windows
Server 2003 domain controllers and will not receive necessary
updates.

Use the following LDAP query to identify any Windows NT 4.0 domain controllers remaining in the domain.
Run the LDAP query against the Domain container in Active Directory Users and Computers. If you have not
manually changed the value of the operatingSystemVersion attribute of the computer object, this query is
conclusive for domain controllers running Windows NT 4.0. You must be a member of the Domain Admins
group to run the following query.
To identify Windows NT 4.0–based domain controllers in a domain
1. From any Windows Server 2003–based domain controller, open Active Directory Users and
Computers.
2. If the domain controller is not already connected to the appropriate domain, connect it to the
domain as follows:
a. Right-click the current domain object, and then click Connect to domain.
b. In the Domain dialog box, type the DNS name of the domain that you want to connect to,
or click Browse to select the domain from the domain tree, and then click OK.
3. Right-click the domain object, and then click Find.
4. In the Find dialog box, click Custom Search.
5. Click the domain for which you want to change the functional level.
6. Click the Advanced tab.
7. In the Enter LDAP query box, type the following, leaving no spaces between any characters
(the query is not case-sensitive):
(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))

8. Click Find Now. This produces a list of the computers in the domain that are running
Windows NT 4.0 and functioning as domain controllers.
A domain controller might appear in the list for any of the following reasons:
• The domain controller is running Windows NT 4.0 and must be upgraded.
• The domain controller has been upgraded to Windows Server 2003, but the change has not
replicated to the target domain controller.
• The domain controller is no longer in service, but its computer object has not been removed
from the domain.
Before you can change the domain functional level to Windows Server 2003, you must physically locate any
domain controller in the list, determine its current status, and either upgrade or remove the domain controller as
appropriate.
For more information about LDAP queries, see the Directory Services Guide of the Windows Server 2003
Resource Kit (or see the Directory Services Guide on the Web at http://www.microsoft.com/reskit).
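As an added illustration that is not part of the Deployment Kit, the following Python evaluates the same three filter terms offline against constructed computer objects. It shows why the bitwise matching rule 1.2.840.113556.1.4.803 with the value 8192 (SERVER_TRUST_ACCOUNT) selects domain controllers even though their userAccountControl normally carries other bits as well, and why a decommissioned NT 4.0 domain controller whose computer object was never removed still appears in the list. The object names, version strings and dict layout are assumptions.

```python
"""Offline walk-through of the chapter's LDAP filter for Windows NT 4.0 domain
controllers. Constructed example, not Deployment Kit code: the dicts stand in
for Active Directory computer objects."""
from fnmatch import fnmatchcase

# The query from the procedure, on one line.
NT4_DC_FILTER = ("(&(objectCategory=computer)(operatingSystemVersion=4*)"
                 "(userAccountControl:1.2.840.113556.1.4.803:=8192))")

SERVER_TRUST_ACCOUNT = 0x2000       # 8192: userAccountControl bit set on domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: member servers and workstations
TRUSTED_FOR_DELEGATION = 0x80000    # 524288: also set on DCs, so their UAC is 532480, not 8192

def bit_and_rule(attribute_value, asserted_value):
    """Matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND): true when
    every bit of the asserted value is set, whatever other bits are also present."""
    return (attribute_value & asserted_value) == asserted_value

def matches_nt4_dc_filter(computer):
    """Evaluate the three AND-ed terms of NT4_DC_FILTER against one object. A real
    directory stores objectCategory as the DN of the class-schema object and resolves
    the short name in the filter; the constructed objects use the short name directly."""
    return (computer.get("objectCategory", "").lower() == "computer"
            and fnmatchcase(computer.get("operatingSystemVersion", ""), "4*")
            and bit_and_rule(computer.get("userAccountControl", 0), SERVER_TRUST_ACCOUNT))

def find_nt4_domain_controllers(computers):
    """Names the Find dialog would list for this query, sorted."""
    return sorted(c["cn"] for c in computers if matches_nt4_dc_filter(c))

def make_computer(cn, version, uac):
    return {"cn": cn, "objectCategory": "computer",
            "operatingSystemVersion": version, "userAccountControl": uac}

# Constructed domain container part-way through an upgrade (hypothetical names).
SAMPLE_DOMAIN = [
    make_computer("NT4BDC01", "4.0 (1381)", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    make_computer("NT4BDC02", "4.0 (1381)", SERVER_TRUST_ACCOUNT),       # decommissioned, object never removed
    make_computer("NT4FILE01", "4.0 (1381)", WORKSTATION_TRUST_ACCOUNT),  # NT 4.0 member server, not a DC
    make_computer("W2KDC01", "5.0 (2195)", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    make_computer("W2K3DC01", "5.2 (3790)", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
]

if __name__ == "__main__":
    print(find_nt4_domain_controllers(SAMPLE_DOMAIN))  # ['NT4BDC01', 'NT4BDC02']
```

The query cannot tell a live NT 4.0 domain controller from a stale object, which is why the chapter has you physically locate each listed machine before acting.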

Raise the Forest Functional Level to Windows Server 2003


After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level to
Windows Server 2003. This enables you to take advantage of all Windows Server 2003 forest-level features.
If any domains in the forest are still operating at the Windows Server 2003 interim functional level, you will be
unable to raise the forest functional level to Windows Server 2003. Ensure that all domains are operating at the
Windows Server 2003 functional level before you raise the forest functional level.

Enabling Windows Server 2003 Functional Levels in a Mixed Windows 2000 Environment

If your Windows 2000 forest includes one or more domains that contain Windows NT 4.0–based domain
controllers, those domains are in Windows 2000 mixed mode. Domains that include only Windows 2000–based
domain controllers might be in Windows 2000 mixed mode or native mode. Functional levels in a mixed
Windows 2000 forest are set by default when you deploy the first Windows Server 2003–based domain
controller.
For more information about deploying Windows Server 2003 in a mixed Windows 2000 environment, see
“Upgrading Windows 2000 Domains to Windows Server 2003 Domains” in this book.
You can introduce a Windows Server 2003–based domain controller in a mixed environment in one of two
ways:
• By installing a new Windows Server 2003–based domain controller.
• By upgrading an existing Windows 2000 domain controller in the forest to Windows
Server 2003.
Functional levels are set at the following levels by default, and remain at these levels until they are raised
manually:
• Windows 2000 mixed or Windows 2000 native domain functional level, depending on whether
the domain was in mixed mode or native mode prior to the upgrade.
• Windows 2000 forest functional level.
If the domain functional level is set to Windows 2000 mixed after the initial upgrade, the domain must remain at
that level for as long as Windows NT 4.0–based domain controllers are in the domain. If you upgrade all
Windows NT 4.0–based domain controllers to either Windows 2000 or Windows Server 2003 and
decommission the Windows NT 4.0–based domain controllers that you do not intend to upgrade, you can raise
the domain functional level to Windows 2000 native.

If the domain functional level is set to Windows 2000 native after the initial upgrade, the domain must remain at
that level for as long as Windows 2000–based domain controllers are operating in the domain.

Note
This also applies to Windows NT 4.0 environments in which you intend
to deploy one or more Windows 2000 domain controllers in the future.
After the initial upgrade, the domain must remain at a functional level of
Windows 2000 mixed.

After you upgrade all Windows 2000–based domain controllers to Windows Server 2003, you can raise the
functional levels of the domains in the forest to Windows Server 2003. Before you raise the domain functional
level, you must verify that no Windows NT 4.0–based domain controllers remain in the domain. For more
information about identifying Windows NT 4.0–based domain controllers in a domain, see “Enabling Windows
Server 2003 Functional Levels in a Windows NT 4.0 Environment” earlier in this chapter.
If all domain controllers in the domain are running Windows Server 2003, you can raise the domain functional
level from Windows 2000 mixed to Windows Server 2003 directly. Alternatively, you can raise the functional
level step by step — from Windows 2000 mixed to Windows 2000 native and then to Windows Server 2003.
After you upgrade all domain controllers in the forest to Windows Server 2003 and raise all domains to the
Windows 2000 native or Windows Server 2003 functional level, you can raise the forest functional level to
Windows Server 2003. This automatically raises the functional level of any remaining domains that are
operating at the Windows 2000 native functional level to Windows Server 2003.

Enabling Windows Server 2003 Functional Levels in a Native Windows 2000 Environment

If the domains in your Windows 2000 forest include only Windows 2000 domain controllers and are in
Windows 2000 native mode, deploy a Windows Server 2003–based domain controller to enable functional
levels.
For more information about deploying Windows Server 2003 in a Windows 2000 environment, see “Upgrading
Windows 2000 Domains to Windows Server 2003 Domains” in this book.
In an environment that contains only domain controllers running Windows 2000, you can introduce a Windows
Server 2003–based domain controller in one of two ways:
• By installing a new Windows Server 2003–based domain controller.
• By upgrading an existing Windows 2000 domain controller in the forest to Windows
Server 2003.

Functional levels are set by default to the following levels, and they remain at these levels until they are raised
manually:
• Windows 2000 native domain functional level
• Windows 2000 forest functional level

Note
If your Windows 2000 forest consists solely of Windows 2000–based
domain controllers, but one or more of your domains are operating in
mixed mode, see “Enabling Windows Server 2003 Functional Levels in
a Mixed Windows 2000 Environment” earlier in this chapter.

To take advantage of the Windows Server 2003 domain-level features without waiting to complete the upgrade
of your Windows 2000 forest to Windows Server 2003, raise only the domain functional level to Windows
Server 2003. Before you raise the domain functional level, you must upgrade all Windows 2000–based domain
controllers in the domain to Windows Server 2003.
After you upgrade all Windows 2000–based domain controllers in the forest to Windows Server 2003, make
sure that the domain functional level of each domain is set to Windows 2000 native or higher. Then raise the
forest functional level to Windows Server 2003. Raising the forest functional level to Windows Server 2003
automatically raises the functional level of all domains in the forest that are set to Windows 2000 native or
higher to Windows Server 2003.

Enabling Windows Server 2003 Functional Levels in a New Windows Server 2003 Forest

After you have installed the first domain controller in a new Windows Server 2003 forest, functional levels are
set by default to the following levels, and remain at these levels until they are raised manually:
• Windows 2000 mixed domain functional level
• Windows 2000 forest functional level
Functional levels are set at these levels to allow you the option of adding Windows 2000 or
Windows NT 4.0–based domain controllers to your new Windows Server 2003 forest.

After you create a forest root domain, the domain functional level for each additional domain that you add to the
Windows Server 2003 forest is set to Windows 2000 mixed.

Important
If the forest is operating at the Windows Server 2003 functional level,
and you attempt to install Active Directory on a Windows 2000–based
member server, the installation will fail. If you install Active Directory on
a Windows Server 2003–based member server in order to create a
new regional domain, the domain functional level is set to Windows
Server 2003.

After you deploy the new Windows Server 2003 forest and the domain functional level is set in all domains,
raise the domain functional level and then the forest functional level to Windows Server 2003. This enables you
to take advantage of all Windows Server 2003 forest- and domain-level features. Thereafter, all new domains
that you create are set at the Windows Server 2003 domain functional level.
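The rules stated in the mixed Windows 2000, native Windows 2000 and new forest sections above (which domain controller operating systems each domain level tolerates, that a domain still at Windows 2000 mixed or Windows Server 2003 interim blocks the forest raise, and that raising the forest automatically raises domains at Windows 2000 native) as an added pre-flight model in Python. This is not Deployment Kit or Microsoft code; the domain names, domain controller names and dict layout are assumptions, and the authoritative check is the one the domain controller performs when you raise a level.

```python
# Constructed pre-flight check encoding this chapter's rules for raising
# functional levels. Illustrative model, not Microsoft tooling: the domain
# controller performs the real check when you raise a level.
OS_RANK = {"Windows NT 4.0": 4, "Windows 2000": 5, "Windows Server 2003": 6}
# Oldest domain controller operating system each domain functional level tolerates.
DOMAIN_LEVEL_MIN_OS = {
    "Windows 2000 mixed": "Windows NT 4.0",
    "Windows 2000 native": "Windows 2000",
    "Windows Server 2003 interim": "Windows NT 4.0",
    "Windows Server 2003": "Windows Server 2003",
}
FOREST_READY_LEVELS = ("Windows 2000 native", "Windows Server 2003")

def domain_raise_blockers(domain, target):
    """DCs to upgrade or remove before 'domain' can go to 'target' (empty = allowed).
    Mixed straight to Windows Server 2003 is fine once every DC runs Windows Server 2003."""
    min_rank = OS_RANK[DOMAIN_LEVEL_MIN_OS[target]]
    return sorted(dc for dc, os_name in domain["dcs"].items() if OS_RANK[os_name] < min_rank)

def raise_domain(domain, target):
    blockers = domain_raise_blockers(domain, target)
    if blockers:
        raise RuntimeError(f"{domain['name']}: upgrade or remove {blockers} first")
    domain["level"] = target

def raise_forest(domains):
    """Raise the forest to Windows Server 2003. Every DC must run Windows Server 2003 and
    every domain must be at Windows 2000 native or Windows Server 2003 (mixed or interim
    blocks it). Domains at Windows 2000 native are raised automatically and returned."""
    not_ready = [d["name"] for d in domains
                 if d["level"] not in FOREST_READY_LEVELS
                 or any(os_name != "Windows Server 2003" for os_name in d["dcs"].values())]
    if not_ready:
        raise RuntimeError(f"forest raise blocked by: {not_ready}")
    auto_raised = [d["name"] for d in domains if d["level"] == "Windows 2000 native"]
    for d in domains:
        d["level"] = "Windows Server 2003"
    return auto_raised

def sample_forest():
    """Constructed forest part-way through an upgrade; names are placeholders."""
    return [
        {"name": "corp.example", "level": "Windows 2000 native",
         "dcs": {"CORP-DC1": "Windows Server 2003", "CORP-DC2": "Windows Server 2003"}},
        {"name": "emea.corp.example", "level": "Windows 2000 mixed",
         "dcs": {"EMEA-DC1": "Windows Server 2003", "EMEA-BDC1": "Windows NT 4.0"}},
        {"name": "apac.corp.example", "level": "Windows Server 2003 interim",
         "dcs": {"APAC-DC1": "Windows Server 2003"}},
    ]
```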

Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• “Deploying the Windows Server 2003 Forest Root Domain” in this book.
• “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
• “Upgrading Windows 2000 Domains to Windows Server 2003 Domains” in this book.
• The Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory
Services Guide on the Web at http://www.microsoft.com/reskit) for more information about
Active Directory functional levels.
• Article 322692, “HOW TO: Raise the domain functional level in Windows Server 2003,” in the
Microsoft Knowledge Base for more information about raising functional levels. To find this
article, see the Microsoft Knowledge Base link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources.

Related Tools
• ADSI Edit
The ADSI Edit tool (Adsiedit.exe) is a Microsoft Management Console snap-in that you can use
to edit objects in the Active Directory database. For more information about Adsiedit.exe, in
Help and Support Center for Windows Server 2003, click Tools, and then click Windows
Support Tools.
• LDP
LDP provides an interface to perform LDAP operations against Active Directory. For more
information about LDP, in Help and Support Center for Windows Server 2003, click Tools, and
then click Windows Support Tools.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set
search options. Under Help Topics, select the Search in title only check box.
• “New features for Active Directory” in Help and Support Center for Windows Server 2003 for
more information about the default Active Directory features that are available on any Windows
Server 2003 domain controller.
• “Raising domain and forest functional levels” in Help and Support Center for Windows
Server 2003 for more information about raising functional levels.
Related Job Aids
• “Domain Controller Assessment” (DSSPFL_1.doc) on the Windows Server 2003 Deployment
Kit companion CD (or see “Domain Controller Assessment” on the Web at
http://microsoft.com/reskit).
