Domains can operate at three functional levels: Windows 2000 mixed, the default setting (which includes domain controllers running Windows 2000, Windows NT 4.0, and Windows Server 2003); Windows 2000 native (which includes domain controllers running Windows 2000 and Windows Server 2003); and Windows Server 2003 (which includes only domain controllers running Windows Server 2003).
Once all domain controllers are running on Windows Server 2003, you can raise the domain and forest functionality to Windows Server 2003 by opening Active Directory Domains And Trusts, right-clicking the domain for which you want to raise functionality, and then clicking Raise Domain Functional Level.
Note that once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.
Table 16-1 describes the domainwide features that are enabled for the corresponding domain functional level.
Domain Feature | Windows 2000 Mixed | Windows 2000 Native | Windows Server 2003 |
---|---|---|---|
Domain controller rename tool | Disabled | Disabled | Enabled |
Update logon time stamp | Disabled | Disabled | Enabled |
Kerberos KDC key version numbers | Disabled | Disabled | Enabled |
User password on InetOrgPerson object | Disabled | Disabled | Enabled |
Universal groups | Enabled for distribution groups. Disabled for security groups. | Enabled Allows both security and distribution groups. | Enabled Allows both security and distribution groups. |
Group nesting | Enabled for distribution groups. Disabled for security groups except for domain local security groups that can have global groups as members . | Enabled Allows full group nesting. | Enabled Allows full group nesting. |
Converting groups | Disabled No group conversions allowed. | Enabled Allows conversion between security groups and distribution groups. | Enabled Allows conversion between security groups and distribution groups. |
SID history | Disabled | Enabled Allows migration of security principals from one domain to another. | Enabled Allows migration of security principals from one domain to another. |
Top |