Recipe15.5.Raising the Functional Level


Recipe 15.5. Raising the Functional Level

Problem

You want to raise the functional level of a Windows Server 2003 domain or forest. You should raise the functional level of a domain as soon as possible after installing a new Windows Server 2003 domain or upgrading from Windows 2000 to take advantage of the new features and enhancements. Once all the domains in a forest are at the Windows Server 2003 functional level, you can raise the forest functional level.

Solution

Do the following to raise the functional level of a domain:

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, browse to the domain you want to raise, right-click it, and select Raise Domain Functional Level.

  3. Select the new functional level you want to set and click OK.

  4. After a few seconds you should see a message stating whether the operation was successful.

Using a command-line interface

To retrieve the current functional level of a domain, use the following command:

> dsquery * <DomainDN> -scope base -attr msDS-Behavior-Version

Or use the enumprop command found in the Windows 2000 Resource Kit:

> enumprop /ATTR:msDS-Behavior-Version "LDAP://<DomainDN>"

To change the functional level to Windows Server 2003, create an LDIF file called raise_domain_func_level.ldf with the following contents:

dn: <DomainDN> changetype: modify replace: msDS-Behavior-Version msDS-Behavior-Version: 2 -

Next, run the ldifde command to import the change:

> ldifde -i -f raise_domain_func_level.ldf

Using VBScript
' This code changes the functional level of the specified domain to  ' the Windows Server 2003 domain functional level ' ------ SCRIPT CONFIGURATION ------ strDomain = "<DomainDNSName>"   ' e.g., amer.rallencorp.com ' ------ END CONFIGURATION ---------     set objDomain = GetObject("LDAP://" & strDomain) objDomain.GetInfo if objDomain.Get("msDS-Behavior-Version") <> 2 then    Wscript.Echo "Changing domain to Windows Server 2003 functional level..."    objDomain.Put "msDS-Behavior-Version", 2    objDomain.SetInfo else    Wscript.Echo "Domain already at Windows Server 2003 functional level " end if

Do the following to raise the functional level of a forest:

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right-click on Active Directory Domains and Trusts and select Raise Forest Functional Level.

  3. Select Windows Server 2003 Functional Level and click OK.

  4. After a few seconds you should see a message stating whether the operation was successful.

Using a command-line interface

To retrieve the current forest functional level, use the following command:

> dsquery * <ForestRootDN> -scope base -attr msDS-Behavior-Version

Or use the enumprop command found in the Windows 2000 Resource Kit:

> enumprop /ATTR:msDS-Behavior-Version "LDAP://<ForestRootDN>"

To change the functional level to Windows Server 2003, create an LDIF file called raise_forest_func_level.ldf with the following contents:

dn: cn=partitions,cn=configuration,<ForestRootDN> changetype: modify replace: msDS-Behavior-Version msDS-Behavior-Version: 2 -

Next, run the ldifde command to import the change:

> ldifde -i -f raise_forest_func_level.ldf

Using VBScript
' This code changes the functional level of the forest the ' user running the script is logged into to Windows Server 2003.     set objRootDSE = GetObject("LDAP://RootDSE") set objDomain = GetObject("LDAP://cn=partitions," & _                            objRootDSE.Get("configurationNamingContext") ) if objDomain.Get("msDS-Behavior-Version") <> 2 then    Wscript.Echo "Attempting to change forest to " & _                 "Windows Server 2003 functional level..."    objDomain.Put "msDS-Behavior-Version", 2    objDomain.SetInfo else    Wscript.Echo "Forest already at Windows Server 2003 functional level" end if

Discussion

In Windows Server 2003 Active Directory, functional levels have replaced the domain mode that was used in Windows 2000 to signify what operating systems are allowed to run on the domain controllers in the domain. With Windows Server 2003, there are functional levels for both domains and forests, whereas with Windows 2000 the domain mode applied only to domains. But just as with domain modes, changing a functional level is a one-way operation. After you make the change, there is no reverting back (i.e., unless you restore the entire domain or forest).

The msDS-Behavior-Version attribute of the domainDNS object (e.g., dc=amer,dc=ral-lencorp,dc=com) holds the current domain functional level. Table 15-1 shows the three functional levels, their associated msDS-Behavior-Version values, and the operating systems that can be used on each's domain controllers.

Table 15-1. Windows Server 2003 functional levels

Functional level

msDS-Behavior-Version

Valid operating systems

Windows 2000

0

Windows 2000Windows NT (when in mixed mode)Windows Server 2003

Windows Server 2003 Interim

1

Windows NT 4.0Windows Server 2003

Windows Server 2003

2

Windows Server 2003


When a domain is at the Windows 2000 functional level, the domain can be in mixed mode or native mode. Various new features of Windows Server 2003 Active Directory are enabled with each domain functional level. See Chapter 1 of Active Directory (O'Reilly) for more details.

The value contained in msDS-Behavior-Version is mirrored in the domainFunctionality attribute of the RootDSE. That means you can perform anonymous queries against the RootDSE of a domain to quickly determine its current functional level.

One of the benefits of the GUI solution is that if a problem is encountered, you can save and view the output log generated from the snap-in, which will contain information on any errors that were encountered.


Windows Server 2003 forest functional levels are very similar to domain functional levels. In fact, Table 15-1 also applies to forest functional levels, except that the list of available operating systems applies to all domain controllers in the forest, not just a single domain. So even if just one of the domains in the forest is at the Windows 2000 domain functional level, you cannot raise the forest above the Windows 2000 forest functional level. If you attempt to do so, you will receive an error that the operation cannot be completed. After you raise the last Windows 2000 domain functional level to Windows Server 2003, you can then raise the forest functional level.

You may wonder why there is a need to differentiate between forest and domain functional levels. The primary reason is new features. Some new Windows Server 2003 Active Directory features require all domain controllers in the forest to run Windows Server 2003. To ensure all domain controllers are running a certain operating system throughout a forest, Microsoft had to apply the functional level concept to forests as well as domains. For more information on the new features that are available with each functional level, see Chapter 1 of Active Directory (O'Reilly).

The forest functional level is stored in the msDS-Behavior-Version attribute of the Partitions container in the Configuration NC. For example, in the rallencorp.com forest it would be stored in cn=partitions,cn=configuration,dc=rallencorp,dc=com. The value contained in msDS-Behavior-Version is mirrored to the forestFunctionality attribute of the RootDSE, which means you can find the functional level of the forest by querying the RootDSE.

See Also

Chapter 1 of Active Directory (O'Reilly), Recipe 15.14, and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net