You are probably familiar with the mixed and native modes of Active Directory in Microsoft Windows 2000. Mixed mode provides backward compatibility with NT 4.0 environments, where Backup Domain Controllers can exist and authenticate user logons. Promoting a Windows 2000 domain to native mode eliminates the use of Backup Domain Controllers and, in turn, provides additional Active Directory features such as Universal Groups. With Windows Server 2003, the concept of modes is augmented with the introduction of functional levels. Like Windows 2000 Active Directory modes, functional levels provide levels of backward compatibility for both Windows NT 4.0 and Windows 2000 domains. In Windows Server 2003, there are four domain functional levels and three forest functional levels. This section provides an overview of the Windows functional levels and their implications for administrative design and management.

Common Misunderstanding

There is a common misunderstanding that a native mode forest in Windows 2000 requires that all servers and workstations in the network be Windows 2000 or higher, and that an organization could not have Windows NT 4 servers or workstations, or Windows 9x workstations. This is a misunderstanding because a native mode forest in Windows 2000 only required that all domain controllers be Windows 2000. A native mode forest in Windows 2000 could have Windows NT 4 member servers, Windows NT 4 workstations, and Windows 9x workstations in the domain and still function properly.

Windows 2000 Mixed Domain Functional Level

The Windows 2000 mixed domain functional level provides backward compatibility with a Windows 2000 Active Directory running in mixed mode. Installed at this level, Windows Server 2003 domain controllers are able to communicate with both Windows NT 4.0 and Windows 2000 domain controllers throughout the forest.
At this level, Windows Server 2003 shares the same limitations present in the Windows 2000 mixed mode domain. For most companies this is a temporary level, used while they are in the process of migrating to a native mode Active Directory.

Windows 2000 Native Functional Level

The Windows 2000 native functional level is the initial operating level of Windows Server 2003 domain controllers installed into a Windows 2000 native mode domain. At this level there are no NT 4.0 domain controllers. All authentication is performed by Windows 2000 and Windows Server 2003 domain controllers.

Windows Server 2003 Interim Functional Level

The Windows Server 2003 interim functional level is the initial operating level of Windows Server 2003 domain controllers installed into a Windows NT 4.0 domain. This level is provided primarily as a stepping stone during a migration from Windows NT 4.0 to Windows Server 2003. The interim functional level comes into play for those companies that have not upgraded to Windows 2000 but instead migrate directly to Windows Server 2003 Active Directory.

Windows Server 2003 Functional Level

To gain the full functionality of a Windows Server 2003 Active Directory, the Windows Server 2003 functional level is the final goal for both domain and forest functional levels. Functionality at this level enables many of the new features available in Windows Server 2003, such as renaming domains and domain controllers, schema deactivation, and cross-forest trusts. Before you can promote your Active Directory to the full Windows Server 2003 functional level, all domain controllers must be upgraded to Windows Server 2003. Individual domains can be promoted to the Windows Server 2003 functional level, but the forest can only be promoted to this functional level after all the domains in the forest are operating at this highest level. You can use Active Directory Users and Computers or Active Directory Domains and Trusts to elevate domain functional levels.
To raise the forest functional level, though, you must use the Active Directory Domains and Trusts tool. If you are ready to perform both operations, follow these steps:
Domain Administrative Functionality

There are new administrative capabilities at each domain functional level that you should be aware of. In part, understanding the new capabilities helps in the decision to elevate functional levels. It is also important to keep these capabilities in mind when deciding whether to grant or prevent access to these functions within your IT organization.

Raising Functional Levels Is a One-way Operation

Be sure you will not need to add Windows 2000 domains to your forest before performing this process. When the forest is at the Windows Server 2003 functional level, this applies to child domains as well.

When you elevate your domain from the Windows 2000 mixed to the Windows 2000 native functional level, you add the following administrative capabilities:
Elevating your domain from the Windows 2000 native functional level to the Windows Server 2003 functional level gives you the capability to rename domain controllers within that domain.

Forest Administrative Functionality

When you raise your forest functionality from Windows 2000 to Windows Server 2003, you enable the following administrative capabilities:
The Senior Administrator Should Limit Who Can Raise the Functional Level of a Domain

Rather than leaving the privilege to all Domain Admins, the right should be blocked for all Domain Admins and assigned to specific administrators. Although it is unlikely that an individual would maliciously raise the functional level of a domain and effectively cause non-compliant domain controllers to be dropped from the network, it is quite possible for an inexperienced administrator to change the functional level accidentally, creating authentication problems on the network.

Be Very Careful in Designing Your Administrative Framework...

...so that only individuals who understand and are responsible for the implications of forestwide changes have access to make them. The forestwide capabilities of Windows Server 2003 each have an enormous impact on the stability of your enterprise network.
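The two checks a careful administrator wants before touching a functional level are the ones the text implies: confirm every domain controller already meets the target level (the raise is one-way, and non-compliant domain controllers are dropped), and confirm who actually holds the right to raise it. The following PowerShell script is an added example, not code from the book; it reads the rootDSE and domain head over ADSI and changes nothing. It assumes a domain-joined Windows host with PowerShell and the .NET System.DirectoryServices classes, and an account with read access to the domain. The attribute names used (domainFunctionality, forestFunctionality, ntMixedDomain, msDS-Behavior-Version, operatingSystem, userAccountControl) are standard Active Directory attributes; the function names are the example's own.

```powershell
# Added example (not from the book): read-only preflight and permission audit
# for raising a domain or forest functional level. Nothing here raises a level.
# Assumes: domain-joined Windows host, PowerShell, System.DirectoryServices, read access.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext.Value
$schemaDn = $rootDse.schemaNamingContext.Value
$configDn = $rootDse.configurationNamingContext.Value

# Values the rootDSE exposes: 0 = Windows 2000, 1 = Windows Server 2003 interim,
# 2 = Windows Server 2003. Mixed vs. native at level 0 is the domain's ntMixedDomain flag.
$levelName = @{ 0 = "Windows 2000"; 1 = "Windows Server 2003 interim"; 2 = "Windows Server 2003" }

function Show-FunctionalLevels {
    $domain      = [ADSI]"LDAP://$domainDn"
    $domainLevel = [int]$rootDse.domainFunctionality.Value
    $forestLevel = [int]$rootDse.forestFunctionality.Value
    $mode = "native"
    if ([int]$domain.ntMixedDomain.Value -eq 1) { $mode = "mixed" }
    "Domain level : $($levelName[$domainLevel]) ($mode)"
    "Forest level : $($levelName[$forestLevel])"
}

function Find-DomainControllersBelow([string]$requiredOs = "Windows Server 2003") {
    # Domain controllers carry SERVER_TRUST_ACCOUNT (0x2000 = 8192) in userAccountControl;
    # the OID in the filter is the LDAP bitwise-AND matching rule.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    [void]$searcher.PropertiesToLoad.Add("name")
    [void]$searcher.PropertiesToLoad.Add("operatingSystem")
    foreach ($dc in $searcher.FindAll()) {
        $os = "<unknown>"
        if ($dc.Properties["operatingsystem"].Count -gt 0) { $os = [string]$dc.Properties["operatingsystem"][0] }
        if ($os -notlike "*$requiredOs*") {
            # Any hit here means the raise would orphan this DC; stop and upgrade it first.
            "Blocks the raise: $($dc.Properties['name'][0]) runs '$os'"
        }
    }
}

function Show-WhoCanRaiseLevel([string]$targetDn = $domainDn) {
    # The level lives in msDS-Behavior-Version on the domain head (domain level) or on
    # CN=Partitions in the configuration partition (forest level). Resolve its schemaIDGUID
    # so attribute-specific ACEs can be matched, not just "all properties" ACEs.
    $schema = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaDn")
    $schema.Filter = "(lDAPDisplayName=msDS-Behavior-Version)"
    [void]$schema.PropertiesToLoad.Add("schemaIDGUID")
    $bytes    = [byte[]]$schema.FindOne().Properties["schemaidguid"][0]
    $attrGuid = New-Object System.Guid -ArgumentList (,$bytes)

    $target = [ADSI]"LDAP://$targetDn"
    $rules  = $target.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $write  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty   # GenericWrite/GenericAll include this bit
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$rule.ActiveDirectoryRights -band $write) -eq 0) { continue }
        # Guid.Empty means the ACE covers every property. Property-set GUIDs are not expanded here.
        if ($rule.ObjectType -eq [Guid]::Empty -or $rule.ObjectType -eq $attrGuid) {
            "$($rule.IdentityReference) : $($rule.ActiveDirectoryRights)"
        }
    }
}

Show-FunctionalLevels
Find-DomainControllersBelow
"--- can write the domain level on $domainDn ---"
Show-WhoCanRaiseLevel
"--- can write the forest level on CN=Partitions,$configDn ---"
Show-WhoCanRaiseLevel "CN=Partitions,$configDn"
```

Run the preflight and expect no "Blocks the raise" lines before raising the domain level; check the forest only after every domain reports the Windows Server 2003 level, since the forest raise writes the Partitions container and fails otherwise. Read the permission listing with the text's caveat in mind: denying Domain Admins write access to msDS-Behavior-Version guards against the accidental raise the author worries about, but Domain Admins own the domain head and hold WriteDacl, so a determined member can re-grant the right; pair the ACL change with auditing of changes to that attribute rather than treating it as a hard boundary. On Windows Server 2008 R2 and later the ActiveDirectory module's Get-ADDomain and Get-ADForest expose the same information as DomainMode and ForestMode.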