Enhancing Administration with Functional Levels

You are probably familiar with the mixed and native modes of Active Directory in Microsoft Windows 2000. Mixed mode provides backward-compatibility with NT 4.0 environments where Backup Domain Controllers can exist and authenticate user logons . Promoting a Windows 2000 domain to Native mode eliminates the use of backup Domain Controllers and, in turn , provides additional Active Directory features such as Universal Groups.

With Windows Server 2003, the concept of modes is augmented with the introduction of functional levels . Like Windows 2000 Active Directory modes, Functional levels provide levels of backward-compatibility for both Windows NT 4.0 and Windows 2000 domains. In Windows Server 2003, there are four domain functional levels and three forest functional levels. This section will provide an overview of the Windows functional levels and their implications on administrative design and management.

Common Misunderstanding

There is a common misunderstanding that a native mode forest in Windows 2000 requires that all servers and workstations in the network are Windows 2000 or higher configurations and that an organization could not have Windows NT 4 servers or workstations, or Windows 9x workstations. This is a misunderstanding because a native mode forest in Windows 2000 only required that all domain controllers were Windows 2000. A native mode forest in Windows 2000 could have Windows NT 4 member servers, Windows NT4 workstations, and Windows 9x workstations in the domain and still function properly.

Windows 2000 Mixed Domain Functional Level

The Windows 2000 Mixed Domain Functional level provides for backward-compatibility with a Windows 2000 Active Directory running in Mixed Mode. Installed at this level, Windows Server 2003 domain controllers will be able to communicate with both Windows NT 4.0 and Windows 2000 domain controllers throughout the forest. At this level, Windows Server 2003 shares the same limitations present in the Windows 2000 mixed mode domain. Usually, this is a temporary level for most companies that are in the process of migrating to a native mode Active Directory.

Windows 2000 Native Functional Level

The Windows 2000 native functional level is the initial operating level of Windows Server 2003 domain controllers installed into a Windows 2000 native mode domain. At this level there are no NT 4.0 domain controllers. All authentication is performed by Windows 2000 and Windows Server 2003 domain controllers.

Windows Server 2003 Interim Functional Level

The Windows Server 2003 interim functional level is the initial operating level of Windows Server 2003 domain controllers installed into a Windows NT 4.0 domain. This level is provided primarily as a stepping stone during a migration from Windows NT 4.0 to Windows Server 2003. The interim functional level comes into play for those companies that have not upgraded to Windows 2000, but instead migrate directly to Windows Server 2003 Active Directory.

Windows Server 2003 Functional Level

To gain the full functionality of a Windows Server 2003 Active Directory, the Windows Server 2003 functional level is the final goal for domain and forest functional levels. Functionality at this level enables many of the new features available to Windows Server 2003 such as renaming domains and domain controllers, schema deactivation , and cross-forest trusts. For you to promote your Active Directory to the full Windows Server 2003 Functional level, all domain controllers must be upgraded to Windows Server 2003. Individual domains can be promoted to the Windows Server 2003 functional level, but the forest can only be promoted to this functional level after all the domains in the forest are operating at this highest level.

You can use Active Directory Users and Computers or Active Directory Domains and Trusts to elevate domain functional levels. To raise the forest functional level, though, you must use the Active Directory Domains and Trusts tool. If you are ready to perform both operations, follow these steps:

Ensure that all domain controllers in the forest are upgraded to Windows Server 2003.
Open Active Directory Domains and Trusts from the Administrative Tools menu.
In the left scope pane, right-click on the domain name and then click the Raise Domain Functional Level.
In the box labeled Raise Domain Functional Level, shown in Figure 4.5, select Windows Server 2003 and then click Raise.

Figure 4.5. Raising the domain functional level.
Click OK and then click OK again to complete the task.
Repeat steps 1 through 5 for all domains in the forest.
Perform the same steps on the forest root object, except this time choose Raise Forest Functional Level and follow the prompts.

Domain Administrative Functionality

There are new administrative capabilities at each domain functional level that you should be aware of. In part, understanding the new capabilities help in the decision to elevate functional levels. It is also important to keep these capabilities in mind when deciding whether to grant or prevent access to these functions within your IT organization.

Raising Functional Levels Is a One-way Operation

Be sure you will not need to add Windows 2000 domains to your forest before performing this process. When the forest is Windows Server 2003 functional, this applies to child domains as well.

When you elevate your domain from a Windows 2000 mixed to a Windows 2000 Native functional level, you add the following administrative capabilities:

SID History. This feature enables you to migrate security principles from one domain to another while preserving associated access control lists (ACLs).
Converting Groups. This feature gives you the capability to change distribution groups and security groups.
Nesting Groups. In mixed mode, you can nest distribution groups, but not security groups. Windows 2000 Native mode allows you full nesting of security groups.
Universal Groups. Universal groups can contain accounts, global groups, and universal groups from any domain in the forest.

Elevating your domain from Windows 2000 Native functional level to Windows Server 2003 functional level gives you the capability to rename domain controllers within that domain.

Forest Administrative Functionality

When you raise your forest functionality from Windows 2000 to Windows Server 2003, you enable the following administrative capabilities:

Deactivation of schema objects. Although you cannot delete classes or attributes, you can deactivate them if they are no longer needed or if there was an error in the original definition.
Forest trusts. With this functionality, you can link two disjoined Windows Server 2003 forests to form one-way or two-way transitive trust relationships. A two-way forest trust creates a transitive trust between every domain in both forests.
Domain rename. Within a Windows Server 2003 native level forest, you have the ability to rename domains. This functionality also permits the restructuring of domains within the forest.

The Senior Administrator Should Limit the Access of Who Can Raise the Functional Level of a Domain

Rather than leaving the privilege to all Domain Admins, the right should be blocked to all Domain Admins and assigned to specific administrators. Although it is unlikely an individual would maliciously raise the functional level of a domain and effectively cause non-compliant domain controllers to be dropped from the network, there is a very common possibility of an inexperienced administrator accidentally changing the functionality level, and thus creating authentication problems on the network.

Be Very Careful in Designing Your Administrative Framework...

so that only individuals who understand and are responsible for the implications of forestwide changes have access to make them.

The forestwide capabilities of Windows Server 2003 each have an enormous impact on the stability of your enterprise network.