Enabling Advanced Windows Server 2003 Active Directory Features

Transcription

1 C H A P T E R 5 Enabling Advanced Windows Server 2003 Active Directory Featres The Microsoft Windows Server 2003 Active Directory directory service enables yo to introdce advanced featres into yor environment by raising the domain or forest fnctional level. Yo can raise the fnctional level when all domain controllers in the domain or forest are rnning an appropriate version of Windows. Raising the fnctional level allows yo to introdce new featres bt also limits the versions of Windows that can rn on domain controllers in yor environment. In This Chapter Overview of Enabling Advanced Active Directory Featres Preparing to Enable Fnctional Levels Enabling Windows Server 2003 Active Directory Fnctional Levels Additional Resorces Related Information For more information abot domain and forest fnctional levels, see the Directory Services Gide of the Microsoft Windows Server 2003 Resorce Kit (or see the Directory Services Gide on the Web at For more information abot enabling fnctional levels in a new Microsoft Windows Server 2003 environment, see Deploying the Windows Server 2003 Forest Root Domain in this book. For more information abot enabling fnctional levels after pgrading from Microsoft Windows NT 4.0, see Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory in this book. For more information abot enabling fnctional levels after pgrading from Microsoft Windows 2000, see Upgrading Windows 2000 Domains to Windows Server 2003 Domains in this book.

2 206 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Overview of Enabling Advanced Active Directory Featres Fnctional levels in Windows Server 2003 Active Directory enable yo to implement advanced featres sch as efficient grop membership replication, deactivation and redefinition of attribtes and classes in the schema, and domain rename that reqire that domain controllers within a domain or forest be rnning the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition operating systems. If yo want to enable these advanced Windows Server 2003 Active Directory featres in yor organization, yo mst raise the domain and/or forest to the appropriate fnctional level. Before yo can identify and enable the fnctional level that best meets the needs of yor organization, yo mst identify the Windows operating systems that yo are crrently rnning and that yo plan to maintain in yor environment after yo deploy Windows Server If yo are crrently rnning Windows NT 4.0 and yo do not plan to deploy Windows 2000 in yor environment, after yo deploy the first Windows Server 2003 based domain controller, raise the forest fnctional level to Windows Server 2003 interim to take advantage of the advanced featres available at that forest fnctional level. If yo are crrently rnning both Windows 2000 and Windows NT 4.0 in yor environment, after yo deploy a Windows Server 2003 based domain controller, keep the forest fnctional level set to Windows This enables yo to take advantage of all advanced featres available at that forest fnctional level. If yo are crrently rnning only Windows 2000 in yor environment or yo are planning to install any nmber of Windows 2000 based domain controllers in the ftre, after yo deploy a Windows Server 2003 based domain controller, keep the forest fnctional level set to Windows This enables yo to take advantage of all advanced featres available at that forest fnctional level. If yo are deploying a new Windows Server 2003 environment and plan to rn only Windows Server 2003 based domain controllers, after yo deploy the first Windows Server 2003 based domain controller yo can raise the forest fnctional level to Windows Server 2003 to take advantage of all available Windows Server 2003 Active Directory featres. Note For a list of the job aids that are available to assist yo in enabling fnctional levels, see Additional Resorces later in this chapter.

3 Overview of Enabling Advanced Active Directory Featres 207 Process for Enabling Advanced Active Directory Featres Enabling advanced Active Directory featres involves identifying the operating systems that are rnning on the domain controllers in yor environment and the fnctional level that best meets the needs of yor organization based on yor existing infrastrctre, and raising the domain or forest fnctional level as appropriate. Figre 5.1 shows the process for enabling advanced Active Directory featres. Figre 5.1 Enabling Advanced Active Directory Featres Prepare to enable fnctional levels Enable Windows Server 2003 Active Directory fnctional levels Fnctional Levels Backgrond Information Windows Server 2003 Active Directory fnctional levels expand on the mixed and native modes introdced in the Windows 2000 operating system. In Windows 2000, a mixed mode domain spports domain controllers rnning either Windows 2000 or the Windows NT 4.0 operating system. Domains in native mode only spport Windows 2000 based domain controllers. If all domain controllers in a mixed mode domain are pgraded to Windows 2000, the domain administrator can change the mode to native, making additional Windows 2000 featres available. In Windows Server 2003, the fnctional level of a domain or forest defines the set of advanced Windows Server 2003 Active Directory featres that are available in that domain or forest. The fnctional level of a domain or forest also defines the set of Windows operating systems that can rn on the domain controllers in that domain or forest. Note The fnctional level of a domain or forest defines only the set of Windows operating systems that can rn on domain controllers. It does not define the client operating systems that are spported in the forest.

4 208 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres When the first Windows Server 2003 based domain controller is deployed in a domain or forest, a set of defalt Active Directory featres becomes available. Table 5.1 smmarizes the Active Directory featres that are available by defalt on any domain controller rnning Windows Server Table 5.1 Defalt Windows Server 2003 Active Directory Featres Featre Mltiple selection of ser objects Drag and drop fnctionality Efficient search capabilities Saved qeries Active Directory command-line tools InetOrgPerson class Application directory partitions Ability to add additional domain controllers by sing backp media Universal grop membership caching Fnctionality Allows yo to modify common attribtes of mltiple ser objects at one time. Allows yo to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. Yo can also add objects to grop membership lists by dragging one or more objects (inclding other grop objects) to the target grop. Search fnctionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects. Allows yo to save commonly sed search parameters for rese in Active Directory Users and Compters Allows yo to rn new directory service commands for administration scenarios. The inetorgperson class has been added to the base schema as a secrity principal and can be sed in the same manner as the ser class. Allows yo to configre the replication scope for application-specific data among domain controllers. For example, yo can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication. Redces the time it takes to add an additional domain controller in an existing domain by sing backp media. Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing niversal grop membership information on an athenticating domain controller. (contined)

5 Overview of Enabling Advanced Active Directory Featres 209 Table 5.1 Defalt Windows Server 2003 Active Directory Featres (contined) Featre Secre Lightweight Directory Access Protocol (LDAP) traffic Partial synchronization of the global catalog Active Directory qotas Fnctionality Active Directory administrative tools sign and encrypt all LDAP traffic by defalt. Signing LDAP traffic garantees that the packaged data comes from a known sorce and that it has not been tampered with. Provides improved replication of the global catalog when schema changes add attribtes to the global catalog partial attribte set. Only the new attribtes are replicated, not the entire global catalog. Qotas can be specified in Active Directory to control the nmber of objects a ser, grop, or compter can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators grops are exempt from qotas. For more information abot the defalt Active Directory featres that are available on any Windows Server 2003 domain controller, see New featres for Active Directory in Help and Spport Center for Windows Server When the first Windows Server 2003 based domain controller is deployed in a domain or forest, the domain or forest operates by defalt at the lowest fnctional level that is possible in that environment. This allows yo to take advantage of the defalt Active Directory featres while rnning versions of Windows earlier than Windows Server When yo raise the fnctional level of a domain or forest, a set of advanced featres becomes available. For example, the Windows Server 2003 interim forest fnctional level spports more featres than the Windows 2000 forest fnctional level, bt fewer featres than the Windows Server 2003 forest fnctional level spports. Windows Server 2003 is the highest fnctional level that is available for a domain or forest. The Windows Server 2003 fnctional level spports the most advanced Active Directory featres; however, only Windows Server 2003 domain controllers can operate in that domain or forest. If yo raise the domain fnctional level to Windows Server 2003, yo cannot introdce any domain controllers that are rnning versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest fnctional level as well.

6 210 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Table 5.2 lists the Windows Server 2003 domain fnctional levels, the operating systems that they spport, and the Windows Server 2003 featres that are available at each domain fnctional level. Table 5.2 Windows Server 2003 Domain Fnctional Levels Windows Server 2003 Domain Fnctional Level Spported Domain Controller Operating Systems Advanced Featres Available at Each Domain Fnctional Level Windows 2000 mixed Windows NT 4.0 Windows 2000 Windows Server 2003 Windows 2000 native Windows 2000 Windows Server 2003 All defalt Active Directory featres, and: Universal Grops are enabled for distribtion grops, bt are disabled for secrity grops. All defalt Active Directory featres, all featres from the Windows 2000 mixed domain fnctional level, and: Universal Grops are enabled for both distribtion and secrity grops. Grop conversion is enabled, allowing conversion between secrity and distribtion grops. Grop nesting is available, allowing nesting of grops within other grops. Secrity identifier (SID) history is available, allowing the migration of secrity principals from one domain to another. Windows Server 2003 interim Windows NT 4.0 Windows Server 2003 Same as Windows 2000 mixed. (contined)

7 Overview of Enabling Advanced Active Directory Featres 211 Table 5.2 Windows Server 2003 Domain Fnctional Levels (contined) Windows Server 2003 Domain Fnctional Level Spported Domain Controller Operating Systems Advanced Featres Available at Each Domain Fnctional Level Windows Server 2003 Windows Server 2003 All defalt Active Directory featres, all featres from the Windows 2000 native domain fnctional level, and: Spports new fnctionality of the netdom.exe tool to prepare domain controllers for rename. It is recommended that yo rename a domain controller by sing netdom.exe to ensre that all appropriate steps are taken. Enables pdates to the logon timestamp attribte. The lastlogontimestamp attribte is pdated with the last logon time of the ser or compter. This attribte is replicated within the domain. Provides the ability to set the serpassword attribte as the effective password on inetorgperson and ser objects. Provides the ability to redirect the Users and Compters containers in order to define a new well-known location for ser and compter acconts. Allows for athorization manager to store its athorization policies in Active Directory. Incldes constrained delegation, which allows applications to take advantage of the secre delegation of ser credentials by means of Kerberos athentication protocol. Delegation can be configred to be allowed only to specific destination services. Spports selective athentication, by which it is possible to specify the sers and grops from a trsted forest who are allowed to athenticate to resorce servers in a trsting forest.

8 212 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Table 5.3 lists the Windows Server 2003 forest fnctional levels, the operating systems that they spport, and the Windows Server 2003 featres that are available at each forest fnctional level. Table 5.3 Windows Server 2003 Forest Fnctional Levels Windows Server 2003 Forest Fnctional Level Spported Domain Controller Operating Systems Advanced Featres Available at Each Forest Fnctional Level Windows 2000 Windows NT 4.0 Windows 2000 Windows Server 2003 All defalt Active Directory featres. Windows Server 2003 interim Windows NT 4.0 Windows Server 2003 All defalt Active Directory featres, and: Linked vale replication. Improved KCC algorithms and scalability. The following attribtes inclded in the global catalog: Ms-DS-Trst-Forest-Trst-Info Trst-Direction Trst-Attribtes Trst-Type Trst-Partner Secrity-Identifier Ms-DS-Entry-Time-To-Die MSMQ-Secred-Sorce MSMQ-Mlticast-Address Print-Memory Print-Rate Print-Rate-Unit MS-DRM-Identity-Certificate (contined)

9 Overview of Enabling Advanced Active Directory Featres 213 Table 5.3 Windows Server 2003 Forest Fnctional Levels (contined) Windows Server 2003 Forest Fnctional Level Spported Domain Controller Operating Systems Advanced Featres Available at Each Forest Fnctional Level Windows Server 2003 Windows Server 2003 All Active Directory featres available at the Windows Server 2003 interim level, and: The ability to create instances of the dynamic axiliary class called dynamicobject in a domain naming context. The ability to convert an inetorgperson object instance into a User object instance and vice versa. The ability to create instances of the new grop types basic and qery based, sed by the role based Athorization Manager. Deactivation and redefinition of attribtes and classes in the schema. Forest trst. Domain rename. Gidelines for Raising Domain Fnctional Levels The following gidelines apply to raising the domain fnctional level: Yo mst be a member of the Domain Admins grop to raise the domain fnctional level. Yo can raise the domain fnctional level on the primary domain controller (PDC) emlator operations master only. The Active Directory administrative tools sed to raise the domain fnctional level (Active Directory Domains and Trsts and Active Directory Users and Compters) atomatically target the PDC emlator when yo raise the domain fnctional level. Yo can raise the fnctional level of a domain only if all domain controllers in the domain are rnning the version or versions of Windows that the new fnctional level spports. Yo cannot lower the fnctional level of a domain after it has been raised.

10 214 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Gidelines for Raising Forest Fnctional Levels The following gidelines apply to raising the forest fnctional level: Yo mst be a member of the Enterprise Admins grop to raise the forest fnctional level. Yo can raise the forest fnctional level on the schema operations master only. The Active Directory Domains and Trsts console atomatically targets the schema operations master when yo raise the forest fnctional level. Yo can raise the fnctional level of a forest only if all domain controllers in the forest are rnning the version or versions of Windows that the new fnctional level spports. Yo can raise the forest to the Windows Server 2003 fnctional level only if all domains are at either the Windows 2000 native or Windows Server 2003 fnctional level. Yo cannot lower the fnctional level of a forest after it has been raised. Important Raising the domain and forest fnctional levels are one-way operations that cannot be reversed. In the event that yo need to revert to a lower fnctional level, yo need to rebild the domain or forest or restore it from a backp. For more information abot domain and forest recovery, see the Best Practices: Active Directory Forest Recovery link on the Web Resorces page at When yo raise the forest fnctional level to Windows Server 2003, Active Directory atomatically raises all domains that are operating at the Windows 2000 native domain fnctional level to the Windows Server 2003 domain fnctional level. However, if any domains in yor environment are operating at the Windows 2000 mixed domain fnctional level, yo cannot raise the forest fnctional level to Windows Server For more information abot raising fnctional levels, see Raising domain and forest fnctional levels in Help and Spport Center for Windows Server Preparing to Enable Fnctional Levels Before yo can enable domain and forest fnctional levels, yo need to evalate yor crrent environment and identify the fnctional level scenario that best meets the needs of yor organization. For a worksheet to assist yo in preparing to enable fnctional levels, see Assess Yor Crrent Environment later in this chapter. Figre 5.2 shows the process for preparing to enable fnctional levels.

11 Preparing to Enable Fnctional Levels 215 Figre 5.2 Preparing to Enable Fnctional Levels Prepare to enable fnctional levels Enable Windows Server 2003 Active Directory fnctional levels Assess yor crrent environment Identify yor fnctional level scenario Assess Yor Crrent Environment Assess yor crrent environment by identifying the domains in yor forest, the domain controllers that are located in each domain, the operating system that each domain controller is rnning, and the date that yo plan to pgrade the domain controller. If yo plan to retire a domain controller, docment the reasons for this decision. Circmstances that might prevent yo from pgrading an earlier version of the Windows operating system and enabling the Windows Server 2003 fnctional level inclde: Insfficient hardware A domain controller rnning an antivirs program that is incompatible with Windows Server 2003 Use of a version-specific program that does not rn on Windows Server 2003 The need to perform a Service Pack pgrade Docmenting this information will help yo identify the steps that are reqired for yo to achieve a flly fnctional Windows Server 2003 environment. For a worksheet to assist yo in assessing yor crrent environment, see Domain Controller Assessment (DSSPFL_1.doc) on the Microsoft Windows Server 2003 Deployment Kit companion CD (or see Domain Controller Assessment on the Web at Complete a separate worksheet for each domain, regardless of yor forest strctre. Figre 5.3 shows an example of a completed worksheet for a domain assessment.

12 216 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Figre 5.3 Example of a Domain Controller Assessment Worksheet Identify Yor Fnctional Level Scenario After yo assess yor crrent environment, identify the fnctional level scenario Windows NT 4.0 environment, Windows 2000 mixed-mode environment, Windows 2000 nativemode environment, or new Windows Server 2003 forest that applies to yor organization. Windows NT 4.0 environment Yo have a pre Windows NT 4.0 environment consisting of one or more Windows NT 4.0 PDCs and backp domain controllers (BDCs). Yo want to pgrade directly to Windows Server 2003 and take advantage of all Windows Server 2003 forest- and domain-level featres withot deploying any Windows 2000 domain controllers in the environment. Windows 2000 mixed mode environment Yo have a mixed mode Windows 2000 domain that incldes both Windows 2000 and Windows NT 4.0 based domain controllers. Yo want to pgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level featres. Windows 2000 native mode environment Yo have a native mode Windows 2000 domain consisting of only Windows 2000 based domain controllers. Yo want to pgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level featres. New Windows Server 2003 forest Yo are creating a new Windows Server 2003 forest by installing Active Directory on a Windows Server 2003 based member server. Yo want to take advantage of all Windows Server 2003 forest- and domain-level featres.

13 Enabling Windows Server 2003 Active Directory Fnctional Levels 217 Enabling Windows Server 2003 Active Directory Fnctional Levels Enabling advanced Windows Server 2003 Active Directory featres in yor environment involves installing Windows Server 2003 Active Directory, determining the fnctional level that is appropriate for yor environment, and then raising domain and forest fnctional levels to meet yor reqirements. If yo choose to raise yor existing infrastrctre to the Windows Server 2003 fnctional level, yo can take advantage of all the Windows Server 2003 Active Directory featres that are available. Yo can determine the crrent domain fnctional level by viewing the properties of the domain object in either Active Directory Users and Compters or Active Directory Domains and Trsts. Yo can determine the crrent forest fnctional level by sing Active Directory Domains and Trsts to view the properties of the Active Directory Domains and Trsts node. To raise the forest fnctional level to Windows Server 2003, se Active Directory Domains and Trsts. To raise the domain fnctional level to Windows Server 2003 or Windows 2000 native, se Active Directory Domains and Trsts or Active Directory Users and Compters. For more information abot how to view and raise domain and forest fnctional levels, see Raise the domain fnctional level and Raise the forest fnctional level in Help and Spport Center for Windows Server Figre 5.4 Enabling Windows Server 2003 Active Directory Fnctional Levels Prepare to enable fnctional levels Enable Windows Server 2003 Active Directory fnctional levels

14 218 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Enabling Windows Server 2003 Fnctional Levels in a Windows NT 4.0 Environment If all of the domain controllers in yor environment are rnning Windows NT 4.0, and yo plan to pgrade them to Windows Server 2003 withot ever pgrading to Windows 2000 or installing a new Windows 2000 based domain controller, maintain the Windows Server 2003 interim fnctional level in yor domains and forest ntil yo pgrade all Windows NT 4.0 domain controllers to Windows Server Important If yo choose to raise the forest and domain fnctional level to Windows Server 2003 interim, yo cannot retrn to the Windows 2000 mixed domain fnctional level or the Windows 2000 forest fnctional level, and therefore yo cannot add Windows 2000 based domain controllers to the forest. For more information abot deploying Windows Server 2003 in a Windows NT 4.0 environment, see Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory in this book. If yo intend to add one or more Windows 2000 based domain controllers instead of having only domain controllers rnning Windows Server 2003 in yor environment, see Enabling Windows Server 2003 Fnctional Levels in a Mixed Windows 2000 Forest later in this chapter. Important If yo are rnning Windows NT 4.0 or Windows 2000 domain controllers in yor environment, do not raise the fnctional level of yor domain or forest to Windows Server Yo cannot operate at the Windows Server 2003 fnctional level ntil all of yor domain controllers are rnning Windows Server Windows 2000 Active Directory grop replication limits the size of grops in a Windows 2000 forest. Yo mst divide grops that inclde more than 5,000 members into smaller grops when yo pgrade to Windows The Windows Server 2003 interim forest fnctional level is ideal if the grops in any domains in yor existing Windows NT 4.0 environment inclde more than 5,000 members. When yo are operating at the Windows Server 2003 interim fnctional level, yo can take advantage of grop membership replication improvements, which spport large grops of more than 5,000 members. When pgrading yor Windows NT 4.0 environment to Windows Server 2003, yo can choose to do one of the following: Upgrade to a regional domain in an existing Windows Server 2003 forest. Upgrade to a single domain forest.

15 Enabling Windows Server 2003 Active Directory Fnctional Levels 219 Whether yo decide to pgrade to a regional domain in an existing Windows Server 2003 forest or pgrade to a single domain forest, if yo choose to raise the forest fnctional level to Windows Server 2003 interim, yo mst remain at the Windows Server 2003 interim fnctional level ntil yo pgrade all other Windows NT 4.0 based domain controllers to Windows Server 2003 or retire them from service. The Windows Server 2003 interim fnctional level spports both Windows NT 4.0 based domain controllers and Windows Server 2003 based domain controllers. Upgrading to a Regional Domain in an Existing Windows Server 2003 Forest When yo pgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest, it is recommended that yo raise the forest fnctional level of the existing forest to Windows Server 2003 interim before pgrading the Windows NT 4.0 PDC to take advantage of the added featres of the Windows Server 2003 interim fnctional level. After yo raise the forest fnctional level of the existing forest to Windows Server 2003 interim, the domain fnctional level of the forest root domain and all sbseqent regional domains is set by defalt to Windows Server 2003 interim. When yo pgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest, where the forest fnctional level is set to Windows 2000, fnctional levels are set in the new regional domain to the following by defalt, and they remain in effect ntil yo raise them manally: Windows 2000 mixed domain fnctional level Windows 2000 forest fnctional level Yo cannot se Active Directory administrative consoles to raise the forest fnctional level of the existing Windows Server 2003 forest root domain to Windows Server 2003 interim. Instead, se a Lightweight Directory Access Protocol (LDAP) application sch as ADSI Edit or LDP in Windows Spport Tools to edit the vale of the msds-behavior-version attribte. To raise the forest fnctional level of the existing forest to Windows Server 2003 interim by sing ADSI Edit 1. In ADSI Edit, expand the Configration partition, and expand CN=Configration,DC=forestname,DC=domainname,DC=com. 2. Right-click CN=Partitions, and then click Properties. 3. Select the msds-behavior-version attribte. 4. Click Edit. 5. In the Vale field, type 1 to raise the forest fnctional level to Windows Server 2003 interim. 6. Click OK. After yo raise the forest fnctional level to Windows Server 2003 interim forest, yo cannot add Windows 2000 based domain controllers to the forest.

16 220 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres If yo are deploying a new Windows Server 2003 forest root domain and are planning to pgrade a Windows NT 4.0 domain to a regional domain in this new environment, after yo raise the forest fnctional level to Windows Server 2003 interim, pgrade the Windows NT 4.0 domain to Windows Server Select Child domain in an existing domain tree when prompted by the Active Directory Installation Wizard. For more information abot deploying a Windows Server 2003 forest root domain, see Deploying the Windows Server 2003 Forest Root Domain in this book. Upgrading to a Single Domain Forest When pgrading to a new Windows Server 2003 single domain forest by pgrading an existing Windows NT 4.0 PDC to Windows Server 2003, yo are prompted to se the Active Directory Installation Wizard to install Active Directory. The wizard gives yo the option of setting the forest fnctional level to Windows Server 2003 interim dring the Active Directory installation process. If yo set the fnctional level dring the Active Directory installation, both the domain and forest will be set at Windows Server 2003 interim after the installation process is complete and the compter is restarted. Important If yo do not set the fnctional level to Windows Server 2003 interim dring the Active Directory installation process, fnctional levels are set by defalt to the following: Windows 2000 forest fnctional level Windows 2000 mixed domain fnctional level Use the preceding procedre to se ADSI Edit to manally raise the forest fnctional level to Windows Server 2003 interim after the Active Directory installation process is complete and the compter is restarted. Raise the Domain Fnctional Level to Windows Server 2003 After yo pgrade all Windows NT 4.0 based domain controllers in a domain to Windows Server 2003, yo can raise the fnctional level of each domain in the forest to Windows Server Before yo raise the domain fnctional level, however, yo mst ensre that no Windows NT 4.0 based domain controllers remain in the domain. WARNING If Windows NT 4.0 based domain controllers are rnning in a domain when yo raise the domain fnctional level to Windows Server 2003, they will no longer be able to commnicate with the new Windows Server 2003 domain controllers and will not receive necessary pdates.

17 Enabling Windows Server 2003 Active Directory Fnctional Levels 221 Use the following LDAP qery to identify any Windows NT 4.0 domain controllers remaining in the domain. Rn the LDAP qery against the Domain container in Active Directory Users and Compters. If yo have not manally changed the vale of the operatingsystemversion attribte of the compter object, this qery is conclsive for domain controllers rnning Windows NT 4.0. Yo mst be a member of the Domain Admins grop to rn the following qery. To identify Windows NT 4.0 based domain controllers in a domain 1. From any Windows Server 2003 based domain controller, open Active Directory Users and Compters. 2. If the domain controller is not already connected to the appropriate domain, connect it to the domain as follows: a. Right-click the crrent domain object, and then click Connect to domain. b. In the Domain dialog box, type the DNS name of the domain that yo want to connect to, or click Browse to select the domain from the domain tree, and then click OK. 3. Right-click the domain object, and then click Find. 4. In the Find dialog box, click Cstom Search. 5. Click the domain for which yo want to change the fnctional level. 6. Click the Advanced tab. 7. In the Enter LDAP qery box, type the following, leaving no spaces between any characters (the qery is not case-sensitive): (&(objectcategory=compter)(operatingsystemversion=4*)(seraccontcontrol: :=8192)) 8. Click Find Now. This prodces a list of the compters in the domain that are rnning Windows NT 4.0 and fnctioning as domain controllers. A domain controller might appear in the list for any of the following reasons: The domain controller is rnning Windows NT 4.0 and mst be pgraded. The domain controller has been pgraded to Windows Server 2003, bt the change has not replicated to the target domain controller. The domain controller is no longer in service, bt its compter object has not been removed from the domain. Before yo can change the domain fnctional level to Windows Server 2003, yo mst physically locate any domain controller in the list, determine its crrent stats, and either pgrade or remove the domain controller as appropriate. For more information abot LDAP qeries, see the Directory Services Gide of the Windows Server 2003 Resorce Kit (or see the Directory Services Gide on the Web at

18 222 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Raise the Forest Fnctional Level to Windows Server 2003 After all domains are operating at the Windows Server 2003 fnctional level, raise the forest fnctional level to Windows Server This enables yo to take advantage of all Windows Server 2003 forest-level featres. If any domains in the forest are still operating at the Windows Server 2003 interim fnctional level, yo will be nable to raise the forest fnctional level to Windows Server Ensre that all domains are operating at the Windows Server 2003 fnctional level before yo raise the forest fnctional level. Enabling Windows Server 2003 Fnctional Levels in a Mixed Windows 2000 Environment If yor Windows 2000 forest incldes one or more domains that contain Windows NT 4.0 based domain controllers, those domains are in Windows 2000 mixed mode. Domains that inclde only Windows 2000 based domain controllers might be in Windows 2000 mixed mode or native mode. Fnctional levels in a mixed Windows 2000 forest are set by defalt when yo deploy the first Windows Server 2003 based domain controller. For more information abot deploying Windows Server 2003 in a mixed Windows 2000 environment, see Upgrading Windows 2000 Domains to Windows Server 2003 Domains in this book. Yo can introdce a Windows Server 2003 based domain controller in a mixed environment in one of two ways: By installing a new Windows Server 2003 based domain controller. By pgrading an existing Windows 2000 domain controller in the forest to Windows Server Fnctional levels are set at the following levels by defalt, and remain at these levels ntil they are raised manally: Windows 2000 mixed or Windows 2000 native domain fnctional level, depending on whether the domain was in mixed mode or native mode prior to the pgrade. Windows 2000 forest fnctional level. If the domain fnctional level is set to Windows 2000 mixed after the initial pgrade, the domain mst remain at that level for as long as Windows NT 4.0 based domain controllers are in the domain. If yo pgrade all Windows NT 4.0 based domain controllers to either Windows 2000 or Windows Server 2003 and decommission the Windows NT 4.0 based domain controllers that yo do not intend to pgrade, yo can raise the domain fnctional level to Windows 2000 native.

19 Enabling Windows Server 2003 Active Directory Fnctional Levels 223 If the domain fnctional level is set to Windows 2000 native after the initial pgrade, the domain mst remain at that level for as long as Windows 2000 based domain controllers are operating in the domain. After yo pgrade all Windows 2000 based domain controllers to Windows Server 2003, yo can raise the fnctional levels of the domains in the forest to Windows Server Before yo raise the domain fnctional level, yo mst verify that no Windows NT 4.0 based domain controllers remain in the domain. For more information abot identifying Windows NT 4.0 based domain controllers in a domain, see Enabling Windows Server 2003 Fnctional Levels in a Windows NT 4.0 Environment earlier in this chapter. If all domain controllers in the domain are rnning Windows Server 2003, yo can raise the domain fnctional level from Windows 2000 mixed to Windows Server 2003 directly. Alternatively, yo can raise the fnctional level step by step from Windows 2000 mixed to Windows 2000 native and then to Windows Server After yo pgrade all domain controllers in the forest to Windows Server 2003 and raise all domains to the Windows 2000 native or Windows Server 2003 fnctional level, yo can raise the forest fnctional level to Windows Server This atomatically raises the fnctional level of any remaining domains that are operating at the Windows 2000 native fnctional level to Windows Server Enabling Windows Server 2003 Fnctional Levels in a Native Windows 2000 Environment If the domains in yor Windows 2000 forest inclde only Windows 2000 domain controllers and are in Windows 2000 native mode, deploy a Windows Server 2003 based domain controller to enable fnctional levels. For more information abot deploying Windows Server 2003 in a Windows 2000 environment, see Upgrading Windows 2000 Domains to Windows Server 2003 Domains in this book. In an environment that contains only domain controllers rnning Windows 2000, yo can introdce a Windows Server 2003 based domain controller in one of two ways: By installing a new Windows Server 2003 based domain controller. Note This also applies to Windows NT 4.0 environments in which yo intend to deploy one or more Windows 2000 domain controllers in the ftre. After the initial pgrade, the domain mst remain at a fnctional level of Windows 2000 mixed. By pgrading an existing Windows 2000 domain controller in the forest to Windows Server 2003.

20 224 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Fnctional levels are set by defalt to the following levels, and they remain at these levels ntil they are raised manally: Windows 2000 native domain fnctional level Windows 2000 forest fnctional level Note If yor Windows 2000 forest consists solely of Windows 2000 based domain controllers, bt one or more of yor domains are operating in mixed mode, see Enabling Windows Server 2003 Fnctional Levels in a Mixed Windows 2000 Environment earlier in this chapter. To take advantage of the Windows Server 2003 domain-level featres withot waiting to complete the pgrade of yor Windows 2000 forest to Windows Server 2003, raise only the domain fnctional level to Windows Server Before yo raise the domain fnctional level, yo mst pgrade all Windows 2000 based domain controllers in the domain to Windows Server After yo pgrade all Windows 2000 based domain controllers in the forest to Windows Server 2003, make sre that the domain fnctional level of each domain is set to Windows 2000 native or higher. Then raise the forest fnctional level to Windows Server Raising the forest fnctional level to Windows Server 2003 atomatically raises the fnctional level of all domains in the forest that are set to Windows 2000 native or higher to Windows Server Enabling Windows Server 2003 Fnctional Levels in a New Windows Server 2003 Forest After yo have installed the first domain controller in a new Windows Server 2003 forest, fnctional levels are set by defalt to the following levels, and remain at these levels ntil they are raised manally: Windows 2000 mixed domain fnctional level Windows 2000 forest fnctional level Fnctional levels are set at these levels to allow yo the option of adding Windows 2000 or Windows NT 4.0 based domain controllers to yor new Windows Server 2003 forest.

21 Additional Resorces 225 After yo create a forest root domain, the domain fnctional level for each additional domain that yo add to the Windows Server 2003 forest is set to Windows 2000 mixed. After yo deploy the new Windows Server 2003 forest and the domain fnctional level is set in all domains, raise the domain fnctional level and then the forest fnctional level to Windows Server This enables yo to take advantage of all Windows Server 2003 forest- and domainlevel featres. Thereafter, all new domains that yo create are set at the Windows Server 2003 domain fnctional level. Additional Resorces These resorces contain additional information and tools related to this chapter. Related Information Deploying the Windows Server 2003 Forest Root Domain in this book. Important If the forest is operating at the Windows Server 2003 fnctional level, and yo attempt to install Active Directory on a Windows 2000 based member server, the installation will fail. If yo install Active Directory on a Windows Server 2003 based member server in order to create a new regional domain, the domain fnctional level is set to Windows Server Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory in this book. Upgrading Windows 2000 Domains to Windows Server 2003 Domains in this book. The Directory Services Gide of the Windows Server 2003 Resorce Kit (or see the Directory Services Gide on the Web at for more information abot Active Directory fnctional levels. Article , HOW TO: Raise the domain fnctional level in Windows Server 2003, in the Microsoft Knowledge Base for more information abot raising fnctional levels. To find this article, see the Microsoft Knowledge Base link on the Web Resorces page at

22 226 Chapter 5 Enabling Advanced Windows Server 2003 Active Directory Featres Related Tools ADSI Edit The ADSI Edit tool (Adsiedit.exe) is a Microsoft Management Console snap-in that yo can se to edit objects in the Active Directory database. For more information abot Adsiedit.exe, in Help and Spport Center for Windows Server 2003, click Tools, and then click Windows Spport Tools. LDP LDP provides an interface to perform LDAP operations against Active Directory. For more information abot LDP, in Help and Spport Center for Windows Server 2003, click Tools, and then click Windows Spport Tools. Related Help Topics For best reslts in identifying Help topics by title, in Help and Spport Center, nder the Search box, click Set search options. Under Help Topics, select the Search in title only check box. New featres for Active Directory in Help and Spport Center for Windows Server 2003 for more information abot the defalt Active Directory featres that are available on any Windows Server 2003 domain controller. Raising domain and forest fnctional levels in Help and Spport Center for Windows Server 2003 for more information abot raising fnctional levels. Related Job Aids Domain Controller Assessment (DSSPFL_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see Domain Controller Assessment on the Web at