Enabling advanced Active Directory features involves identifying the operating systems that are running on the domain controllers in your environment and the functional level that best meets the needs of your organization based on your existing infrastructure, and raising the domain or forest functional level as appropriate. Figure 5.1 shows the process for enabling advanced Active Directory features.
Figure 5.1 Enabling Advanced Active Directory Features
Functional Levels Background Information
Windows Server 2003 Active Directory functional levels expand on the mixed and native modes introduced in the Windows 2000 operating system. In Windows 2000, a mixed mode domain supports domain controllers running either Windows 2000 or the Windows NT 4.0 operating system. Domains in native mode only support Windows 2000–based domain controllers. If all domain controllers in a mixed mode domain are upgraded to Windows 2000, the domain administrator can change the mode to native, making additional Windows 2000 features available.
In Windows Server 2003, the functional level of a domain or forest defines the set of advanced Windows Server 2003 Active Directory features that are available in that domain or forest. The functional level of a domain or forest also defines the set of Windows operating systems that can run on the domain controllers in that domain or forest.
Note
The functional level of a domain or forest defines only the set of Windows operating systems that can run on domain controllers. It does not define the client operating systems that are supported in the forest.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. Table 5.1 summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003.
Table 5.1 Default Windows Server 2003 Active Directory Features
| Feature | Functionality |
|---|---|
| Multiple selection of user objects | Allows you to modify common attributes of multiple user objects at one time. |
| Drag and drop functionality | Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group. |
| Efficient search capabilities | Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects. |
| Saved queries | Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers. |
| Active Directory command-line tools | Allows you to run new directory service commands for administration scenarios. |
| InetOrgPerson class | The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. |
| Application directory partitions | Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication. |
| Ability to add additional domain controllers by using backup media | Reduces the time it takes to add an additional domain controller in an existing domain by using backup media. |
| Universal group membership caching | Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller. |
| Secure Lightweight Directory Access Protocol (LDAP) traffic | Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. |
| Partial synchronization of the global catalog | Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog. |
| Active Directory quotas | Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Administrators and Enterprise Administrators groups are exempt from quotas. |
For more information about the default Active Directory features that are available on any Windows Server 2003 domain controller, see “New features for Active Directory” in Help and Support Center for Windows Server 2003.
When the first Windows Server 2003–based domain controller is deployed in a domain or forest, the domain or forest operates by default at the lowest functional level that is possible in that environment. This allows you to take advantage of the default Active Directory features while running versions of Windows earlier than Windows Server 2003.
When you raise the functional level of a domain or forest, a set of advanced features becomes available. For example, the Windows Server 2003 interim forest functional level supports more features than the Windows 2000 forest functional level, but fewer features than the Windows Server 2003 forest functional level supports. Windows Server 2003 is the highest functional level that is available for a domain or forest. The Windows Server 2003 functional level supports the most advanced Active Directory features; however, only Windows Server 2003 domain controllers can operate in that domain or forest.
If you raise the domain functional level to Windows Server 2003, you cannot introduce any domain controllers that are running versions of Windows earlier than Windows Server 2003 into that domain. This applies to the forest functional level as well.
Table 5.2 lists the Windows Server 2003 domain functional levels, the operating systems that they support, and the Windows Server 2003 features that are available at each domain functional level.
Table 5.2 Windows Server 2003 Domain Functional Levels
| Windows Server 2003 Domain Functional Level | Supported Domain Controller Operating Systems | Advanced Features Available at Each Domain Functional Level |
|---|---|---|
| Windows 2000 mixed | Windows NT 4.0, Windows 2000, Windows Server 2003 | All default Active Directory features, and: universal groups are enabled for distribution groups, but are disabled for security groups. |
| Windows 2000 native | Windows 2000, Windows Server 2003 | All default Active Directory features, all features from the Windows 2000 mixed domain functional level, and: universal groups are enabled for both distribution and security groups; group conversion is enabled, allowing conversion between security and distribution groups; group nesting is available, allowing nesting of groups within other groups; security identifier (SID) history is available, allowing the migration of security principals from one domain to another. |
| Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 | Same as Windows 2000 mixed. |
| Windows Server 2003 | Windows Server 2003 | All default Active Directory features, all features from the Windows 2000 native domain functional level, and: supports new functionality of the netdom.exe tool to prepare domain controllers for rename (it is recommended that you rename a domain controller by using netdom.exe to ensure that all appropriate steps are taken); enables updates to the logon timestamp attribute (the lastLogonTimestamp attribute is updated with the last logon time of the user or computer and is replicated within the domain); provides the ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects; provides the ability to redirect the Users and Computers containers in order to define a new well-known location for user and computer accounts; allows Authorization Manager to store its authorization policies in Active Directory; includes constrained delegation, which allows applications to take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol (delegation can be configured to be allowed only to specific destination services); supports selective authentication, by which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest. |
Table 5.3 lists the Windows Server 2003 forest functional levels, the operating systems that they support, and the Windows Server 2003 features that are available at each forest functional level.
Table 5.3 Windows Server 2003 Forest Functional Levels
| Windows Server 2003 Forest Functional Level | Supported Domain Controller Operating Systems | Advanced Features Available at Each Forest Functional Level |
|---|---|---|
| Windows 2000 | Windows NT 4.0, Windows 2000, Windows Server 2003 | All default Active Directory features. |
| Windows Server 2003 interim | Windows NT 4.0, Windows Server 2003 | All default Active Directory features, and: linked value replication; improved KCC algorithms and scalability; the following attributes included in the global catalog: Ms-DS-Trust-Forest-Trust-Info, Trust-Direction, Trust-Attributes, Trust-Type, Trust-Partner, Security-Identifier, Ms-DS-Entry-Time-To-Die, MSMQ-Secured-Source, MSMQ-Multicast-Address, Print-Memory, Print-Rate, Print-Rate-Unit, MS-DRM-Identity-Certificate. |
| Windows Server 2003 | Windows Server 2003 | All Active Directory features available at the Windows Server 2003 interim level, and: the ability to create instances of the dynamic auxiliary class called dynamicObject in a domain naming context; the ability to convert an inetOrgPerson object instance into a User object instance and vice versa; the ability to create instances of the new group types basic and query based, used by the role-based Authorization Manager; deactivation and redefinition of attributes and classes in the schema; forest trust; domain rename. |
Guidelines for Raising Domain Functional Levels
The following guidelines apply to raising the domain functional level:
You must be a member of the Domain Admins group to raise the domain functional level.
You can raise the domain functional level on the primary domain controller (PDC) emulator operations master only. The Active Directory administrative tools used to raise the domain functional level (Active Directory Domains and Trusts and Active Directory Users and Computers) automatically target the PDC emulator when you raise the domain functional level.
You can raise the functional level of a domain only if all domain controllers in the domain are running the version or versions of Windows that the new functional level supports.
You cannot lower the functional level of a domain after it has been raised.
Guidelines for Raising Forest Functional Levels
The following guidelines apply to raising the forest functional level:
You must be a member of the Enterprise Admins group to raise the forest functional level.
You can raise the forest functional level on the schema operations master only. The Active Directory Domains and Trusts console automatically targets the schema operations master when you raise the forest functional level.
You can raise the functional level of a forest only if all domain controllers in the forest are running the version or versions of Windows that the new functional level supports.
You can raise the forest to the Windows Server 2003 functional level only if all domains are at either the Windows 2000 native or Windows Server 2003 functional level.
You cannot lower the functional level of a forest after it has been raised.
Important
Raising the domain or forest functional level is a one-way operation that cannot be reversed. If you need to revert to a lower functional level, you must rebuild the domain or forest or restore it from a backup. For more information about domain and forest recovery, see the Best Practices: Active Directory Forest Recovery link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
When you raise the forest functional level to Windows Server 2003, Active Directory automatically raises all domains that are operating at the Windows 2000 native domain functional level to the Windows Server 2003 domain functional level. However, if any domains in your environment are operating at the Windows 2000 mixed domain functional level, you cannot raise the forest functional level to Windows Server 2003.
For more information about raising functional levels, see “Raising domain and forest functional levels” in Help and Support Center for Windows Server 2003.
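Because a raise cannot be undone, it is worth checking the preconditions from Tables 5.2 and 5.3 and the guidelines above before touching the console. The following pre-flight check is an added example and is not part of the Deployment Kit or of any Microsoft tool: it encodes those rules against an inventory you supply, so it runs without a domain. The inventory shape (Name, OperatingSystem, DomainMode, DomainControllers) and the function names Test-DomainLevelRaise and Test-ForestLevelRaise are this example's own; the closing comment shows how the ActiveDirectory module cmdlets Get-ADForest, Get-ADDomain and Get-ADDomainController (which shipped with later Windows Server releases, not with Windows Server 2003) can populate it.

```powershell
# Added example, not from the Windows Server 2003 Deployment Kit. Function names and
# inventory shape are this example's own; level/OS pairs come from Tables 5.2 and 5.3.

# Domain controller operating systems each domain functional level supports (Table 5.2).
$DomainLevelSupportedOS = @{
    'Windows 2000 mixed'          = @('Windows NT 4.0', 'Windows 2000', 'Windows Server 2003')
    'Windows 2000 native'         = @('Windows 2000', 'Windows Server 2003')
    'Windows Server 2003 interim' = @('Windows NT 4.0', 'Windows Server 2003')
    'Windows Server 2003'         = @('Windows Server 2003')
}
# Same for the forest functional levels (Table 5.3).
$ForestLevelSupportedOS = @{
    'Windows 2000'                = @('Windows NT 4.0', 'Windows 2000', 'Windows Server 2003')
    'Windows Server 2003 interim' = @('Windows NT 4.0', 'Windows Server 2003')
    'Windows Server 2003'         = @('Windows Server 2003')
}
# Relative ordering, used to refuse anything that is not an upward move (levels cannot be lowered).
$LevelRank = @{
    'Windows 2000 mixed' = 0; 'Windows 2000' = 0; 'Windows 2000 native' = 1
    'Windows Server 2003 interim' = 1; 'Windows Server 2003' = 2
}

function Test-DomainLevelRaise {
    param(
        [Parameter(Mandatory)][string]$CurrentLevel,
        [Parameter(Mandatory)][string]$TargetLevel,
        # Each entry: @{ Name = 'DC01'; OperatingSystem = 'Windows Server 2003' }
        [Parameter(Mandatory)][object[]]$DomainControllers
    )
    $problems = @()
    if (-not $DomainLevelSupportedOS.ContainsKey($TargetLevel)) {
        $problems += "Unknown domain functional level '$TargetLevel'."
    } elseif ($LevelRank[$TargetLevel] -le $LevelRank[$CurrentLevel]) {
        $problems += "'$CurrentLevel' -> '$TargetLevel' is not a raise; functional levels cannot be lowered."
    } else {
        # Every DC in the domain must run an OS the target level supports.
        $allowed = $DomainLevelSupportedOS[$TargetLevel]
        foreach ($dc in $DomainControllers) {
            if ($allowed -notcontains $dc.OperatingSystem) {
                $problems += "$($dc.Name) runs $($dc.OperatingSystem), which '$TargetLevel' does not support."
            }
        }
    }
    [pscustomobject]@{ CanRaise = ($problems.Count -eq 0); Problems = $problems }
}

function Test-ForestLevelRaise {
    param(
        [Parameter(Mandatory)][string]$CurrentLevel,
        [Parameter(Mandatory)][string]$TargetLevel,
        # Each entry: @{ Name = 'corp.example.com'; DomainMode = '<domain level>'; DomainControllers = @(...) }
        [Parameter(Mandatory)][object[]]$Domains
    )
    $problems = @()
    if (-not $ForestLevelSupportedOS.ContainsKey($TargetLevel)) {
        $problems += "Unknown forest functional level '$TargetLevel'."
    } elseif ($LevelRank[$TargetLevel] -le $LevelRank[$CurrentLevel]) {
        $problems += "'$CurrentLevel' -> '$TargetLevel' is not a raise; functional levels cannot be lowered."
    } else {
        $allowed = $ForestLevelSupportedOS[$TargetLevel]
        foreach ($domain in $Domains) {
            foreach ($dc in $domain.DomainControllers) {
                if ($allowed -notcontains $dc.OperatingSystem) {
                    $problems += "$($domain.Name): $($dc.Name) runs $($dc.OperatingSystem), which '$TargetLevel' does not support."
                }
            }
            # The Windows Server 2003 forest level needs every domain at Windows 2000 native or Windows Server 2003.
            if ($TargetLevel -eq 'Windows Server 2003' -and
                $domain.DomainMode -notin @('Windows 2000 native', 'Windows Server 2003')) {
                $problems += "$($domain.Name) is at '$($domain.DomainMode)'; it must be at Windows 2000 native or Windows Server 2003 first."
            }
        }
    }
    # Domains still at Windows 2000 native are raised to Windows Server 2003 along with the forest.
    $autoRaised = @()
    if ($TargetLevel -eq 'Windows Server 2003') {
        $autoRaised = @($Domains | Where-Object { $_.DomainMode -eq 'Windows 2000 native' } | ForEach-Object { $_.Name })
    }
    [pscustomobject]@{ CanRaise = ($problems.Count -eq 0); Problems = $problems; DomainsRaisedAutomatically = $autoRaised }
}

# Constructed sample inventory (not a real environment).
$corp = @{
    Name = 'corp.example.com'; DomainMode = 'Windows 2000 native'
    DomainControllers = @(
        @{ Name = 'DC01'; OperatingSystem = 'Windows Server 2003' },
        @{ Name = 'DC02'; OperatingSystem = 'Windows 2000' }
    )
}
$branch = @{
    Name = 'branch.corp.example.com'; DomainMode = 'Windows 2000 mixed'
    DomainControllers = @(@{ Name = 'BDC01'; OperatingSystem = 'Windows NT 4.0' })
}

# CanRaise is False: DC02 still runs Windows 2000.
Test-DomainLevelRaise -CurrentLevel $corp.DomainMode -TargetLevel 'Windows Server 2003' -DomainControllers $corp.DomainControllers | Format-List
# CanRaise is False: DC02 and BDC01 are unsupported and the branch domain is still at Windows 2000 mixed;
# corp.example.com is listed as the domain that would be raised automatically once the forest can move.
Test-ForestLevelRaise -CurrentLevel 'Windows 2000' -TargetLevel 'Windows Server 2003' -Domains @($corp, $branch) | Format-List

# Live inventory on a host with the ActiveDirectory module. The module reports modes as enum
# names (Windows2000Domain, Windows2003Domain, ...), so map them to the table names above first.
#   Import-Module ActiveDirectory
#   $domains = foreach ($d in (Get-ADForest).Domains) {
#       @{ Name = $d; DomainMode = [string](Get-ADDomain -Identity $d).DomainMode
#          DomainControllers = @(Get-ADDomainController -Filter * -Server $d |
#              ForEach-Object { @{ Name = $_.Name; OperatingSystem = $_.OperatingSystem } }) }
#   }
```

Run the domain check against the PDC emulator's view of the domain and the forest check against the schema master's, since those are the roles the raise is applied to; anything in Problems means the console (or Set-ADDomainMode / Set-ADForestMode on later releases) would refuse or, worse, that a domain controller would be left on an operating system the new level no longer supports.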