After you assess your current environment, identify the functional level scenario — Windows NT 4.0 environment, Windows 2000 mixed-mode environment, Windows 2000 native-mode environment, or new Windows Server 2003 forest — that applies to your organization.
Windows NT 4.0 environment
You have a pure Windows NT 4.0 environment consisting of one or more Windows NT 4.0 PDCs and backup domain controllers (BDCs). You want to upgrade directly to Windows Server 2003 and take advantage of all Windows Server 2003 forest- and domain-level features without deploying any Windows 2000 domain controllers in the environment.
Windows 2000 mixed mode environment
You have a mixed mode Windows 2000 domain that includes both Windows 2000 and Windows NT 4.0–based domain controllers. You want to upgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level features.
Windows 2000 native mode environment
You have a native mode Windows 2000 domain consisting of only Windows 2000–based domain controllers. You want to upgrade to Windows Server 2003 to take advantage of all Windows Server 2003 forest- and domain-level features.
New Windows Server 2003 forest
You are creating a new Windows Server 2003 forest by installing Active Directory on a Windows Server 2003–based member server. You want to take advantage of all Windows Server 2003 forest- and domain-level features.
Enabling Windows Server 2003 Active Directory Functional Levels
Enabling advanced Windows Server 2003 Active Directory features in your environment involves installing Windows Server 2003 Active Directory, determining the functional level that is appropriate for your environment, and then raising domain and forest functional levels to meet your requirements. If you choose to raise your existing infrastructure to the Windows Server 2003 functional level, you can take advantage of all the Windows Server 2003 Active Directory features that are available.
You can determine the current domain functional level by viewing the properties of the domain object in either Active Directory Users and Computers or Active Directory Domains and Trusts. You can determine the current forest functional level by using Active Directory Domains and Trusts to view the properties of the Active Directory Domains and Trusts node.
To raise the forest functional level to Windows Server 2003, use Active Directory Domains and Trusts. To raise the domain functional level to Windows Server 2003 or Windows 2000 native, use Active Directory Domains and Trusts or Active Directory Users and Computers. For more information about how to view and raise domain and forest functional levels, see “Raise the domain functional level” and “Raise the forest functional level” in Help and Support Center for Windows Server 2003.
Figure 5.4 Enabling Windows Server 2003 Active Directory Functional Levels
Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0 Environment
If all of the domain controllers in your environment are running Windows NT 4.0, and you plan to upgrade them to Windows Server 2003 without ever upgrading to Windows 2000 or installing a new Windows 2000–based domain controller, maintain the Windows Server 2003 interim functional level in your domains and forest until you upgrade all Windows NT 4.0 domain controllers to Windows Server 2003.
Important
If you choose to raise the forest and domain functional level to Windows Server 2003 interim, you cannot return to the Windows 2000 mixed domain functional level or the Windows 2000 forest functional level, and therefore you cannot add Windows 2000–based domain controllers to the forest.
For more information about deploying Windows Server 2003 in a Windows NT 4.0 environment, see “Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
If you intend to add one or more Windows 2000–based domain controllers instead of having only domain controllers running Windows Server 2003 in your environment, see “Enabling Windows Server 2003 Functional Levels in a Mixed Windows 2000 Forest” later in this chapter.
Important
If you are running Windows NT 4.0 or Windows 2000 domain controllers in your environment, do not raise the functional level of your domain or forest to Windows Server 2003. You cannot operate at the Windows Server 2003 functional level until all of your domain controllers are running Windows Server 2003.
Windows 2000 Active Directory group replication limits the size of groups in a Windows 2000 forest. You must divide groups that include more than 5,000 members into smaller groups when you upgrade to Windows 2000. The Windows Server 2003 interim forest functional level is ideal if the groups in any domains in your existing Windows NT 4.0 environment include more than 5,000 members. When you are operating at the Windows Server 2003 interim functional level, you can take advantage of group membership replication improvements, which support large groups of more than 5,000 members.
When upgrading your Windows NT 4.0 environment to Windows Server 2003, you can choose to do one of the following:
Upgrade to a regional domain in an existing Windows Server 2003 forest.
Upgrade to a single domain forest.
Whether you decide to upgrade to a regional domain in an existing Windows Server 2003 forest or upgrade to a single domain forest, if you choose to raise the forest functional level to Windows Server 2003 interim, you must remain at the Windows Server 2003 interim functional level until you upgrade all other Windows NT 4.0–based domain controllers to Windows Server 2003 or retire them from service. The Windows Server 2003 interim functional level supports both Windows NT 4.0–based domain controllers and Windows Server 2003–based domain controllers.
Upgrading to a Regional Domain in an Existing Windows Server 2003 Forest
When you upgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest, it is recommended that you raise the forest functional level of the existing forest to Windows Server 2003 interim before upgrading the Windows NT 4.0 PDC to take advantage of the added features of the Windows Server 2003 interim functional level. After you raise the forest functional level of the existing forest to Windows Server 2003 interim, the domain functional level of the forest root domain and all subsequent regional domains is set by default to Windows Server 2003 interim.
When you upgrade a Windows NT 4.0 domain to a regional domain in an existing Windows Server 2003 forest, where the forest functional level is set to Windows 2000, functional levels are set in the new regional domain to the following by default, and they remain in effect until you raise them manually:
You cannot use Active Directory administrative consoles to raise the forest functional level of the existing Windows Server 2003 forest root domain to Windows Server 2003 interim. Instead, use a Lightweight Directory Access Protocol (LDAP) application such as ADSI Edit or LDP in Windows Support Tools to edit the value of the msDS-Behavior-Version attribute.
To raise the forest functional level of the existing forest to Windows Server 2003 interim by using ADSI Edit
In ADSI Edit, expand the Configuration partition, and expand CN=Configuration,DC=forestname,DC=domainname,DC=com.
Right-click CN=Partitions, and then click Properties.
Select the msDS-Behavior-Version attribute.
Click Edit.
In the Value field, type 1 to raise the forest functional level to Windows Server 2003 interim.
Click OK.
After you raise the forest functional level to Windows Server 2003 interim forest, you cannot add Windows 2000–based domain controllers to the forest.
If you are deploying a new Windows Server 2003 forest root domain and are planning to upgrade a Windows NT 4.0 domain to a regional domain in this new environment, after you raise the forest functional level to Windows Server 2003 interim, upgrade the Windows NT 4.0 domain to Windows Server 2003. Select Child domain in an existing domain tree when prompted by the Active Directory Installation Wizard.
For more information about deploying a Windows Server 2003 forest root domain, see “Deploying the Windows Server 2003 Forest Root Domain” in this book.
Upgrading to a Single Domain Forest
When upgrading to a new Windows Server 2003 single domain forest by upgrading an existing Windows NT 4.0 PDC to Windows Server 2003, you are prompted to use the Active Directory Installation Wizard to install Active Directory. The wizard gives you the option of setting the forest functional level to Windows Server 2003 interim during the Active Directory installation process.
If you set the functional level during the Active Directory installation, both the domain and forest will be set at Windows Server 2003 interim after the installation process is complete and the computer is restarted.
Important
If you do not set the functional level to Windows Server 2003 interim during the Active Directory installation process, functional levels are set by default to the following:
Windows 2000 forest functional level
Windows 2000 mixed domain functional level
Use the preceding procedure to use ADSI Edit to manually raise the forest functional level to Windows Server 2003 interim after the Active Directory installation process is complete and the computer is restarted.
Raise the Domain Functional Level to Windows Server 2003
After you upgrade all Windows NT 4.0–based domain controllers in a domain to Windows Server 2003, you can raise the functional level of each domain in the forest to Windows Server 2003. Before you raise the domain functional level, however, you must ensure that no Windows NT 4.0–based domain controllers remain in the domain.
WARNING
If Windows NT 4.0–based domain controllers are running in a domain when you raise the domain functional level to Windows Server 2003, they will no longer be able to communicate with the new Windows Server 2003 domain controllers and will not receive necessary updates.
Use the following LDAP query to identify any Windows NT 4.0 domain controllers remaining in the domain. Run the LDAP query against the Domain container in Active Directory Users and Computers. If you have not manually changed the value of the operatingSystemVersion attribute of the computer object, this query is conclusive for domain controllers running Windows NT 4.0. You must be a member of the Domain Admins group to run the following query.
To identify Windows NT 4.0–based domain controllers in a domain
From any Windows Server 2003–based domain controller, open Active Directory Users and Computers.
If the domain controller is not already connected to the appropriate domain, connect it to the domain as follows:
Right-click the current domain object, and then click Connect to domain.
In the Domain dialog box, type the DNS name of the domain that you want to connect to, or click Browse to select the domain from the domain tree, and then click OK.
Right-click the domain object, and then click Find.
In the Find dialog box, click Custom Search.
Click the domain for which you want to change the functional level.
Click the Advanced tab.
In the Enter LDAP query box, type the following, leaving no spaces between any characters (the query is not case-sensitive):
(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))
Click Find Now. This produces a list of the computers in the domain that are running Windows NT 4.0 and functioning as domain controllers.
A domain controller might appear in the list for any of the following reasons:
The domain controller is running Windows NT 4.0 and must be upgraded.
The domain controller has been upgraded to Windows Server 2003, but the change has not replicated to the target domain controller.
The domain controller is no longer in service, but its computer object has not been removed from the domain.
Before you can change the domain functional level to Windows Server 2003, you must physically locate any domain controller in the list, determine its current status, and either upgrade or remove the domain controller as appropriate.
For more information about LDAP queries, see the Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://www.microsoft.com/reskit).
Raise the Forest Functional Level to Windows Server 2003
After all domains are operating at the Windows Server 2003 functional level, raise the forest functional level to Windows Server 2003. This enables you to take advantage of all Windows Server 2003 forest-level features.
If any domains in the forest are still operating at the Windows Server 2003 interim functional level, you will be unable to raise the forest functional level to Windows Server 2003. Ensure that all domains are operating at the Windows Server 2003 functional level before you raise the forest functional level.
Enabling Windows Server 2003 Functional Levels in a Mixed Windows 2000 Environment
If your Windows 2000 forest includes one or more domains that contain Windows NT 4.0–based domain controllers, those domains are in Windows 2000 mixed mode. Domains that include only Windows 2000–based domain controllers might be in Windows 2000 mixed mode or native mode. Functional levels in a mixed Windows 2000 forest are set by default when you deploy the first Windows Server 2003–based domain controller.
For more information about deploying Windows Server 2003 in a mixed Windows 2000 environment, see “Upgrading Windows 2000 Domains to Windows Server 2003 Domains” in this book.
You can introduce a Windows Server 2003–based domain controller in a mixed environment in one of two ways:
By installing a new Windows Server 2003–based domain controller.
By upgrading an existing Windows 2000 domain controller in the forest to Windows Server 2003.
Functional levels are set at the following levels by default, and remain at these levels until they are raised manually:
Windows 2000 mixed or Windows 2000 native domain functional level, depending on whether the domain was in mixed mode or native mode prior to the upgrade.
Windows 2000 forest functional level.
If the domain functional level is set to Windows 2000 mixed after the initial upgrade, the domain must remain at that level for as long as Windows NT 4.0–based domain controllers are in the domain. If you upgrade all Windows NT 4.0–based domain controllers to either Windows 2000 or Windows Server 2003 and decommission the Windows NT 4.0–based domain controllers that you do not intend to upgrade, you can raise the domain functional level to Windows 2000 native.
If the domain functional level is set to Windows 2000 native after the initial upgrade, the domain must remain at that level for as long as Windows 2000–based domain controllers are operating in the domain.
Note
This also applies to Windows NT 4.0 environments in which you intend to deploy one or more Windows 2000 domain controllers in the future. After the initial upgrade, the domain must remain at a functional level of Windows 2000 mixed.
After you upgrade all Windows 2000–based domain controllers to Windows Server 2003, you can raise the functional levels of the domains in the forest to Windows Server 2003. Before you raise the domain functional level, you must verify that no Windows NT 4.0–based domain controllers remain in the domain. For more information about identifying Windows NT 4.0–based domain controllers in a domain, see “Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0 Environment” earlier in this chapter.
If all domain controllers in the domain are running Windows Server 2003, you can raise the domain functional level from Windows 2000 mixed to Windows Server 2003 directly. Alternatively, you can raise the functional level step by step — from Windows 2000 mixed to Windows 2000 native and then to Windows Server 2003.
After you upgrade all domain controllers in the forest to Windows Server 2003 and raise all domains to the Windows 2000 native or Windows Server 2003 functional level, you can raise the forest functional level to Windows Server 2003. This automatically raises the functional level of any remaining domains that are operating at the Windows 2000 native functional level to Windows Server 2003.
Enabling Windows Server 2003 Functional Levels in a Native Windows 2000 Environment
If the domains in your Windows 2000 forest include only Windows 2000 domain controllers and are in Windows 2000 native mode, deploy a Windows Server 2003–based domain controller to enable functional levels.
For more information about deploying Windows Server 2003 in a Windows 2000 environment, see “Upgrading Windows 2000 Domains to Windows Server 2003 Domains” in this book.
In an environment that contains only domain controllers running Windows 2000, you can introduce a Windows Server 2003–based domain controller in one of two ways:
By installing a new Windows Server 2003–based domain controller.
By upgrading an existing Windows 2000 domain controller in the forest to Windows Server 2003.
Functional levels are set by default to the following levels, and they remain at these levels until they are raised manually:
Windows 2000 native domain functional level
Windows 2000 forest functional level
Note
If your Windows 2000 forest consists solely of Windows 2000–based domain controllers, but one or more of your domains are operating in mixed mode, see “Enabling Windows Server 2003 Functional Levels in a Mixed Windows 2000 Environment” earlier in this chapter.
To take advantage of the Windows Server 2003 domain-level features without waiting to complete the upgrade of your Windows 2000 forest to Windows Server 2003, raise only the domain functional level to Windows Server 2003. Before you raise the domain functional level, you must upgrade all Windows 2000–based domain controllers in the domain to Windows Server 2003.
After you upgrade all Windows 2000–based domain controllers in the forest to Windows Server 2003, make sure that the domain functional level of each domain is set to Windows 2000 native or higher. Then raise the forest functional level to Windows Server 2003. Raising the forest functional level to Windows Server 2003 automatically raises the functional level of all domains in the forest that are set to Windows 2000 native or higher to Windows Server 2003.
Enabling Windows Server 2003 Functional Levels in a New Windows Server 2003 Forest
After you have installed the first domain controller in a new Windows Server 2003 forest, functional levels are set by default to the following levels, and remain at these levels until they are raised manually:
Windows 2000 mixed domain functional level
Windows 2000 forest functional level
Functional levels are set at these levels to allow you the option of adding Windows 2000 or Windows NT 4.0–based domain controllers to your new Windows Server 2003 forest.
After you create a forest root domain, the domain functional level for each additional domain that you add to the Windows Server 2003 forest is set to Windows 2000 mixed.
Important
If the forest is operating at the Windows Server 2003 functional level, and you attempt to install Active Directory on a Windows 2000–based member server, the installation will fail. If you install Active Directory on a Windows Server 2003–based member server in order to create a new regional domain, the domain functional level is set to Windows Server 2003.
After you deploy the new Windows Server 2003 forest and the domain functional level is set in all domains, raise the domain functional level and then the forest functional level to Windows Server 2003. This enables you to take advantage of all Windows Server 2003 forest- and domain-level features. Thereafter, all new domains that you create are set at the Windows Server 2003 domain functional level.
These resources contain additional information and tools related to this chapter.
Related Information
“Deploying the Windows Server 2003 Forest Root Domain” in this book.
“Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory” in this book.
“Upgrading Windows 2000 Domains to Windows Server 2003 Domains” in this book.
The Directory Services Guide of the Windows Server 2003 Resource Kit (or see the Directory Services Guide on the Web at http://www.microsoft.com/reskit) for more information about Active Directory functional levels.
Article 322692, “HOW TO: Raise the domain functional level in Windows Server 2003,” in the Microsoft Knowledge Base for more information about raising functional levels. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Related Tools
The ADSI Edit tool (Adsiedit.exe) is a Microsoft Management Console snap-in that you can use to edit objects in the Active Directory database. For more information about Adsiedit.exe, in Help and Support Center for Windows Server 2003, click Tools, and then click Windows Support Tools.
LDP provides an interface to perform LDAP operations against Active Directory. For more information about LDP, in Help and Support Center for Windows Server 2003, click Tools, and then click Windows Support Tools.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click Set search options. Under Help Topics, select the Search in title only check box.
“New features for Active Directory” in Help and Support Center for Windows Server 2003 for more information about the default Active Directory features that are available on any Windows Server 2003 domain controller.
“Raising domain and forest functional levels” in Help and Support Center for Windows Server 2003 for more information about raising functional levels.
Related Job Aids
“Domain Controller Assessment” (DSSPFL_1.doc) on the Windows Server 2003 Deployment Kit companion CD (or see “Domain Controller Assessment” on the Web at http://microsoft.com/reskit).
|
