Domains can operate at three functional levels: Windows 2000 mixed (the default setting, which includes domain controllers running Windows 2000, Windows NT Server 4.0, and Windows Server 2003), Windows 2000 native (which includes domain controllers running Windows 2000 and Windows Server 2003), and Windows Server 2003 (which only includes domain controllers running Windows Server 2003).
Once all domain controllers are running on Windows Server 2003, you can raise the Domain and Forest Functionality to Windows Server 2003 by opening Active Directory Domains and Trusts, right-clicking the domain for which you want to raise functionality, and then clicking Raise Domain Functional Level.
Note that once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.
The following table describes the domain-wide features that are enabled for the corresponding domain functional level:

| Domain Feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003 |
|---|---|---|---|
| Domain controller rename tool | Disabled | Disabled | Enabled |
| Update logon timestamp | Disabled | Disabled | Enabled |
| Kerberos KDC key version numbers | Disabled | Disabled | Enabled |
| User password on InetOrgPerson object | Disabled | Disabled | Enabled |
| Universal Groups | Enabled for distribution groups. Disabled for security groups. | Enabled. Allows both security and distribution groups. | Enabled. Allows both security and distribution groups. |
| Group Nesting | Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members. | Enabled. Allows full group nesting. | Enabled. Allows full group nesting. |
| Converting Groups | Disabled. No group conversions allowed. | Enabled. Allows conversion between security groups and distribution groups. | Enabled. Allows conversion between security groups and distribution groups. |
| SID History | Disabled | Enabled. Allows migration of security principals from one domain to another. | Enabled. Allows migration of security principals from one domain to another. |

Table 2 Domain-wide Features Enabled for Corresponding Domain Functional Level

Raising Forest Functional Levels
Forest functionality enables features across all the domains within your forest. Two forest functional levels are available: Windows 2000 (which supports domain controllers running Windows NT 4, Windows 2000, and Windows Server 2003) and Windows Server 2003 (which only supports domain controllers running Windows Server 2003). If you are upgrading your first Windows NT domain so that it becomes the first domain in a new Windows Server 2003 forest, there is an additional forest functional level that you can choose called Windows Server 2003 interim mode.
By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003. Once the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest.
The following table describes the forest-wide features that are enabled for the corresponding forest functional levels:

| Forest Feature | Windows 2000 | Windows Server 2003 |
|---|---|---|
| Global catalog replication tuning | Disabled | Enabled |
| Defunct schema objects | Disabled | Enabled |
| Forest trust | Disabled | Enabled |
| Linked value replication | Disabled | Enabled |
| Domain rename | Disabled | Enabled |
| Improved replication algorithms | Disabled | Enabled |
| Dynamic auxiliary classes | Disabled | Enabled |
| InetOrgPerson objectClass change | Disabled | Enabled |

Table 3 Forest-wide Features Enabled for Corresponding Forest Functional Level
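
The raise rules from both sections, as an added example (not Microsoft's code): it checks a domain controller inventory against the operating systems each level admits and lists the Table 2 features a raise would enable. The inventory, DC names and domain names are constructed, and the function names are hypothetical.

```python
# Added example: readiness check for raising a functional level (constructed data).

DOMAIN_LEVELS = ["Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003"]

# DC operating systems each domain functional level admits (from the text).
ALLOWED_OS = {
    "Windows 2000 mixed": {"Windows NT Server 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows 2000 native": {"Windows 2000", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}

# Lowest domain level at which each Table 2 feature is fully enabled.
FEATURE_LEVEL = {
    "Universal Groups (security groups)": "Windows 2000 native",
    "Group Nesting (full)": "Windows 2000 native",
    "Converting Groups": "Windows 2000 native",
    "SID History": "Windows 2000 native",
    "Domain controller rename tool": "Windows Server 2003",
    "Update logon timestamp": "Windows Server 2003",
    "Kerberos KDC key version numbers": "Windows Server 2003",
    "User password on InetOrgPerson object": "Windows Server 2003",
}

def blockers(dcs, target):
    """DCs whose operating system the target level does not admit."""
    return sorted(name for name, os_name in dcs.items()
                  if os_name not in ALLOWED_OS[target])

def newly_enabled(current, target):
    """Table 2 features switched on by moving from current to target."""
    lo, hi = DOMAIN_LEVELS.index(current), DOMAIN_LEVELS.index(target)
    return sorted(f for f, lvl in FEATURE_LEVEL.items()
                  if lo < DOMAIN_LEVELS.index(lvl) <= hi)

def forest_ready(domains):
    """Forest level Windows Server 2003 needs every DC in every domain on it."""
    return all(not blockers(dcs, "Windows Server 2003") for dcs in domains.values())

# Constructed sample inventory: domain -> {DC name -> operating system}.
SAMPLE_FOREST = {
    "corp.example": {"DC1": "Windows Server 2003", "DC2": "Windows 2000"},
    "eu.corp.example": {"DC3": "Windows Server 2003"},
}

if __name__ == "__main__":
    dcs = SAMPLE_FOREST["corp.example"]
    print(blockers(dcs, "Windows Server 2003"))      # DCs to upgrade first
    print(newly_enabled("Windows 2000 mixed", "Windows 2000 native"))
    print(forest_ready(SAMPLE_FOREST))
```

Reviewing the `newly_enabled` output before a raise shows which domain-wide behaviours change, such as SID History becoming available at Windows 2000 native.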