New Active Directory Features in Windows Server 2003, Part 1

By Dan DiNicolo (Send Email)
Posted May 28, 2003


Although many people have already decided that Windows Server 2003 is no more than a minor revision of Windows 2000, this new version includes a number of new features, tools, and services. Although the server is built on the foundation provided by Windows 2000, many of these new elements are ones that organizations, especially larger ones, will want to be aware of.

In this two-part series, Dan DiNicolo discusses what's new in Windows Server 2003's Active Directory. Part 1 examines domain and forest functional levels, as well as the ability to rename and reposition domains and domain controllers.

The goal of this article and the subsequent one is to provide an overview of some of the new features found in Windows Server 2003, specifically those associated with its directory service, Active Directory. In this first article we'll examine domain and forest functional levels, as well as the ability to rename and reposition domains and domain controllers.

In Part 2, we'll examine new features like cross-forest trust relationships, universal group caching, and changes to some of the Active Directory tools with which you are most likely already familiar.

Whether you're in the process of evaluating this operating system or beginning to think about upgrading your MCSA or MCSE to the Windows Server 2003 track, you'll want to be familiar with these concepts.

Domain and Forest Functional Levels

Those familiar with Active Directory in Windows 2000 will recall that once installed, domains could be configured in one of two modes -- mixed mode and native mode. In mixed mode, an Active Directory domain was still capable of supporting Windows NT 4.0 domain controllers, enabling enterprises to transition their domains from the old model to the new directory-based design. Although mixed mode made the deployment of Active Directory in existing environments more flexible, it had limitations, namely the inability to configure universal groups. Once a domain was switched to native mode, all domain controllers had to be running Windows 2000, and using universal groups became possible.

In Windows Server 2003 Active Directory, the concept of a domain "mode" has been re-branded as a "functional level." This is definitely not a bad idea, since the functional level of a Windows Server 2003 Active Directory domain impacts not only the operating system versions that can function as domain controllers, but also the ability to use some of the new features in Active Directory. Furthermore, Windows Server 2003 also introduces an entirely new concept -- a forest functional level. Similar to a domain functional level, the forest functional level when configured impacts the ability to implement certain new Active Directory features, as we will explain later in this article.

The domain functional levels associated with Windows Server 2003 are outlined below. For each functional level, the versions of Windows supported as domain controllers are also listed.

Domain Functional Level         Domain Controllers Supported
Windows 2000 Mixed (Default)    Windows NT 4.0, Windows 2000, Windows Server 2003
Windows 2000 Native             Windows 2000, Windows Server 2003
Windows Server 2003 Interim     Windows NT 4.0, Windows Server 2003
Windows Server 2003             Windows Server 2003

Note that once the functional level of a domain is raised, domain controllers running previous versions of Windows cannot be added to the domain. So if you raise the functional level of a domain to Windows Server 2003, Windows 2000 domain controllers can no longer be added to that domain.

The functional level of a domain is changed from within the Active Directory Users and Computers tool much like how the mode of a domain is changed in Windows 2000. To raise the functional level of a domain, right-click on the domain object in Active Directory Users and Computers and click Raise Domain Functional Level.

In the screenshot below, notice how the domain functional level cannot be changed because it has already been configured to the Windows Server 2003 level. To raise the functional level of a domain, you must be a member of the Enterprise Admins group, or the Domain Admins group in that particular domain. This ability can also be delegated to other users.

In much the same manner, Windows Server 2003 Active Directory supports three different forest functional levels. Each of the forest functional levels is listed below. For each functional level, the versions of Windows supported as domain controllers are also listed.

Forest Functional Level         Domain Controllers Supported
Windows 2000 (Default)          Windows NT 4.0, Windows 2000, Windows Server 2003
Windows Server 2003 Interim     Windows NT 4.0, Windows Server 2003
Windows Server 2003             Windows Server 2003

As is the case with domain functional levels, once the functional level of a forest is changed, domain controllers running earlier Windows versions can no longer be added to any domain in the forest.

Changing the functional level of a forest is accomplished differently than changing that of a domain. Forest functional levels are configured using the Active Directory Domains and Trusts tool by right-clicking on a forest and clicking Raise Forest Functional Level. The screenshot below shows that the current functional level of my forest is set to the default, Windows 2000. In this case, it can still be upgraded to Windows Server 2003. To raise the functional level of a forest, you must be a member of the Enterprise Admins group or the Domain Admins group in the forest root domain.

Before beginning to look at some of the new features of Windows Server 2003 Active Directory, it is important to note that not every new feature requires a certain domain or forest functional level to be configured. Some of the features work at any functional level, while others explicitly require the Windows Server 2003 domain or forest functional level. These requirements are outlined in each of the new feature sections that follow.
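The two tables above encode which operating systems may hold the domain controller role at each functional level. The script below is an added example (not from the article) that turns both tables into a pre-flight check: given the domain controllers that currently exist, it reports which of them would be unsupported at a target level and therefore block the raise, and it answers the "can this DC still be added?" question the article raises for an already-raised level. The precondition that every existing DC must be supported by the target level is this example's assumption, inferred from the article's note that unsupported versions can no longer be added once the level is raised; the domain names and DC names are constructed sample data.

```python
# Added example, not from the article: functional-level compatibility
# checks built from the article's domain and forest tables.

# Operating systems permitted as domain controllers at each DOMAIN
# functional level (taken from the article's domain table).
DOMAIN_LEVELS = {
    "Windows 2000 Mixed": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows 2000 Native": {"Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 Interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}

# Operating systems permitted as domain controllers at each FOREST
# functional level (taken from the article's forest table).
FOREST_LEVELS = {
    "Windows 2000": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 Interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}


def can_add_domain_controller(levels, level, os_name):
    """True if a DC running os_name may be added at the given functional level.

    levels is DOMAIN_LEVELS or FOREST_LEVELS; an unknown level is an error
    rather than a silent "no", so typos in level names are not mistaken
    for policy decisions.
    """
    if level not in levels:
        raise ValueError(f"unknown functional level: {level!r}")
    return os_name in levels[level]


def blocking_domain_controllers(levels, target_level, dcs):
    """Return the (dc_name, os_name) pairs not supported at target_level.

    dcs is an iterable of (dc_name, os_name) tuples. An empty list means
    every existing DC is compatible with the target level (assumed
    precondition for raising the level, see lead-in).
    """
    if target_level not in levels:
        raise ValueError(f"unknown functional level: {target_level!r}")
    supported = levels[target_level]
    return [(name, os_name) for name, os_name in dcs if os_name not in supported]


def forest_raise_blockers(target_level, domains):
    """Forest-wide check before raising the forest functional level.

    domains maps a domain name to its list of (dc_name, os_name) pairs.
    Returns {domain: [blocking DCs]} containing only domains that have
    at least one blocker; {} means the raise can proceed.
    """
    result = {}
    for domain, dcs in domains.items():
        blockers = blocking_domain_controllers(FOREST_LEVELS, target_level, dcs)
        if blockers:
            result[domain] = blockers
    return result


# Constructed sample forest: three domains with a mix of DC versions.
SAMPLE_FOREST = {
    "company.com": [("dc1", "Windows Server 2003"), ("dc2", "Windows Server 2003")],
    "sales.company.com": [("sales-dc1", "Windows Server 2003"), ("sales-dc2", "Windows 2000")],
    "legacy.company.com": [("pdc", "Windows NT 4.0"), ("legacy-dc1", "Windows Server 2003")],
}


if __name__ == "__main__":
    for level in FOREST_LEVELS:
        blockers = forest_raise_blockers(level, SAMPLE_FOREST)
        status = "ok" if not blockers else f"blocked by {blockers}"
        print(f"raise forest to {level}: {status}")

    # Once a domain sits at the Windows Server 2003 level, a Windows 2000
    # DC can no longer be added, exactly as the article notes.
    print(can_add_domain_controller(DOMAIN_LEVELS, "Windows Server 2003", "Windows 2000"))
```

Run against the constructed forest, the Windows Server 2003 forest level is blocked by both the Windows 2000 DC in sales.company.com and the Windows NT 4.0 DC in legacy.company.com, while the interim level is blocked only by the Windows 2000 DC, since the interim level still admits NT 4.0 domain controllers. In practice you would feed the function the real DC inventory rather than the sample data.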

Domain Renaming and Repositioning

In the Windows 2000 version of Active Directory, it was not possible to rename domains without demoting all domain controllers, which effectively destroyed the domain. In Windows Server 2003, domains can be renamed, as long as the forest in which they exist is configured to the Windows Server 2003 forest functional level. Of course, this means you cannot rename a domain that includes either Windows 2000 or Windows NT 4.0 domain controllers, since the Windows Server 2003 forest functional level supports only Windows Server 2003 domain controllers. The tool to rename Windows Server 2003 domains is named RENDOM, and it is found in the Valueadd\Msft\Mgmt\Domren folder on the Windows Server 2003 CD.

Along the same lines, Windows Server 2003 also allows you to rename individual domain controllers with a new computer name. In Windows 2000 Active Directory, this was possible only if you first used DCPROMO to demote a domain controller back to a member server, changed the name, and then re-promoted it. Renaming a domain controller is possible only if a domain is configured to the Windows Server 2003 domain functional level.

Renaming a Windows Server 2003 domain controller is handled differently than the traditional method (via the System tool in Control Panel). Instead, the NETDOM command line utility is used to handle the domain controller renaming function. For example, the series of commands to rename a domain controller from server1.company.com to database.company.com would be:

C:\>netdom computername server1.company.com /add:database.company.com

C:\>netdom computername server1.company.com /makeprimary:database.company.com

Then, after rebooting the server:

C:\>netdom computername database.company.com /remove:server1.company.com

Finally, Windows Server 2003 also supports the ability to reposition domains within an Active Directory forest. For example, you may have originally implemented each domain as its own forest and later decided that you would rather have all domains fall within the same DNS namespace as part of a single tree. This is now possible, but only if the forest is configured to the Windows Server 2003 forest functional level.

Even with this limitation, the ability to reposition domains is a great feature, especially if you managed to inherit responsibility for a forest that was not well designed in the first place.

In the same manner as renaming domains, domain repositioning in Windows Server 2003 Active Directory environments is also accomplished by using the RENDOM utility. To be honest, the steps involved in repositioning domains with this tool can be quite complex, and will be left for another article.

However, if you are curious right now, you can read more about RENDOM here.

That's all for Part 1 of our overview of the new features in Windows Server 2003 Active Directory. The next article will continue this overview with the exploration of new features, like cross-forest trust relationships, universal group caching, and changes to some of Active Directory tools.

Until then, best of luck with your stroll through the world of Windows Server 2003.
