Although many people have already decided that Windows Server 2003 is no more than a minor revision of Windows 2000, this new version includes a number of new features, tools, and services. Although the server is built on the foundation provided by Windows 2000, many of these new elements are ones that organizations, especially larger ones, will want to be aware of.
In this two-part series, Dan DiNicolo discusses what’s new in Windows Server 2003’s Active Directory. Part 1 examines domain and forest functional levels, as well as the ability to rename and reposition domains and domain controllers.
The goal of this article and the subsequent one is to provide an overview of some of the new features found in Windows Server 2003, specifically those associated with its directory service, Active Directory. In this first article we’ll examine domain and forest functional levels, as well as the ability to rename and reposition domains and domain controllers.
In Part 2, we’ll examine new features like cross-forest trust relationships, universal group caching, and changes to some of the Active Directory tools with which you are most likely already familiar.
Whether you’re in the process of evaluating this operating system or beginning to think about upgrading your MCSA or MCSE to the Windows Server 2003 track, you’ll want to be familiar with these concepts.
Domain and Forest Functional Levels
Those familiar with Active Directory in Windows 2000 will recall that once installed, domains could be configured in one of two modes — mixed mode and native mode. In mixed mode, an Active Directory domain was still capable of supporting Windows NT 4.0 domain controllers, enabling enterprises to transition their domains from the old model to the new directory-based design. Although mixed mode made the deployment of Active Directory in existing environments more flexible, it had limitations, namely the inability to configure universal groups. Once a domain was switched to native mode, all domain controllers had to be running Windows 2000, and using universal groups became possible.
In Windows Server 2003 Active Directory, the concept of a domain “mode” has been re-branded as a “functional level.” This is definitely not a bad idea, since the functional level of a Windows Server 2003 Active Directory domain impacts not only the operating system versions that can function as domain controllers, but also the ability to use some of the new features in Active Directory. Furthermore, Windows Server 2003 also introduces an entirely new concept — a forest functional level. Similar to a domain functional level, the configured forest functional level determines whether certain new Active Directory features can be implemented, as we will explain later in this article.
The domain functional levels associated with Windows Server 2003 are outlined below. For each functional level, the versions of Windows supported as domain controllers are also listed.

|Domain Functional Level|Domain Controllers Supported|
|---|---|
|Windows 2000 Mixed (Default)|Windows NT 4.0, Windows 2000, Windows Server 2003|
|Windows 2000 Native|Windows 2000, Windows Server 2003|
|Windows Server 2003 Interim|Windows NT 4.0, Windows Server 2003|
|Windows Server 2003|Windows Server 2003|
Note that once the functional level of a domain is raised, domain controllers running previous versions of Windows cannot be added to the domain. So if you raise the functional level of a domain to Windows Server 2003, Windows 2000 domain controllers can no longer be added to that domain.
The functional level of a domain is changed from within the Active Directory Users and Computers tool much like how the mode of a domain is changed in Windows 2000. To raise the functional level of a domain, right-click on the domain object in Active Directory Users and Computers and click Raise Domain Functional Level.
In the screenshot below, notice how the domain functional level cannot be changed because it has already been configured to the Windows Server 2003 level. To raise the functional level of a domain, you must be a member of the Enterprise Admins group, or the Domain Admins group in that particular domain. This ability can also be delegated to other users.
In much the same manner, Windows Server 2003 Active Directory supports three different forest functional levels. Each of the forest functional levels is listed below. For each functional level, the versions of Windows supported as domain controllers are also listed.

|Forest Functional Level|Domain Controllers Supported|
|---|---|
|Windows 2000 (Default)|Windows NT 4.0, Windows 2000, Windows Server 2003|
|Windows Server 2003 Interim|Windows NT 4.0, Windows Server 2003|
|Windows Server 2003|Windows Server 2003|
As is the case with domain functional levels, once the functional level of a forest is changed, domain controllers running earlier Windows versions can no longer be added to any domain in the forest.
Changing the functional level of a forest is accomplished differently than changing that of a domain. Forest functional levels are configured using the Active Directory Domains and Trusts tool by right-clicking on a forest and clicking Raise Forest Functional Level. The screenshot below shows that the current functional level of my forest is set to the default, Windows 2000. In this case, it can still be upgraded to Windows Server 2003. To raise the functional level of a forest, you must be a member of the Enterprise Admins group or the Domain Admins group in the forest root domain.
Before beginning to look at some of the new features of Windows Server 2003 Active Directory, it is important to note that not every new feature requires a certain domain or forest functional level to be configured. Some of the features work at any functional level, while others explicitly require the Windows Server 2003 domain or forest functional level. These requirements are outlined in each of the new feature sections that follow.
Domain Renaming and Repositioning
In the Windows 2000 version of Active Directory, it was not possible to rename domains without demoting all domain controllers, which effectively destroyed the domain. In Windows Server 2003, domains can be renamed, as long as the forest in which they exist is configured to the Windows Server 2003 forest functional level. Of course, this means you cannot rename a domain that includes either Windows 2000 or Windows NT 4.0 domain controllers, since the Windows Server 2003 forest functional level supports only Windows Server 2003 domain controllers. The tool to rename Windows Server 2003 domains is named RENDOM, and it is found in the Valueadd\Msft\Mgmt\Domren folder on the Windows Server 2003 CD.
Along the same lines, Windows Server 2003 also allows you to rename individual domain controllers with a new computer name. In Windows 2000 Active Directory, this was possible only if you first used DCPROMO to demote a domain controller back to a member server, changed the name, and then re-promoted it. Renaming a domain controller is possible only if the domain is configured to the Windows Server 2003 domain functional level.
Renaming a Windows Server 2003 domain controller is handled differently than the traditional method (via the System tool in Control Panel). Instead, the NETDOM command line utility is used to handle the domain controller renaming function. For example, the series of commands to rename a domain controller from server1.company.com to database.company.com would be:
Then, after rebooting the
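The complete NETDOM sequence for the rename described above, as an added example rather than the author's own listing. It assumes netdom.exe from the Windows Server 2003 Support Tools is installed, the domain is at the Windows Server 2003 domain functional level, and the commands are run on server1.company.com by a member of Domain Admins.

```cmd
:: Added example (not from the original article). Assumes the Support Tools
:: (which provide netdom.exe) are installed and the domain is at the
:: Windows Server 2003 domain functional level.

:: 1. Register the new name as an alternate name for the domain controller.
::    The DNS host record and service principal names for the new name are
::    created alongside the existing ones, so nothing breaks yet.
netdom computername server1.company.com /add:database.company.com

:: 2. Make the new name the primary computer name. The old name remains
::    registered as an alternate until it is explicitly removed.
netdom computername server1.company.com /makeprimary:database.company.com

:: 3. Restart the domain controller so the new primary name takes effect.
shutdown /r /t 0

:: 4. After the restart, and once the new name has replicated to the other
::    domain controllers, remove the old name so stale DNS records and SPNs
::    are not left behind for clients to authenticate against.
netdom computername database.company.com /remove:server1.company.com

:: 5. Check that the DNS and SPN entries for the domain controller agree
::    with its names before considering the rename finished.
netdom computername database.company.com /verify
```

Removing the old name too early, before every domain controller has replicated the new one, causes Kerberos and DNS failures for clients that still resolve the old name; step 4 should wait for replication to complete.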
Finally, Windows Server 2003 also supports the ability to reposition domains within an Active Directory forest. For example, suppose you originally implemented each domain as its own forest, and later decided that you wanted to change the structure so that all domains fall into the same DNS namespace as part of a single tree. This is now possible, but only if the forest is configured to the Windows Server 2003 forest functional level.
Even with this limitation, the ability to reposition domains is a great feature, especially if you managed to inherit responsibility for a forest that was not well designed in the first place.
In the same manner as renaming domains, domain repositioning in Windows Server 2003 Active Directory environments is also accomplished by using the RENDOM utility. To be honest, the steps involved in repositioning domains with this tool can be quite complex, and will be left for another article.
However, if you are curious right now, you can read more about RENDOM
That’s all for Part 1 of our overview of the new features in Windows Server 2003 Active Directory. The next article will continue this overview with the exploration of new features, like cross-forest trust relationships, universal group caching, and changes to some of the Active Directory tools.
Until then, best of luck with your stroll through the world of Windows Server 2003.