Win Server 2008 Directory Services, Functional Levels Overview Page 2

Functional levels were introduced to organize all possible scenarios that could be implemented using Active Directory domains with Windows NT 4.0, 2000, and 2003 Server computers operating as their domain controllers. These scenarios have been arranged into the following categories:

Domain Functional Levels

• Windows 2000 Mixed — Resulting from either adding a Windows Server 2003 domain controller to an existing mixed-mode domain or promoting a Windows Server 2003 based computer to the first domain controller in a new domain. Since, in this case, it is possible to have all three versions of the OS serve as domain controllers, its domain-wide benefits are limited (equivalent to those in Windows 2000 mixed mode). On the other hand, the mere presence of Windows Server 2003 domain controllers provides variety of efficiency improvements, which are independent of the functional level, such as, new and enhanced Active Directory management utilities (including multi-select edit, drag and drop, or saved queries capabilities in Active Directory Users and Computers). There is also new functionality, although its availability is limited to Windows Server 2003 based domain controller.
• Windows 2000 Native — Resulting from either adding a Windows Server 2003 domain controller to an existing native-mode domain or raising Windows 2000 mixed functional level up one notch. This arrangement gives you extra benefits of the native mode described earlier (in the context of Windows 2000 Server), with both Windows Server 2003 and 2000 based domain controllers allowed to coexist in the same domain.
• Windows Server 2003 Interim — Closely tied to the Windows Server 2003 Interim forest functional level, since most often both of them are introduced together into Active Directory by upgrading of a Windows NT 4.0 PDC to Windows Server 2003.
• Windows Server 2003 — provides access to domain-level features introduced in Windows Server 2003 based Active Directory that are not available with earlier versions of the operating system, which automatically eliminates possibility of having Windows 2000 Server-based domain controllers present in the same domain. These features include support for application partitions, which are intended for custom directory-aware application, but sharing a number of characteristics with standard Configuration, Schema or Domain naming context partitions (e.g., replication capabilities, DNS interaction, or schema extensibility); redirection of newly created users and computers to an arbitrary AD container (with redirusr and redircmp utilities); constrained delegation, mitigating risks associated with granting full delegation implemented in Windows 2000-based Active Directory, restricting it to specific services on target servers; automatic replication lastLogonTimestamp attribute, for which older equivalent had to be queried separately on each domain controller; password support for inetOrgPerson class objects facilitating integration with other LDAP directory services; selective authentication limiting ability of users in others trusted forests to access local domain resources; and the ability to rename domain controllers (by using NETDOM utility, without the need for their demotion), or to store Authorization Manager policies (controlling role access for Web Applications) in Active Directory.

  For more information about this feature, refer to our earlier article.

Forest Functional Levels

• Windows 2000 — Assigned when the first Windows Server 2003 is promoted to a domain controller in a new or existing Active Directory forest. While this step introduces a number of new features, a majority of them are limited strictly to domain controllers running this version of Windows. Among the more relevant ones are universal group caching (facilitating logons in cases where the GC server is in a remote site or temporarily unavailable), incremental synchronization of Global Catalog (following changes to its partial attribute set), installation from media (using System State backup of another Windows Sever 2003 based domain controller in the same domain), the ability to reset Directory Services Restore Mode Password while online (without the need for shutting down the operating system), reduced Active Directory database storage requirements (due to applying Single Instance Store mechanism to its Security Descriptors), and account creation quotas (restricting number of objects that an arbitrary security principal can create in a designated directory partition, which helps mitigate denial-of-service attacks). Since the role of intersite topology generator is transferred to Windows Server 2003 based domain controllers, its efficiency and event logging are improved as well. Concurrent LDAP binds can be leveraged to minimize the performance impact of multiple Active Directory connections. Rapid Global Catalog demotion process significantly reduces the amount of time necessary to accomplish this task in Windows 2000 Server based domains.
• Windows Server 2003 Interim — As mentioned earlier, the most common way of reaching it is by upgrading Windows NT 4.0 Server PDC to Windows Server 2003 (this unique option is presented during Active Directory Installation Wizard) when creating the root domain in a new forest. Alternatively, when dealing with existing Windows 2000 forest that includes a mix of Windows NT 4.0 BDCs and 2003 based domain controllers, you can produce the same outcome by setting to 1 (using, for example, LDP or ADSI Edit utility) the value of the msDS-Behavior-Version attribute of the CN=Partitions,CN=Configuration,DC=forestname,DC=com Active Directory object.

  With the forest level set, each new domain added will automatically gets assigned matching domain functional level. Keep in mind that this operation precludes the existence of any current or future Windows 2000 Server based domain controllers in each of the domains of the forest and forces you to maintain this status as long as you have any remaining Windows NT 4.0 BDCs. You will need to upgrade all of the individual domains operating at Windows 2000 mixed or Server 2003 Interim level to Windows Server 2003 domain functional level before you can switch to Windows Server 2003 forest functional level.

  On the other hand, your environment will benefit from improved handling (via the Linked Value Replication mechanism) of groups with more than 5,000 members. Due to the way group membership changes are applied in Windows 2000 Server-based domains, it is not recommended to exceed this limit when operating in Windows 2000 mixed or native domain functional levels. This, in turn, eliminates the need for identifying and breaking such groups into smaller ones (with less than 5000 users) and repermissioning resources to which access is impacted by this process. Another reason for choosing this level is the improved algorithm employed by Intersite Topology Generator to define replication topology in complex, multi-site environments. Several new attributes have also been added to global catalog, making them readily available forest-wide), which play the role in management of forest trust, Microsoft Message Queueing, printing or Digital Rights Management certificates.

• Windows Server 2003 — Requires all domains in the forest operate at least on the Windows 2000 native functional level (or higher), and all of its domain controllers run on the Windows Server 2003 platform. It also ensures any new domain added to the forest gets assigned a matching functional level. Among its main benefits are such features as cross-forest, transitive trusts (encompassing all domains in both forests), domain rename capability (allowing forest restructuring), dynamic auxiliary AD schema classes (which can be dynamically linked to individual, arbitrarily selected objects of another class), deactivating and reactivating schema extensions (which encourages their reuse), conversion between user and inetOrgPerson objects as well as the ability to associate SID with the latter (further integrating AD with other LDAP-based directory services), significant reduction in the intrasite replication interval (down to 15 seconds, which translates into full site synchronization within one minute), or support for query-based Authorization Manager groups (with dynamically evaluated membership).

Since the improvements described above are cumulative, they also appear in the same (or further enhanced) form in Windows Server 2008-based domains. Keep in mind, however, that functional level options have changed once Windows Server 2008 was introduced. One of the significant modifications was eliminating Windows NT 4.0 Server BDCs from the list of acceptable participants, which effectively rendered Windows 2000 mixed domain functional level obsolete. The next article will look into all possible scenarios in greater detail.