Forest and Domain Functional Levels

Although many people have already decided that Windows Server 2003 is no more than a minor revision of Windows 2000, the truth of the matter is that this new version includes more than just a few new features, tools, and services. Although it is built upon the foundation provided by Windows 2000, many of these new elements are ones that organizations, and especially larger ones, will want to be aware of. My goal with this article and the next is to provide an overview of some of the new features found in Windows Server 2003, and specifically those associated with its directory service, Active Directory. In this article we’ll take a look at domain and forest functional levels.

Domain and Forest Functional Levels

Those familiar with Active Directory in Windows 2000 will recall that once installed, domains could be configured in one of two modes – mixed mode, and native mode. In mixed mode, an Active Directory domain was still capable of supporting Windows NT 4.0 domain controllers, providing companies with the ability to transition their domains from the old model to the new directory-based design. Although mixed mode made the deployment of Active Directory in existing environments more flexible, it did come with limitations, namely the inability to configure universal groups. Once a domain was switched to native mode, all domain controllers had to be running Windows 2000, and using universal groups became possible.

In Windows Server 2003 Active Directory, the concept of a domain “mode” has been re-branded as a “functional level”. This is definitely not a bad idea, since the functional level of a Windows Server 2003 Active Directory domain not only impacts the operating system versions that can function as domain controllers, but also the ability to utilize some of the new features in Active Directory. Furthermore, Windows Server 2003 also introduces an entirely new concept, known as a forest functional level. Along the same lines as a domain functional level, the forest functional level configured impacts the ability to implement certain new Active Directory features, as you’ll see later in this article.

The domain functional levels associated with Windows Server 2003 are outlined below. For each functional level, the versions of Windows that are supported as domain controllers are also listed.

Table

It should be noted that once the functional level of a domain is raised, domain controllers running previous versions of Windows cannot be added to the domain. So, if you raise the functional level of a domain to Windows Server 2003, Windows 2000 domain controllers can no longer be added to that domain.

Much like changing the mode of a domain in Windows 2000, the functional level of a domain is changed from within the Active Directory Users and Computers tool. To raise the functional level of a domain, right-click on the domain object in Active Directory Users and Computers and click Raise Domain Functional Level. In the screenshot below, you’ll notice that the domain functional level cannot be changed, because it has already been configured to the Windows Server 2003 level. To raise the functional level of a domain, you must be a member of the Enterprise Admins group, or the Domain Admins group in that particular domain. This ability can also be delegated to other users.

In much the same manner, Windows Server 2003 Active Directory supports 3 different forest functional levels. Each of the forest functional levels is listed below. For each functional level, the versions of Windows that are supported as domain controllers are also listed.

Table

In the same manner as with domain functional levels, once the functional level of a forest is changed, domain controllers running earlier Windows versions can no longer be added to any domain in the forest.

Changing the functional level of a forest is accomplished differently than for a domain. Forest functional levels are configured using the Active Directory Domains and Trusts tool, by right-clicking on a forest and clicking Raise Forest Functional Level. The screenshot below shows that the current functional level of my forest is set to the default, Windows 2000. In this case, it can still be upgraded to Windows Server 2003. To raise the functional level of a forest, you must be a member of the Enterprise Admins group or the Domain Admins group in the forest root domain.
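Because raising a level stops older domain controllers from being added, it helps to record the current levels and the operating systems of the existing domain controllers before using either tool. The following read-only PowerShell check is an added example, not part of the original article; the function names are hypothetical, and it assumes a domain-joined machine and an account with read access to the directory.

```powershell
# Added example: read-only audit, nothing is raised or modified.
# Levels 0-2 are the values a Windows Server 2003-era directory reports.
function ConvertTo-LevelName {
    param(
        [Parameter(Mandatory)][int]$Level,
        [int]$NtMixedDomain = 0,   # only meaningful for a domain at level 0
        [switch]$Forest
    )
    switch ($Level) {
        0 {
            if ($Forest) { 'Windows 2000' }
            elseif ($NtMixedDomain -eq 1) { 'Windows 2000 mixed' }
            else { 'Windows 2000 native' }
        }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "Later level ($Level), outside this article's scope" }
    }
}

function Get-FunctionalLevelReport {
    # RootDSE exposes the effective domain and forest levels as integers.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
    $domain   = [ADSI]"LDAP://$domainDn"
    $domLevel = [int]$rootDse.Properties['domainFunctionality'].Value
    $forLevel = [int]$rootDse.Properties['forestFunctionality'].Value
    $mixed    = [int]$domain.Properties['nTMixedDomain'].Value

    # Domain controllers carry the SERVER_TRUST_ACCOUNT bit (8192) in userAccountControl.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem'))
    $dcs = foreach ($r in $searcher.FindAll()) {
        $name = $r.Properties['name'] | Select-Object -First 1
        $os   = $r.Properties['operatingsystem'] | Select-Object -First 1
        '{0} ({1})' -f $name, $os
    }

    [pscustomobject]@{
        Domain            = $domainDn
        DomainLevel       = ConvertTo-LevelName -Level $domLevel -NtMixedDomain $mixed
        ForestLevel       = ConvertTo-LevelName -Level $forLevel -Forest
        DomainControllers = $dcs
    }
}

Get-FunctionalLevelReport | Format-List
```

Any domain controller in the output that runs an operating system older than the target level needs to be upgraded or retired before the level is raised.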

Before beginning to look at some of the new features of Windows Server 2003 Active Directory, it is important for you to note that not every new feature requires a certain domain or forest functional level to be configured. Some of the features work at any functional level, while others explicitly require the Windows Server 2003 domain or forest functional level.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.