Server Solver

Move Up or Stay Put?

When it makes sense to raise the forest and domain functional levels to Windows Server 2003.

Zubair: We are about to create a new Windows Server 2003 forest. We’ve had lots of discussions on the topic of raising the functional levels to Windows Server 2003. Some administrators on the design team believe the functional levels should be raised as soon as possible, while others oppose the idea. We may have to add a Windows 2000 or NT domain later for testing the software products that we develop for our customers, but in the beginning we’ll only have Windows Server 2003 domain controllers in the forest. The team has decided not to raise the forest and domain functional level to Windows Server 2003. Are we making a big mistake?
— Nick


Nick, before I give you some suggestions on when it’s best to raise the functional levels for Windows Server 2003, I should point out that your team has made a safe and wise choice. The functional levels can always be raised later when there’s a need, so leaving them at the default levels may not be such a bad idea. In a moment, I will talk about the pros and cons of not raising the functional levels so you will be able to make a better choice for your organization.

Windows 2000 Active Directory domains have the concept of Mixed and Native Modes. The default Mixed Mode allows both NT and Windows 2000 domain controllers to coexist. Once you convert to Native Mode, you are only allowed to have Windows 2000 domain controllers in your domain. The conversion is one-way -- it cannot be reversed. In Windows Server 2003, Microsoft introduced forest and domain functional levels. The concept is rather similar to switching from Mixed to Native Mode in Windows 2000. The new functional levels give you additional capabilities that the previous functional levels didn’t have. There are four domain functional levels:

  1. Windows 2000 Mixed (supports NT4/2000/2003 DCs)
  2. Windows 2000 Native (supports 2000/2003 DCs)
  3. Windows Server 2003 Interim (supports NT4/2003 DCs)
  4. Windows Server 2003 (supports only 2003 DCs)

and three forest functional levels:

  1. Windows 2000 (supports NT4/2000/2003 DCs)
  2. Windows 2000 Interim (supports NT4/2003 DCs)
  3. Windows Server 2003 (supports only 2003 DCs)

For a list of features that are enabled with each domain functional level, click here. For a list of features supported in each forest functional level, click here. If you are interested in a more detailed explanation of the features available in each functional level, check out WS03 Features and Improvements. While you read the rest of this article, you will find it easier to follow the discussion if you print out the tables posted at the first two links related to domain and forest functional levels. At minimum, having them available in two browser windows will help, as I will be referring to them several times.

Warning! Some Microsoft documents contain an error (and several Web sites copy that error) about the functional level required to rename domain controllers. They claim that renaming a domain controller requires you to raise the “domain” functional level to Windows Server 2003, which is not correct. You can rename a domain controller even in the default Windows 2000 mixed domain functional level. Renaming a domain, however, does require you to raise your “forest” functional level to Windows Server 2003. It is important to note that renaming a domain controller is a completely different concept than renaming a domain.

In Windows 2000 there are several reasons that I recommend you switch to Native Mode as soon as possible. Since your question pertains to Windows Server 2003, I’ll keep the focus on the new functional levels. In Windows 2003, my philosophy is not to rush to raise the functional levels for most small to medium-size companies, unless you have a legitimate reason to do so. Let’s explore this a bit further.

Just like switching from Mixed to Native Mode, once you raise your functional level to the next level, you can’t revert to a previous level. However, unlike in a Windows 2000 environment, you may not notice major advantages to raising either the domain or forest functional level. This may be true for a lot of small to medium-size companies. Larger organizations may find it beneficial to raise their functional levels because of the added functionality that they can get. Among other things, the default domain level (Windows 2000 Mixed) limits the number of objects that you can have because it allows Windows NT 4.0 domain controllers. If you recall, NT 4.0 domains have a “recommended” limit of about 40,000 objects. Raising the domain level to Windows 2000 Native will allow you to have millions of objects in your domain.

A simple way to determine whether you should raise the functional level is to look at the added features that you will get by raising it. For example, if you have a need for Universal Groups and don’t need to add any Windows NT 4.0 domain controllers to your domain, then by all means raise the domain level to Windows 2000 Native. Look at the Enabled Features column in the document WS03 Domain Functional Levels. Similarly, in organizations that have to deal with a lot of Active Directory replication issues, raising the forest functional level can be beneficial.

If your company merges with another company and you need to create a cross-forest trust between the two companies, or you need to rename your domain, you must raise your forest functional level to Windows Server 2003.

Keep in mind that these functional levels only limit the addition of domain controllers. You can always add member servers or clients from previous versions, even if you raise the functional level to Windows Server 2003. In other words, if you decide to raise the forest functional level to Windows Server 2003, you can still have clients or member servers in your domains that are running Windows NT 4.0 or Windows 2000.

Another thing to note is that the process of raising a domain or forest functional level takes only seconds, and you don’t even need to reboot your computers. Therefore, I suggest you stay at the lowest functional level for your domain as well as forest until you feel the need to benefit from a feature that’s only available at a higher functional level. It’s very easy to jump to a new level but it’s not possible to go back if you change your mind.

You can raise the domain functional level in Active Directory Users and Computers (ADUC) but you can’t raise the forest functional level in that MMC. You can view the current levels if you go to the properties of your domain in ADUC. I prefer to use Active Directory Domains and Trusts because it allows me to raise (and verify) both domain and forest functional levels.

To raise the domain functional level, you go to the properties of your domain in Active Directory Domains and Trusts. To raise the forest functional level you go to the properties of Active Directory Domains and Trusts at the root. Of course, if your domains are not at the correct level, you won’t be able to raise the forest functional level.
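A read-only pre-flight check for the irreversible raise described above, as an added example that is not part of the original column. The inventory is constructed sample data, the raw values follow Active Directory's msDS-Behavior-Version and nTMixedDomain attributes (not named in the column), and the rule that every domain must already be at Windows 2000 Native or higher before the forest raise is an assumption the column does not spell out.

```python
# Added example: list what would block a one-way functional level raise.
# All inventory values below are constructed sample data.

# DC operating systems each domain level tolerates, as listed in the article.
DOMAIN_LEVELS = {
    "Windows 2000 Mixed": {"NT4", "2000", "2003"},
    "Windows 2000 Native": {"2000", "2003"},
    "Windows Server 2003 Interim": {"NT4", "2003"},
    "Windows Server 2003": {"2003"},
}
# The Windows Server 2003 forest level has the same DC rule: 2003 DCs only.
FOREST_2003 = "Windows Server 2003"

def decode_domain_level(behavior_version, nt_mixed_domain):
    """Map raw msDS-Behavior-Version / nTMixedDomain values to a level name."""
    if behavior_version == 0:
        return "Windows 2000 Mixed" if nt_mixed_domain == 1 else "Windows 2000 Native"
    return {1: "Windows Server 2003 Interim", 2: "Windows Server 2003"}[behavior_version]

def unsupported_dcs(dcs, target):
    """Return the DCs whose operating system the target level does not support."""
    allowed = DOMAIN_LEVELS[target]
    return sorted(name for name, os_name in dcs.items() if os_name not in allowed)

def forest_raise_report(domains):
    """List everything that blocks raising the forest to Windows Server 2003."""
    problems = []
    for dom, info in sorted(domains.items()):
        level = decode_domain_level(info["behavior"], info["mixed"])
        # Assumption: each domain must already be at Windows 2000 Native or
        # Windows Server 2003 before the forest level can be raised.
        if level not in ("Windows 2000 Native", "Windows Server 2003"):
            problems.append(f"{dom}: domain level is {level}")
        for dc in unsupported_dcs(info["dcs"], FOREST_2003):
            problems.append(f"{dom}: {dc} runs {info['dcs'][dc]}")
    return problems

# Constructed forest: corp is clean, lab is Mixed and keeps a Windows 2000 DC.
SAMPLE = {
    "corp.example": {"behavior": 0, "mixed": 0,
                     "dcs": {"DC1": "2003", "DC2": "2003"}},
    "lab.example": {"behavior": 0, "mixed": 1,
                    "dcs": {"LABDC1": "2003", "LABDC2": "2000"}},
}

if __name__ == "__main__":
    for line in forest_raise_report(SAMPLE) or ["no blockers found"]:
        print(line)
```

An empty report means nothing in the inventory blocks the raise; it does not answer whether a Windows 2000 or NT domain controller will be needed later, which is the question that makes the change irreversible in practice.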

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].
