Domain and forest functionality

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Domain and forest functionality, introduced in Windows Server 2003 Active Directory, provides a way to enable domain- or forest-wide Active Directory features within your network environment. Different levels of domain functionality and forest functionality are available depending on your environment.

If all domain controllers in your domain or forest are running Windows Server 2003 and the functional level is set to Windows Server 2003, all domain- and forest-wide features are available. When Windows NT 4.0 or Windows 2000 domain controllers are included in your domain or forest with domain controllers running Windows Server 2003, Active Directory features are limited. For more information about how to enable domain- or forest-wide features, see Raising domain and forest functional levels.

The concept of enabling additional functionality in Active Directory exists in Windows 2000 with mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security ID (SID) history capabilities. When the domain is set to native mode, Universal security groups, group nesting, and SID history capabilities are available. Domain controllers running Windows 2000 Server are not aware of domain and forest functionality.

Domain functionality

Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level.

The following table lists the domain functional levels and the domain controllers each one supports.

Domain functional level          Domain controllers supported
Windows 2000 mixed (default)     Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows 2000 native              Windows 2000, Windows Server 2003 family
Windows Server 2003 interim      Windows NT 4.0, Windows Server 2003 family
Windows Server 2003              Windows Server 2003 family

Raising the domain functional level is a one-way operation: once it has been raised it cannot be lowered again, and domain controllers running earlier operating systems can no longer be introduced into the domain. For example, if you raise the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain. Before raising, confirm that every existing domain controller in the domain runs an operating system that the target level supports.

The following table describes the domain-wide features that are enabled at each of three domain functional levels. For information about the Windows Server 2003 interim functional level, see Upgrading from a Windows NT domain.

Domain controller rename tool
(For more information, see Renaming domain controllers.)
  Windows 2000 mixed:   Disabled
  Windows 2000 native:  Disabled
  Windows Server 2003:  Enabled

Different location option for user and computer accounts
(For more information about how to redirect the default location for user and computer accounts, see Redirect the Users and Computers Containers.)
  Windows 2000 mixed:   Disabled
  Windows 2000 native:  Disabled
  Windows Server 2003:  Enabled

Update logon timestamp
(For more information about the lastLogonTimestamp attribute, see User and computer accounts.)
  Windows 2000 mixed:   Disabled
  Windows 2000 native:  Disabled
  Windows Server 2003:  Enabled

User password on InetOrgPerson object
(For more information about InetOrgPerson objects, see User and computer accounts.)
  Windows 2000 mixed:   Disabled
  Windows 2000 native:  Disabled
  Windows Server 2003:  Enabled

Universal groups
(For more information, see Group types and Group scope.)
  Windows 2000 mixed:   Enabled for distribution groups; disabled for security groups.
  Windows 2000 native:  Enabled; allows both security and distribution groups.
  Windows Server 2003:  Enabled; allows both security and distribution groups.

Group nesting
(For more information, see Nesting groups.)
  Windows 2000 mixed:   Enabled for distribution groups; disabled for security groups, except that domain local security groups can have global groups as members.
  Windows 2000 native:  Enabled; allows full group nesting.
  Windows Server 2003:  Enabled; allows full group nesting.

Converting groups
(For more information, see Converting groups.)
  Windows 2000 mixed:   Disabled; no group conversions allowed.
  Windows 2000 native:  Enabled; allows conversion between security groups and distribution groups.
  Windows Server 2003:  Enabled; allows conversion between security groups and distribution groups.

SID history
  Windows 2000 mixed:   Disabled
  Windows 2000 native:  Enabled; allows migration of security principals from one domain to another.
  Windows Server 2003:  Enabled; allows migration of security principals from one domain to another.

Because SID history lets a migrated security principal keep the SIDs it held in its former domain (stored in its sIDHistory attribute), treat it as a migration-time feature: review which principals carry SID history once the migration is complete rather than leaving it in place indefinitely.

Forest functionality

Forest functionality enables features across all the domains within your forest. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003. By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003.

The following table lists the forest functional levels and the domain controllers each one supports.

Forest functional level          Domain controllers supported
Windows 2000 (default)           Windows NT 4.0, Windows 2000, Windows Server 2003 family
Windows Server 2003 interim      Windows NT 4.0, Windows Server 2003 family
Windows Server 2003              Windows Server 2003 family

Raising the forest functional level is likewise a one-way operation: once it has been raised it cannot be lowered again, and domain controllers running earlier operating systems can no longer be introduced anywhere in the forest. For example, if you raise the forest functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to any domain in the forest. Every domain in the forest must already be at a domain functional level that the target forest level supports before the forest level can be raised.

If you are upgrading your first Windows NT 4.0 domain so that it becomes the first domain in a new Windows Server 2003 forest, you can set the forest functional level (and with it the domain functional level) to Windows Server 2003 interim. For more information, see Upgrading from a Windows NT domain.
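The two "once raised, cannot be undone" rules above, for the domain and for the forest, come down to the same pre-check: read the current level, and confirm that every existing domain controller runs an operating system the target level supports. The following PowerShell is an added example written for this page; it is not code from the original documentation. It assumes that the domain naming context stores its level in the msDS-Behavior-Version attribute and the Windows 2000 mixed/native distinction in ntMixedDomain (1 = mixed, 0 = native), that CN=Partitions under the Configuration naming context stores the forest level in msDS-Behavior-Version, and that the values 0, 1 and 2 mean Windows 2000, Windows Server 2003 interim and Windows Server 2003 respectively. The function names and the domain controller inventory at the end are constructed for illustration.

```powershell
# Added example (not from the original page): decode functional levels from the
# attributes assumed to store them and check whether a planned raise is safe.

function ConvertTo-DomainFunctionalLevel {
    param(
        [Parameter(Mandatory)] [int] $BehaviorVersion,   # msDS-Behavior-Version on the domain NC (assumed)
        [Parameter(Mandatory)] [int] $NtMixedDomain      # ntMixedDomain on the domain NC (assumed)
    )
    switch ($BehaviorVersion) {
        0       { if ($NtMixedDomain -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
        1       { 'Windows Server 2003 interim' }
        2       { 'Windows Server 2003' }
        default { "Unknown ($BehaviorVersion)" }        # later levels are outside this page's scope
    }
}

function ConvertTo-ForestFunctionalLevel {
    param([Parameter(Mandatory)] [int] $BehaviorVersion) # msDS-Behavior-Version on CN=Partitions (assumed)
    switch ($BehaviorVersion) {
        0       { 'Windows 2000' }
        1       { 'Windows Server 2003 interim' }
        2       { 'Windows Server 2003' }
        default { "Unknown ($BehaviorVersion)" }
    }
}

# Supported domain controller operating systems per level, taken from the tables on this page.
$SupportedDcOs = @{
    'Windows 2000 mixed'          = @('Windows NT 4.0', 'Windows 2000', 'Windows Server 2003')
    'Windows 2000 native'         = @('Windows 2000', 'Windows Server 2003')
    'Windows Server 2003 interim' = @('Windows NT 4.0', 'Windows Server 2003')
    'Windows Server 2003'         = @('Windows Server 2003')
    'Windows 2000'                = @('Windows NT 4.0', 'Windows 2000', 'Windows Server 2003')  # forest level
}

function Test-DcOsAllowed {
    param(
        [Parameter(Mandatory)] [string] $FunctionalLevel,
        [Parameter(Mandatory)] [string] $DcOperatingSystem
    )
    $allowed = $SupportedDcOs[$FunctionalLevel]
    if (-not $allowed) { throw "No support table for level '$FunctionalLevel'" }
    return [bool]($allowed -contains $DcOperatingSystem)
}

# A raise is irreversible, so refuse it while any existing DC runs an OS the target level drops.
function Test-ReadyToRaise {
    param(
        [Parameter(Mandatory)] [string]   $TargetLevel,
        [Parameter(Mandatory)] [string[]] $DcOperatingSystems
    )
    $blocking = @($DcOperatingSystems | Where-Object {
        -not (Test-DcOsAllowed -FunctionalLevel $TargetLevel -DcOperatingSystem $_)
    })
    if ($blocking.Count -gt 0) {
        $list = ($blocking | Sort-Object -Unique) -join ', '
        Write-Warning "Cannot raise to '$TargetLevel': $($blocking.Count) DC(s) still run $list"
        return $false
    }
    return $true
}

# Live query through ADSI (needs a domain-joined host). On a directory whose schema
# predates msDS-Behavior-Version the attribute is absent, [int]$null is 0, and the
# result correctly reads as the Windows 2000 level.
function Get-LiveFunctionalLevels {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [ADSI]"LDAP://$($root.defaultNamingContext)"
    $parts  = [ADSI]"LDAP://CN=Partitions,$($root.configurationNamingContext)"
    [pscustomobject]@{
        Domain = ConvertTo-DomainFunctionalLevel -BehaviorVersion ([int]$domain.'msDS-Behavior-Version'.Value) `
                                                 -NtMixedDomain   ([int]$domain.ntMixedDomain.Value)
        Forest = ConvertTo-ForestFunctionalLevel -BehaviorVersion ([int]$parts.'msDS-Behavior-Version'.Value)
    }
}

# Offline demonstration with constructed values: a Windows 2000 mixed domain that still
# has one Windows NT 4.0 backup domain controller.
$level = ConvertTo-DomainFunctionalLevel -BehaviorVersion 0 -NtMixedDomain 1
"Current domain functional level: $level"
$inventory = @('Windows NT 4.0', 'Windows 2000', 'Windows Server 2003')
Test-ReadyToRaise -TargetLevel 'Windows 2000 native'  -DcOperatingSystems $inventory          # False, NT 4.0 BDC blocks it
Test-ReadyToRaise -TargetLevel 'Windows Server 2003'  -DcOperatingSystems @('Windows Server 2003', 'Windows Server 2003')  # True
```

Run the offline demonstration anywhere; call Get-LiveFunctionalLevels only from a domain-joined host. The operating system inventory is kept as a plain parameter so the same check serves a forest-wide raise: pass the operating systems of every domain controller in every domain, with the forest level name as the target.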

The following table describes the forest-wide features that are enabled at the Windows 2000 and Windows Server 2003 forest functional levels.

Global catalog replication improvements
(For more information, see Global catalog replication.)
  Windows 2000:         Enabled if both replication partners are running Windows Server 2003; otherwise disabled.
  Windows Server 2003:  Enabled

Defunct schema objects
(For more information, see Deactivating a class or attribute.)
  Windows 2000:         Disabled
  Windows Server 2003:  Enabled

Forest trusts
(For more information, see Forest trusts.)
  Windows 2000:         Disabled
  Windows Server 2003:  Enabled

Linked value replication
(For more information, see How replication works.)
  Windows 2000:         Disabled
  Windows Server 2003:  Enabled

Domain rename
(For more information, see Renaming domains.)
  Windows 2000:         Disabled
  Windows Server 2003:  Enabled

Improved Active Directory replication algorithms
(For more information, see Replication overview.)
  Windows 2000:         Disabled
  Windows Server 2003:  Enabled

Dynamic auxiliary classes
(For more information, see New features for Active Directory.)
  Windows 2000:         Disabled
  Windows Server 2003:  Enabled

InetOrgPerson objectClass change
(For more information about InetOrgPerson objects, see User and computer accounts.)
  Windows 2000:         Disabled
  Windows Server 2003:  Enabled