Functional Levels
You are probably familiar with the mixed and native modes of Active Directory in Microsoft Windows 2000. Mixed mode provides backward compatibility with NT 4.0 environments, where Backup Domain Controllers can exist and authenticate user logons. Promoting a Windows 2000 domain to Native mode eliminates the use of Backup Domain Controllers and, in turn, provides additional Active Directory features such as Universal Groups.

With Windows Server 2003, the concept of modes is augmented with the introduction of functional levels. Like Windows 2000 Active Directory modes, functional levels provide levels of backward compatibility for both Windows NT 4.0 and Windows 2000 domains. In Windows Server 2003, there are four domain functional levels and three forest functional levels. This section will provide an overview of the Windows functional levels and their implications on administrative design and management.
Common Misunderstanding

There is a common misunderstanding that a native mode forest in Windows 2000 requires that all servers and workstations in the network are Windows 2000 or higher configurations and that an organization could not have Windows NT 4 servers or workstations, or Windows 9x workstations. This is a misunderstanding because a native mode forest in Windows 2000 only required that all domain controllers were Windows 2000. A native mode forest in Windows 2000 could have Windows NT 4 member servers, Windows NT 4 workstations, and Windows 9x workstations in the domain and still
Windows 2000 Mixed Domain Functional Level

The Windows 2000 Mixed domain functional level provides for backward compatibility with a Windows 2000 Active Directory running in Mixed Mode. Installed at this level, Windows Server 2003 domain controllers will be able to communicate with both Windows NT 4.0 and Windows 2000 domain controllers throughout the forest. At this level, Windows Server 2003 shares the same limitations present in the Windows 2000 mixed mode domain. Usually, this is a temporary level for most companies that are in the process of migrating to a native mode Active Directory.
Windows 2000 Native Functional Level

The Windows 2000 Native functional level is the initial operating level of Windows Server 2003 domain controllers installed into a Windows 2000 native mode domain. At this level there are no NT 4.0 domain controllers. All authentication is performed by Windows 2000 and Windows Server 2003 domain controllers.
Windows Server 2003 Interim Functional Level

The Windows Server 2003 Interim functional level is the initial operating level of Windows Server 2003 domain controllers installed into a Windows NT 4.0 domain. This level is provided primarily as a stepping stone during a migration from Windows NT 4.0 to Windows Server 2003. The Interim functional level comes into play for those companies that have not upgraded to Windows 2000, but instead migrate directly to Windows Server 2003 Active Directory.
Windows Server 2003 Functional Level

To gain the full functionality of a Windows Server 2003 Active Directory, the Windows Server 2003 functional level is the final goal for domain and forest functional levels. Functionality at this level enables many of the new features available to Windows Server 2003, such as renaming domains and domain controllers, schema deactivation, and cross-forest trusts. For you to promote your Active Directory to the full Windows Server 2003 functional level, all domain controllers must be upgraded to Windows Server 2003. Individual domains can be promoted to the Windows Server 2003 functional level, but the forest can only be promoted to this functional level after all the domains in the forest are operating at this highest level.
You can use Active Directory Users and Computers or Active Directory Domains and Trusts to elevate domain functional levels. To raise the forest functional level, though, you must use the Active Directory Domains and Trusts tool. If you are ready to perform both operations, follow these steps:

1. Ensure that all domain controllers in the forest are upgraded to Windows Server 2003.
2. Open Active Directory Domains and Trusts from the Administrative Tools menu.
3. In the left scope pane, right-click on the domain name and then click Raise Domain Functional Level.

[Figure 4.5 Raising the domain functional level.]

5. Click OK and then click OK again to complete the task.
6. Repeat steps 1 through 5 for all domains in the forest.
7. Perform the same steps on the forest root object, except this time choose Raise Forest Functional Level and follow the prompts.
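As an added example (not from the book), the following PowerShell pre-flight check enforces step 1 before the raise in steps 3 through 7: it lists every domain controller in each domain of the forest, refuses to touch a domain that still has Windows 2000 or NT 4.0 domain controllers, and leaves every change in -WhatIf mode so the one-way operation is only reported, not performed. It assumes the ActiveDirectory PowerShell module (RSAT), which postdates Windows Server 2003; the blocked operating-system pattern is a constructed assumption.

```powershell
# Added example, not the book's own procedure. Requires the ActiveDirectory
# module (RSAT). Nothing is changed while -WhatIf stays on the Set-* calls.
Import-Module ActiveDirectory

function Test-DcReadiness {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Constructed pattern: DCs whose OS matches this would be dropped
        # from the domain once the level is raised.
        [string]$BlockedOsPattern = 'Windows 2000|Windows NT'
    )
    # -Server with a domain name lets the cmdlet locate a DC for that domain.
    $dcs = Get-ADDomainController -Filter * -Server $DomainName
    $notReady = @($dcs | Where-Object { $_.OperatingSystem -match $BlockedOsPattern })
    foreach ($dc in $notReady) {
        Write-Warning ("{0} in {1} still runs '{2}'; raising the level would drop it." -f `
            $dc.HostName, $DomainName, $dc.OperatingSystem)
    }
    return ($notReady.Count -eq 0)
}

$forest = Get-ADForest
"Forest $($forest.Name) is currently at $($forest.ForestMode)"

$allDomainsReady = $true
foreach ($domain in $forest.Domains) {
    $mode = (Get-ADDomain -Identity $domain).DomainMode
    "Domain $domain is currently at $mode"
    if (Test-DcReadiness -DomainName $domain) {
        # Remove -WhatIf only after accepting that the raise cannot be undone.
        Set-ADDomainMode -Identity $domain -DomainMode Windows2003Domain -WhatIf
    } else {
        $allDomainsReady = $false
    }
}

# The forest can only follow once every domain is at the target level.
if ($allDomainsReady) {
    Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest -WhatIf
} else {
    Write-Warning 'At least one domain is not ready; forest level left unchanged.'
}
```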
Domain Administrative Functionality

There are new administrative capabilities at each domain functional level that you should be aware of. In part, understanding the new capabilities helps in the decision to elevate functional levels. It is also important to keep these capabilities in mind when deciding whether to grant or prevent
Raising Functional Levels Is a One-way Operation

Be sure you will not need to add Windows 2000 domains to your forest before performing this process. When the forest is Windows Server 2003 functional, this applies to child domains as well.
When you elevate your domain from the Windows 2000 Mixed to the Windows 2000 Native functional level, you add the following administrative capabilities:

SID History: This feature enables you to migrate security principals from one domain to another while preserving associated access control lists (ACLs).

Converting Groups: This feature gives you the capability to change distribution groups into security groups and security groups into distribution groups.

Nesting Groups: In mixed mode, you can nest distribution groups, but not security groups. Windows 2000 Native mode allows you full nesting of security groups.

Universal Groups: Universal groups can contain accounts, global groups, and universal groups from any domain in the forest.

Elevating your domain from the Windows 2000 Native functional level to the Windows Server 2003 functional level gives you the capability to rename domain controllers within that domain.
When you raise your forest functionality from Windows 2000 to Windows Server 2003, you enable the following administrative capabilities:

Deactivation of schema objects: Although you cannot delete classes or attributes, you can deactivate them if they are no longer needed or if there was an error in the original definition.

Forest trusts: With this functionality, you can link two separate Windows Server 2003 forests to form one-way or two-way transitive trust relationships. A two-way forest trust creates a transitive trust between every domain in both forests.

Domain rename: Within a Windows Server 2003 functional level forest, you have the ability to rename domains. This functionality also permits the restructuring of domains within the forest.
The Senior Administrator Should Limit the Access of Who Can Raise the Functional Level of a Domain

Rather than leaving the privilege to all Domain Admins, the right should be blocked to all Domain Admins and assigned to specific administrators. Although it is unlikely an individual would maliciously raise the functional level of a domain and effectively cause non-compliant domain controllers to be dropped from the network, there is a very common possibility of an inexperienced administrator accidentally changing the functionality level, and [...] network.
Be Very Careful in Designing Your Administrative Framework

... so that only individuals who understand and are responsible for the implications of forestwide changes have access to make them.

The forestwide capabilities of Windows Server 2003 each have an enormous impact on the stability of your enterprise network.