What Are Active Directory Functional Levels?

In this section

  • Active Directory Functional Level Scenarios
  • Active Directory Functional Level Dependencies

In Windows Server 2003 Active Directory, domain controllers can run different versions of Windows Server operating systems. The Active Directory functional level of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The functional level of a domain or forest controls which advanced features are available in the domain or forest.

Ideally, all servers in an organization could run the latest version of Windows (Windows Server 2003) and take advantage of all advanced features available with the newest software. But organizations often have a mixture of systems, generally running different versions of operating systems, which are migrated to the latest version only as organizational requirements demand additional functionality, either for the entire organization or for a specific area of the organization.

Active Directory supports phased implementation of Windows Server 2003 and advanced features on domain controllers by providing multiple Active Directory functional levels, each of which is specific to the versions of Windows Server operating systems that are running on the domain controllers in the environment. These functional levels provide configuration support for the Active Directory features in Windows Server 2003 and ensure compatibility with domain controllers running Windows 2000 Server and Windows NT 4.0.

Windows Server 2003 Active Directory does not automatically enable advanced features, even if all domain controllers within a forest are running Windows Server 2003. Instead, an administrator raises a domain or forest to a specific functional level to safely enable advanced features when all domain controllers in the domain or forest are running an appropriate version of Windows Server. When an administrator attempts to raise the functional level, Active Directory checks if all domain controllers are running an appropriate Windows Server operating system to ensure the proper environment for enabling new Active Directory features.

Raising the functional level allows the introduction of advanced features but also limits the versions of Windows Server that can run on domain controllers in the environment. Windows Server 2003 has two types of Active Directory functional levels:

  • Domain functional level. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. Setting the functional level for a domain enables features that affect the entire domain and that domain only. If all domain controllers in a domain are running Windows Server 2003 and the functional level is set to Windows Server 2003, all domain-wide features are available.
  • Forest functional level. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003. Setting the functional level for a forest enables features across all the domains within a forest. If all domain controllers in a forest are running Windows Server 2003 and the functional level is set to Windows Server 2003, all forest-wide features are available.

When domain controllers running Windows NT 4.0 or Windows 2000 Server are included in your domain or forest with domain controllers running Windows Server 2003, advanced Active Directory features are limited.

The concept of enabling additional functionality in Active Directory exists in Windows 2000 with mixed and native modes. Mixed-mode domains can contain Windows NT 4.0 backup domain controllers and cannot use Universal security groups, group nesting, and security identifier (SID) history capabilities. When the domain is set to native mode, Universal security groups, group nesting, and SID history capabilities are available. Domain controllers running Windows NT 4.0 or Windows 2000 Server are not aware of Windows Server 2003 domain and forest functional levels.

Active Directory Functional Level Scenarios

Functional levels provide a method for any organization to introduce the latest Active Directory functionality. The advanced functionality can be optimized immediately, or phased in over time, depending on the needs of each organization. The following scenarios describe how functional levels can meet a range of deployment needs:

  • A small organization running only the Windows Server 2003 operating system on domain controllers. In this scenario, a small organization might be creating an Active Directory infrastructure for the first time, using only two domain controllers in a forest with a single domain. By installing Windows Server 2003 on both domain controllers and raising the functional level of the forest to Windows Server 2003, the organization can immediately take advantage of all of the advanced Active Directory features available in Windows Server 2003.
  • A mid-size organization with accelerated upgrade requirements. In this scenario, a mid-size organization might have a native mode Windows 2000 Server domain, and would now like to start upgrading domain controllers to Windows Server 2003. Upgrading to Windows Server 2003 on some domain controllers, while maintaining some previously installed domain controllers running Windows 2000 Server, enables the mid-size organization to take advantage of much of the latest functionality, even though not all domain controllers are running Windows Server 2003. Later, after all domain controllers running Windows 2000 Server have been upgraded to Windows Server 2003, the organization can raise the forest functional level to take advantage of all advanced Active Directory features.
  • A large organization with phased upgrade requirements. In this scenario, an enterprise with a mature and complex forest with multiple domains, some of which are still running Windows NT 4.0 backup domain controllers (BDCs), might now be ready to install one or more new domain controllers running Windows Server 2003. The organization might want to raise functional levels in a phased manner (one domain at a time). They could target certain domains that are running in mixed mode (they have a mix of Windows NT 4.0 BDCs and Windows 2000 domain controllers) and upgrade the Windows NT 4.0 BDCs first to Windows 2000 or Windows Server 2003. After they have upgraded all Windows NT 4.0 BDCs in the domain, they could raise the functional level of only that domain to the next functional level, Windows 2000 native, to take advantage of additional Active Directory features.
    They could then proceed to upgrade the remaining domain controllers running Windows 2000 Server to Windows Server 2003. Once that is done, they can raise the functional level of that domain further to gain additional Active Directory features. Once satisfied with the results in that domain, the organization can carry out a similar exercise in other domains. After upgrading every domain in the forest to Windows Server 2003, they can finally raise the functional level of the forest to Windows Server 2003 to take advantage of all advanced Active Directory features for Windows Server 2003.

Active Directory Functional Level Dependencies

Active Directory domain and forest functionality has the following dependencies:

  • After all domain controllers are running an appropriate version of Windows Server, the domain or forest must be configured to support the appropriate domain or forest functional level. That is, to provide support in a domain or forest for advanced Active Directory features, an administrator must raise the domain functional level or forest functional level, which can only be done if the domain controllers are each running the appropriate version of Windows Server.
  • After the domain functional level is raised, domain controllers running earlier versions of Windows Server cannot be introduced into the domain. After the forest functional level is raised, domain controllers running earlier versions of Windows Server cannot be introduced into the forest.
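
The dependency rules above, applied to the phased-upgrade scenario, as an added example (not Microsoft code). The inventory and domain controller names are constructed, and the two interim levels are left out because this page does not say which domain controllers they allow.

```python
# Added example: models the functional-level dependency rules from this page.
NT4, W2K, W2K3 = "Windows NT 4.0", "Windows 2000 Server", "Windows Server 2003"

# Levels lowest first, with the DC operating systems each one tolerates.
DOMAIN_LEVELS = {
    "Windows 2000 mixed": {NT4, W2K, W2K3},
    "Windows 2000 native": {W2K, W2K3},
    "Windows Server 2003": {W2K3},
}
FOREST_LEVELS = {
    "Windows 2000": {NT4, W2K, W2K3},
    "Windows Server 2003": {W2K3},
}

def blockers(dcs, target, levels):
    """DCs (name -> OS) whose OS is not allowed at the target level."""
    return {dc: os for dc, os in dcs.items() if os not in levels[target]}

def can_raise(dcs, current, target, levels):
    """A raise must move upward and every DC must run an allowed OS."""
    order = list(levels)
    if order.index(target) <= order.index(current):
        return False
    return not blockers(dcs, target, levels)

def can_introduce_dc(level, os, levels):
    """After a raise, DCs running an earlier OS can no longer be added."""
    return os in levels[level]

def forest_dcs(forest):
    """Flatten {domain: {dc: os}} into one {domain/dc: os} inventory."""
    return {f"{dom}/{dc}": os
            for dom, dcs in forest.items() for dc, os in dcs.items()}

# Constructed inventory (hypothetical names) for the phased-upgrade scenario.
FOREST = {
    "corp": {"DC1": W2K3, "DC2": W2K3},
    "branch": {"BDC1": NT4, "DC3": W2K, "DC4": W2K3},
}

if __name__ == "__main__":
    branch = FOREST["branch"]
    # The NT 4.0 BDC is what keeps "branch" in mixed mode.
    print(blockers(branch, "Windows 2000 native", DOMAIN_LEVELS))
    # The forest raise is blocked by every pre-2003 DC in any domain.
    print(blockers(forest_dcs(FOREST), "Windows Server 2003", FOREST_LEVELS))
```

The `blockers` output is the upgrade worklist: each entry is a domain controller that must be upgraded or retired before the corresponding raise will be accepted.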