Active Directory Functional Levels Tools and Settings

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Tools for Managing Active Directory Functional Levels

  • Network Ports Used to Raise Active Directory Functional Levels

  • Related Information

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

This section contains information about the tools that are associated with Active Directory functional levels.

Tools for Managing Active Directory Functional Levels

The following tools are associated with Active Directory functional levels.

Domain.msc: Active Directory Domains and Trusts

Category

An Active Directory Administrative Tools Microsoft Management Console (MMC) snap-in that is automatically installed on all domain controllers.

Version compatibility

This tool is compatible with domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. This tool can also be run on computers running Windows XP Professional. Updated versions of this tool can also be run on later versions of Windows. For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

Active Directory Domains and Trusts provides a graphical user interface (GUI) that can be used to manage Active Directory forests, domains, and trusts. Specific to functional levels, this tool can be used for the following:

  • To view the current domain functional level by viewing the properties of the domain object.

  • To view the current forest functional level by viewing the properties of the Active Directory Domains and Trusts node.

  • To raise a domain functional level.

  • To raise a forest functional level.

Dsa.msc: Active Directory Users and Computers

Category

An Active Directory Administrative Tools MMC snap-in that is automatically installed on all domain controllers.

Version compatibility

This tool is compatible with domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. This tool can also be run on computers running Windows XP Professional. Updated versions of this tool can also be run on later versions of Windows. For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

Active Directory Users and Computers provides a GUI that can be used to manage users and computers in Active Directory domains. Specific to functional levels, this tool can be used for the following:

  • To view the current domain functional level by viewing the properties of the domain object.

  • To raise a domain functional level.

In addition, LDAP Query can be used in this tool for the following:

  • To identify domain controllers running Windows NT 4.0.

  • To connect to a domain.

Adsiedit.exe: ADSI Edit

Category

This tool is included with Support Tools for Windows Server 2003, and it is automatically installed on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.

Version compatibility

Can be run from

Computers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

  • Windows XP Professional

Can be run against

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

Updated versions of this tool can also be run on later versions of Windows. For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

ADSI Edit is an MMC tool that uses Active Directory Service Interfaces (ADSI), which in turn uses the Lightweight Directory Access Protocol (LDAP). This tool can be used to view and modify directory objects in the Active Directory database. Specific to functional levels, this tool can be used to edit the value of the msDS-Behavior-Version attribute of the Partitions container to raise the forest functional level to Windows Server 2003 interim, which cannot be done by using the Active Directory MMC administrative tools.

The msDS-Behavior-Version attribute is set in the ADSI Edit console on the Partitions container object (class crossRefContainer) in the configuration directory partition (cn=partitions,cn=configuration,dc=ForestRootDomainName). Raising the forest functional level to Windows Server 2003 interim requires changing the default value of the attribute from 0 to a value of 1.

To find more information about ADSI Edit, see “Support Tools Help” in Tools and Settings Collection.

Ldp.exe: Ldp

Category

This tool is included with Support Tools for Windows Server 2003, and it is automatically installed on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.

Version compatibility

Can be run from

Computers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows Server 2003, Web Edition

  • Windows XP Professional

Can be run against

Domain controllers running:

  • Windows Server 2003, Standard Edition

  • Windows Server 2003, Enterprise Edition

  • Windows Server 2003, Datacenter Edition

  • Windows 2000 Server

Updated versions of this tool can also be run on later versions of Windows. For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

Ldp is a GUI tool that can be used to perform LDAP operations (such as connect, bind, search, modify, add, or delete) against any LDAP-compatible directory, such as AD DS.

Specific to functional levels, Ldp can be used as an alternative to ADSI Edit to modify the value of the msDS-Behavior-Version attribute of the Partitions container object (class crossRefContainer) in the configuration directory partition (cn=partitions,cn=configuration,dc=ForestRootDomainName) and raise the forest functional level to Windows Server 2003 interim, which cannot be done by using the Active Directory administrative MMC tools.

The msDS-Behavior-Version attribute is set in Ldp by using the Replace operation in the Modify dialog box to change the default value of the attribute from 0 to a value of 1, which raises the forest functional level to Windows Server 2003 interim.
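The Replace operation that ADSI Edit and Ldp perform on the Partitions container can be written out as an LDIF change record, which makes the exact DN and value easy to review before anything is modified. This is an added example, not part of the original topic; the function names and the sample forest name corp.example.com are assumptions made for illustration.

```python
# Added example (not from the original topic). Builds the LDIF modify record
# equivalent to the Replace operation on msDS-Behavior-Version.

ATTRIBUTE = "msDS-Behavior-Version"

# Forest functional level values stored on the Partitions container.
# 0 (default) and 1 are the values this topic discusses.
FOREST_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
}


def partitions_dn(forest_root_dns: str) -> str:
    """Expand dc=ForestRootDomainName into the full Partitions container DN."""
    labels = forest_root_dns.strip(".").split(".")
    # Reject anything that is not a plain DNS label so the DN cannot be malformed.
    if any(not l or not l.replace("-", "").isalnum() for l in labels):
        raise ValueError(f"not a DNS domain name: {forest_root_dns!r}")
    return "cn=partitions,cn=configuration," + ",".join(f"dc={l}" for l in labels)


def build_raise_ldif(forest_root_dns: str, current: int, target: int = 1) -> str:
    """Return the LDIF record that replaces the attribute value with `target`."""
    for value in (current, target):
        if value not in FOREST_LEVELS:
            raise ValueError(f"unknown functional level value: {value}")
    # This example treats a raise as one-way: no no-op and no lowering.
    if target <= current:
        raise ValueError(
            f"forest is already at {FOREST_LEVELS[current]!r}; refusing to write {target}"
        )
    return "\n".join([
        f"dn: {partitions_dn(forest_root_dns)}",
        "changetype: modify",
        f"replace: {ATTRIBUTE}",
        f"{ATTRIBUTE}: {target}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample forest name; the current value 0 is the default.
    print(build_raise_ldif("corp.example.com", current=0, target=1))
```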

To find more information about Ldp, see “Support Tools Help” in Tools and Settings Collection.

Dcpromo.exe: Active Directory Domain Services Installation Wizard

Category

A wizard that is included with Windows Server. It is available from the command line or from the Configure Your Server Wizard on any computer running Windows Server 2003 or from Server Manager on servers that run Windows Server 2008 or Windows Server 2008 R2.

Version compatibility

This tool is compatible with computers running all editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, except Web Edition.

The Active Directory Domain Services Installation Wizard provides a GUI for setting up a domain controller by installing AD DS and, optionally, DNS. Specific to functional levels, when you upgrade a Windows NT 4.0 PDC to Windows Server 2003 and form a new forest, the wizard can be used on that PDC to raise the forest functional level to Windows Server 2003 interim, if appropriate.

Network Ports Used to Raise Active Directory Functional Levels

The following table shows the network ports that are used to raise functional levels.

Port Assignments for Raising Active Directory Functional Levels

Service Name    TCP port
LDAP            389
LDAP SSL        636

In addition, replication to all domain controllers requires the ports that are used for replication. For more information about the ports that are used for replication, see Active Directory Replication Tools and Settings in this collection.

The following resources contain additional information that is relevant to this section.