Functional Levels 101:
Knowing how to check and control functional levels in Windows Server 2003 is a useful skill. You will often be asked to add functionality to your domain, and if you are using mixed versions of Windows (NT/2000/2003), you have to consider the ‘functional level’ set on either the domain or the forest to get the desired or requested features. In this article we will look at the functional levels available, how to determine what is set on your production systems, how to change it if need be, and some features you get from deploying Windows Server 2003 as the functional level, such as domain rename.
A new feature that you may want to use is 'domain rename'. This is only available if all your systems are running Windows Server 2003. This feature is a big help. Domain Rename allows you to replicate portions of a group change instead of the whole group again, which cuts down on traffic sent across the network and helps speed up Active Directory database convergence.
Just to single out one new service, such as domain rename, you can see why you would want to verify and then possibly plan for a domain/forest functional level upgrade. Active Directory domain rename tools provide a way to rename one or more domains in an Active Directory forest. The DNS name and the NetBIOS name of a domain can be completely changed using domain rename. A future article will cover how to use domain rename.
Identify your Functional Level
Now that you know why you have a functional level (and what it is), you should understand how to identify it as well as change it. Before you do, there is one mandatory item you should complete, and that’s to document (or update the documentation) on your current servers in your domain/forest. It’s imperative that you list out all of the different Windows operating systems that you are currently running and that you plan to keep in your environment after you deploy Windows Server 2003. Having a mixed environment will ultimately keep you from using many features domain or forest-wide.
The following graphic shows a sample worksheet you can create to get and list the levels on your production servers for quick analysis. The columns are easy to understand. You would want to have a host name and IP address for your system, the service pack level, the operating system version or level, as well as the current and future functional levels documented so you can plan your ‘desired functional level’.
Once you have collected this information you can use the next section to help you plan out what you need to do if you want to alter the functional level.
Checking and Changing the Functional Level
Now that you have your sheet, we need to fill it out. In this next section we will look at how to get the information you need to get the current functional level and how to change it.
To get your current service pack level (and OS level), go to your system's Control Panel and click on the System applet. This will show you the information you need. To get the hostname and current IP address, you can use the ipconfig /all command-line utility (Start => Run => cmd => ipconfig /all).
To find and then change the functional level, you do the following:
- First, you need to open up the Active Directory Domains and Trusts MMC found in your Administrative Tools folder. (Also found in the Control Panel or in the Start Menu).
- To check the domain functional level, right click on the current domain and select Properties, this will show you the current level. On mine, I specifically have it set lower and will show you how to upgrade it.
- To raise the domain functional level, right click on the current domain and you will see an option to ‘Raise Domain Functional Level…’ select this option.
- Once you select to raise the domain functional level, you will be shown the Raise Domain Functional Level dialog box, where you can change the domain level (seen here at Windows 2000 native) to Windows Server 2003. Under 'Select an available domain functional level', change the functional level to Windows Server 2003 and select ‘Raise’. Note the warning exclamation point on the dialog box itself. It means you should not make this change if you may want to change it back later, because it can't be changed. Once set in motion, you will be hard pressed to revert back. Make sure you read the rest of this article before making any changes, and always make changes on a test/lab system first.
- Once you select Raise, you will be asked the following:
- Once you select OK, you will be given a confirmation:
- You can now ‘re-verify’ the functional level:
That’s it. You can see how easy it is to do; it’s the planning and design that take the most time and work on this project. As you can see from the last graphic, the domain level is now set to Windows Server 2003, but the forest level is still set to Windows 2000. Again, if you have instances where you need to keep the older system in place, this would be ideal, but if you have all Windows Server 2003 systems, then go ahead and raise the forest functional level to Windows Server 2003. This can be done by going back into the Active Directory Domains and Trusts MMC, right clicking the root of the console and selecting ‘Raise Forest Functional Level…’. Following the same steps as above will lead you through the forest upgrade, and you will be given similar warnings about making sure you want to make your change.
You can also verify the functional level within the Active Directory Users and Computers MMC, although you can’t change it there. Right click on the Domain node (seen here as rsnetworks.net) and you can see the domain and forest functional levels in the General tab.
Before you make these changes, you should definitely make sure you plan properly. Planning is the first step you should take in every deployment, especially one of this nature where you are changing Active Directory in a way in which it can't be reversed.
How to Plan
What may be confusing about planning is what needs to be done with ‘mixed’ networks that have NT, 2000 and 2003 systems. With your handy information sheet, you can now plan out your strategy for contending with all three (for now).
If you are running Windows NT 4.0 and you are moving directly to 2003, not Windows 2000, then after you deploy the first Windows Server 2003–based domain controller, raise the forest functional level to Windows Server 2003 interim to take advantage of the advanced features available at that forest functional level. If you have both NT 4.0 and 2000 servers in your environment, once you put in the new Windows Server 2003 domain controller you will want to keep the domain level at Windows 2000.
If you raise the domain (and/or forest) functional level to Windows Server 2003, you won’t be able to add any new domain controllers that are running versions of Windows any earlier than Windows Server 2003 into that domain. Make sure you decide that you want to do this, what you plan to get out of it and then make sure you do it carefully.
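The worksheet and the pre-raise check described above can also be produced from a script. The following PowerShell is an added example, not part of the original article: it reads the current domain and forest functional levels and lists every domain controller with its OS and service pack, flagging any that run something older than Windows Server 2003. It assumes a domain-joined machine and an account that can read the directory; the variable and column names are illustrative.

```powershell
# Added example, not from the original article. Read-only: nothing in AD is changed.
# Assumes a domain-joined machine and an account allowed to read the directory.
$names = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }

$rootDse     = [ADSI]'LDAP://RootDSE'
$domainDn    = [string]$rootDse.Properties['defaultNamingContext'].Value
$domainLevel = [int]$rootDse.Properties['domainFunctionality'].Value
$forestLevel = [int]$rootDse.Properties['forestFunctionality'].Value

# nTMixedDomain on the domain object separates Windows 2000 mixed (1) from native (0).
$domain = [ADSI]"LDAP://$domainDn"
$mixed  = [int]$domain.Properties['nTMixedDomain'].Value

$forestName = if ($names.ContainsKey($forestLevel)) { $names[$forestLevel] } else { "level $forestLevel" }
$domainName = if ($domainLevel -eq 0) {
    if ($mixed -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' }
} elseif ($names.ContainsKey($domainLevel)) { $names[$domainLevel] } else { "level $domainLevel" }

# Domain controllers are computer accounts with the SERVER_TRUST_ACCOUNT bit (8192) set.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PageSize = 500
foreach ($a in 'dnshostname','operatingsystem','operatingsystemversion','operatingsystemservicepack') {
    [void]$searcher.PropertiesToLoad.Add($a)
}

$rows = foreach ($r in $searcher.FindAll()) {
    $p    = $r.Properties
    $name = "$($p['dnshostname'])"
    $ver  = "$($p['operatingsystemversion'])"       # e.g. "5.2 (3790)" on Windows Server 2003
    $mm   = ($ver -split ' ')[0]
    # NT 4.0 reports 4.0 and Windows 2000 reports 5.0; both are below 5.2 (Windows Server 2003).
    $old  = if ($mm -match '^\d+\.\d+$') { [version]$mm -lt [version]'5.2' } else { $null }
    $ip   = try { ([System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1).IPAddressToString } catch { '' }
    [pscustomobject]@{
        HostName     = $name
        IPAddress    = $ip
        OS           = "$($p['operatingsystem'])"
        ServicePack  = "$($p['operatingsystemservicepack'])"
        OlderThan2003 = $old                          # $null means the version could not be read
    }
}

"Domain functional level: $domainName"
"Forest functional level: $forestName"
$rows | Sort-Object HostName | Format-Table -AutoSize

$blockers = @($rows | Where-Object { $_.OlderThan2003 -ne $false })
if ($blockers.Count -gt 0) {
    "Do not raise to Windows Server 2003 yet: $($blockers.Count) domain controller(s) are older or unverified."
}
```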
In this article we covered functional level settings at the domain and forest level. We covered how to verify what they are, how to change them and what that brings you. In future articles we will cover how to do more with functional levels, especially if you have a pure Windows Server 2003 environment to work with.