This article describes how to raise the functional levels of Active Directory domains and forests.
Applies to: Windows Server 2003
Original knowledge base number: 322692
For information about Windows Server 2016 and new features in Active Directory Domain Services (AD DS), see What's New in Active Directory Domain Services for Windows Server 2016.
This article explains how to raise the domain and forest functional levels supported by domain controllers that run Microsoft Windows Server 2003 or later. There are four versions of Active Directory, and only the versions that changed since Windows NT Server 4.0 require special consideration. The other level changes are therefore described in terms of the newer, current, or earlier version of the domain controller operating system, domain functional level, or forest functional level.
Functional levels are an extension of the mixed-mode and native-mode concepts introduced in Microsoft Windows 2000 Server to enable new Active Directory features. Some additional Active Directory features are available when all domain controllers in a domain or forest are running the latest version of Windows Server and the administrator has enabled the appropriate functional level in the domain or forest.
To enable the latest domain features, all domain controllers must be running the latest version of the Windows Server operating system in the domain. When this requirement is met, the administrator can raise the functional level of the domain.
To enable the latest forest-wide features, all domain controllers in the forest must be running the version of the Windows Server operating system that corresponds to the desired functional level in the forest. Also, the functional level of the current domain must already be at the latest level. When these requirements are met, the administrator can raise the functional level of the forest.
In general, changes to the domain and forest functional levels are irreversible; where a change can be undone at all, a forest recovery is required. Starting with Windows Server 2008 R2, domain and forest functional level changes can be rolled back, but only in the specific scenarios described in the TechNet article on Active Directory functional levels.
The latest domain functional levels and the latest forest functional levels only affect how domain controllers work together as a group. Clients that interact with the domain or forest are not affected. Also, applications are not affected by changes to domain functional levels or forest functional levels. However, applications can take advantage of the latest domain features and the latest forest features.
For more information, see the TechNet article on features associated with different functional levels.
Raise the functional level
Do not raise the functional level if the domain or forest has a domain controller that runs an earlier version than that level requires. For example, the Windows Server 2008 functional level requires that all domain controllers in the domain or forest run Windows Server 2008 or a later operating system. After the domain functional level is raised, it can be changed back to an earlier level only through a forest restore. This limitation exists because functional levels change the way domain controllers communicate with each other or the way Active Directory data is stored in the database.
The most common way to enable domain and forest functional levels is to use the graphical user interface (GUI) administration tools documented in the TechNet article Windows Server 2003 Active Directory Functional Levels. That article covers Windows Server 2003, but the steps are the same for newer operating system versions. The functional level can also be set manually or by using Windows PowerShell scripts. For more information about how to configure the functional level manually, see the section Viewing and configuring the functional level manually.
For more information about using a Windows PowerShell script to set the functional level, see Raise the forest functional level.
Viewing and configuring the functional level manually
Lightweight Directory Access Protocol (LDAP) tools such as Ldp.exe and Adsiedit.msc can be used to view and change current forest and domain functional level settings. If you manually change functional level attributes, it is best to make the attribute changes on the Flexible Single Master Operations (FSMO) domain controller, which is often the target of Microsoft management tools.
Domain functional level settings
The msDS-Behavior-Version attribute is on the domain naming context (NC) head, for example DC=corp,DC=contoso,DC=com.
You can set the following values for this attribute:
- Value 0 or not set = mixed level domain
- Value 1 = Windows Server 2003 domain level
- Value 2 = Windows Server 2003 domain level
- Value 3 = Windows Server 2008 domain level
- Value 4 = Windows Server 2008 R2 domain level
Mixed mode and native mode settings
The ntMixedDomain attribute is on the domain naming context (NC) head, for example DC=corp,DC=contoso,DC=com.
You can set the following values for this attribute:
- Value 0 = native level domain
- Value 1 = mixed level domain
Forest functional level settings
The msDS-Behavior-Version attribute is on the CN=Partitions object in the configuration naming context (NC), that is, CN=Partitions,CN=Configuration,DC=ForestRootDomain.
You can set the following values for this attribute:
- Value 0 or not set = mixed level forest
- Value 1 = Windows Server 2003 interim forest level
- Value 2 = Windows Server 2003 forest level
- Value 3 = Windows Server 2008 forest level
- Value 4 = Windows Server 2008 R2 forest level
If you raise the msDS-Behavior-Version attribute from a value of 0 to a value of 1 by using Adsiedit.msc, the following error message appears:
Illegal modify operation. Some aspect of the modification is not permitted.
After you use the Lightweight Directory Access Protocol (LDAP) tools to change the functional level, click OK to continue. The attributes on the partitions container and on the domain head are incremented correctly. If Ldp.exe reports an error message, you can ignore it. To verify that the level was raised successfully, refresh the attribute list and check the current settings. This error message can also appear after the change is made on the FSMO role holder if the change has not yet replicated to the local domain controller.
Quickly view the current settings by using Ldp.exe
- Start Ldp.exe.
- On the Connection menu, click Connect.
- Specify the domain controller that you want to query, or leave the field blank to connect to any domain controller.
After you connect to a domain controller, the RootDSE information for that domain controller is displayed. This information includes forest, domain, and domain controller information. The following is an example from a Windows Server 2003-based domain controller; in this example, the domain mode is Windows Server 2003 and the forest mode is Windows 2000 Server.
The domain controller functionality value is the highest functional level that the domain controller itself supports.
- 1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 )
- 1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 )
- 1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 )
Prerequisites for changing the functional level manually
You must change the domain mode to native mode before you raise the domain level if either of the following conditions is true:
- The domain functional level is raised to the second functional level programmatically, by directly changing the value of the msDS-Behavior-Version attribute on the domainDNS object.
- The domain functional level is raised to the second functional level by using the Ldp.exe utility or the Adsiedit.msc utility.
If you do not change the domain mode to native mode before you raise the domain level, the operation does not complete successfully and you receive the following error message:
Additionally, the following message is logged in the Directory Services log:
Active Directory could not update the functional level of the following domain because the domain is in mixed mode.
In this scenario, you can change the domain mode to native mode by using the Active Directory Users and Computers snap-in, by using the Active Directory Domains and Trusts MMC snap-in, or by programmatically setting the ntMixedDomain attribute of the domainDNS object to 0. When the snap-ins are used to raise the domain functional level to 2 (Windows Server 2003), the domain mode is automatically changed to native mode.
The transition from mixed mode to native mode changes the scope of the Schema Admins security group and the Enterprise Admins security group to universal groups. When these groups have been changed to universal groups, the following message is logged in the System log:
Event Type: Information
Event Source: SAM
Event ID: 16408
Computer: Server Name
Description: "Domain operating mode has been changed to native mode. The change cannot be undone."
When you use the Windows Server 2003 administrative tools to raise the domain functional level, the ntMixedDomain attribute and the msDS-Behavior-Version attribute are modified in the correct order. However, this is not always the case. In the following scenarios, ntMixedDomain is implicitly set to 0 (native mode) without the scope of the Schema Admins security group and the Enterprise Admins security group being changed to universal:
- The msDS-Behavior-Version attribute, which controls the functional mode of the domain, is manually or programmatically set to a value of 2.
- The forest functional level is set to 2 by either method. In this scenario, the domain controllers block the transition to the forest functional level until all domains in the forest are configured for native mode and the necessary attribute change to the security group scopes is made.
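The attribute values listed above and the prerequisites just described can be checked before a manual raise. The following Python script is an added example and not part of the Microsoft article: it decodes msDS-Behavior-Version and ntMixedDomain values using the value-to-name table the article gives for the forest attribute, and reports the blockers the article describes (a domain controller below the target level, a missing attribute treated as 0, a domain still in mixed mode when raising to level 2, an interim domain when raising the forest to level 2, and any attempt to lower a level). The class names, the sample forest, and the domain controller names are constructed for the example.

```python
"""Decode functional-level attributes and check the preconditions for raising them (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Value-to-name table as the article lists it for the forest attribute. A domain controller
# with no msDS-Behavior-Version set is treated as 0, as the article notes ("0 or not set").
LEVEL_NAMES = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
}


def describe_level(value: Optional[int]) -> str:
    return LEVEL_NAMES.get(value or 0, f"unknown ({value})")


@dataclass
class DomainController:
    name: str
    functionality: Optional[int]    # domainControllerFunctionality from RootDSE; None if unset


@dataclass
class Domain:
    dn: str
    behavior_version: int           # msDS-Behavior-Version on the domain NC head
    nt_mixed_domain: int            # ntMixedDomain: 1 = mixed mode, 0 = native mode
    dcs: List[DomainController] = field(default_factory=list)


def describe_domain(domain: Domain) -> str:
    mode = "mixed" if domain.nt_mixed_domain else "native"
    return f"{describe_level(domain.behavior_version)} ({mode} mode)"


def domain_raise_blockers(domain: Domain, target: int) -> List[str]:
    """Reasons the article gives for a domain-level raise to fail or to be refused."""
    reasons = []
    if target < domain.behavior_version:
        reasons.append("lowering a functional level requires a forest recovery")
    for dc in domain.dcs:
        if (dc.functionality or 0) < target:
            reasons.append(f"{dc.name} runs at {describe_level(dc.functionality)}")
    if target >= 2 and domain.nt_mixed_domain == 1:
        reasons.append("domain is in mixed mode; set ntMixedDomain to 0 first")
    return reasons


def forest_raise_blockers(domains: List[Domain], target: int) -> List[str]:
    """A forest raise is blocked by any domain that could not itself be raised to the target."""
    reasons = []
    for domain in domains:
        reasons += [f"{domain.dn}: {r}" for r in domain_raise_blockers(domain, target)]
        if target >= 2 and domain.behavior_version == 1:
            reasons.append(f"{domain.dn}: interim domain must be raised to Windows Server 2003 first")
    return reasons


# Constructed forest (hypothetical names): a native-mode root, and a child still in mixed mode
# with one DC whose attribute is missing (treated as a Windows 2000 or damaged DC object).
ROOT = Domain("DC=corp,DC=contoso,DC=com", 0, 0,
              [DomainController("DC1", 2), DomainController("DC2", 2)])
CHILD = Domain("DC=sales,DC=corp,DC=contoso,DC=com", 0, 1,
               [DomainController("DC3", 2), DomainController("DC4", None)])

if __name__ == "__main__":
    for d in (ROOT, CHILD):
        print(d.dn, "->", describe_domain(d))
    for reason in forest_raise_blockers([ROOT, CHILD], 2):
        print("blocked:", reason)
```

Run as a script, it prints the decoded level of each domain and then the two blockers for the child domain (the unset attribute on DC4 and the mixed-mode setting); once both are corrected, the same check returns no blockers and the forest raise to level 2 can proceed.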
Functional levels relevant to Windows 2000 Server
Windows 2000 Server supports only mixed mode and native mode, and these modes apply only to domain functionality. The following sections list the Windows Server 2003 domain modes because these modes affect how Windows NT 4.0 and Windows 2000 Server domains are upgraded.
There are many considerations when you raise functional levels. These considerations are due to the storage and replication limitations of linked attributes in the Windows 2000 Server modes.
Windows 2000 Server mixed (default)
- Supported domain controllers: Microsoft Windows NT 4.0, Windows 2000 Server, Windows Server 2003
- Enabled features: local and global groups, global catalog support
Windows 2000 Server native
- Supported domain controllers: Windows 2000 Server, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
- Enabled features: group nesting, universal groups, SID history, conversion of groups between security groups and distribution groups. Domain levels can be raised by raising the forest level setting.
Windows Server 2003 interim
- Supported domain controllers: Windows NT 4.0, Windows Server 2003
- Enabled features: no domain-wide features are enabled at this level. All domains in a forest are automatically raised to this level when the forest level is raised to interim. This mode is used only when you upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003 domain controllers.
Windows Server 2003
- Supported domain controllers: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
- Enabled features: domain controller rename, logon timestamp attribute updated and replicated, user password support for the InetOrgPerson object class, constrained delegation, and redirection of the Users and Computers containers.
Domains that are upgraded from Windows NT 4.0 or created by promoting a Windows Server 2003-based computer operate at the Windows 2000 mixed functional level. Windows 2000 Server domains keep their current domain functional level when their Windows 2000 Server domain controllers are upgraded to Windows Server 2003. You can then raise the domain functional level to Windows 2000 Server native or to Windows Server 2003.
Interim: Upgrading from a Windows NT 4.0 domain
Windows Server 2003 Active Directory provides a special forest and domain functional level called Windows Server 2003 interim. This functional level is intended for upgrades of existing Windows NT 4.0 domains that need one or more Windows NT 4.0 backup domain controllers (BDCs) to keep working after the upgrade. Windows 2000 Server domain controllers are not supported in this mode. Windows Server 2003 interim applies to the following scenarios:
- Domain upgrades from Windows NT 4.0 to Windows Server 2003.
- Windows NT 4.0 BDCs are not upgraded immediately.
- Windows NT 4.0 domains that contain groups with more than 5,000 members (excluding the Domain Users group).
- There are no plans to ever deploy Windows 2000 Server domain controllers in the forest.
Windows Server 2003 interim offers two important enhancements while still enabling replication to Windows NT 4.0 BDCs:
- Efficient security group replication and support for more than 5,000 members per group.
- Improved Knowledge Consistency Checker (KCC) algorithms for generating inter-site topologies.
Because of the efficient group replication that the interim level enables, the interim level is the recommended level for all Windows NT 4.0 upgrades. For more information, see the Best practices section of this article.
Set the Windows Server 2003 interim forest functional level
Windows Server 2003 interim can be enabled in three different ways. The first two methods are strongly recommended, because security groups use linked value replication (LVR) as soon as the primary domain controller (PDC) of the Windows NT 4.0 domain is upgraded to a Windows Server 2003 domain controller. The third option is less recommended, because security group membership is stored in a single multivalued attribute until the level is raised, which can cause replication issues. The ways to enable Windows Server 2003 interim are:
- During the upgrade. The option appears in the Dcpromo Setup Wizard when you upgrade the PDC of a Windows NT 4.0 domain that becomes the first domain controller in the root domain of a new forest.
- Before the upgrade, when the Windows NT 4.0 PDC becomes the first domain controller of a new domain in an existing forest, by manually configuring the forest functional level with Lightweight Directory Access Protocol (LDAP) tools. Child domains inherit the forest-wide settings of the forest they are promoted into. If the PDC of a Windows NT 4.0 domain is upgraded as a child domain in an existing Windows Server 2003 forest whose forest functional level was set to interim with Ldp.exe or Adsiedit.msc, security groups use linked value replication from the moment the operating system upgrade completes.
- After the upgrade, by using LDAP tools.
Use the last two options when you join an existing Windows Server 2003 forest during an upgrade. This is a common scenario when there is an "empty root domain": the upgraded domain is added as a child of the empty root and inherits the settings of the forest.
Best practices
The following section describes best practices for raising functional levels. It is divided into two parts: "Preparatory tasks" covers the work to do before you raise a level, and "Optimal raise paths" discusses the reasoning and methods for various raise scenarios.
To discover Windows NT 4.0 domain controllers, follow these steps:
- On any Windows Server 2003-based domain controller, open Active Directory Users and Computers.
- If the snap-in is not already connected to the appropriate domain, connect to it as follows:
  - Right-click the current domain object, and then click Connect to Domain.
  - In the Domain dialog box, type the DNS name of the domain that you want to connect to, and then click OK. Or, click Browse to select the domain in the domain tree, and then click OK.
- Right-click the domain object, and then click Find.
- In the Find dialog box, click Custom Search.
- Click the domain whose functional level you want to change.
- In the Enter LDAP query box, type the following, with no spaces between the characters:
(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))
This query is not case sensitive.
A list of the computers in the domain that run Windows NT 4.0 and act as domain controllers is displayed.
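The query above combines a prefix match on operatingSystemVersion with the bitwise AND matching rule (OID 1.2.840.113556.1.4.803) on userAccountControl, and the bitwise rule is what makes it reliable: a domain controller's userAccountControl normally has other bits set besides SERVER_TRUST_ACCOUNT (8192), so a plain equality test would miss it. The following Python script is an added example, not part of the Microsoft article: it parses the small subset of LDAP filter syntax the query uses and evaluates the filter against constructed computer objects, so the matching behaviour can be inspected offline. The sample computers, their names, and the abbreviated objectCategory value are constructed for the example.

```python
"""Evaluate the article's LDAP filter for Windows NT 4.0 domain controllers (added example)."""

# Matching-rule OIDs used in Active Directory filters; the article's query uses the bitwise AND rule.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
SERVER_TRUST_ACCOUNT = 0x2000      # 8192: the userAccountControl bit that marks a domain controller
TRUSTED_FOR_DELEGATION = 0x80000   # 524288: also set on domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: member servers and workstations

NT4_DC_FILTER = ("(&(objectCategory=computer)(operatingSystemVersion=4*)"
                 "(userAccountControl:1.2.840.113556.1.4.803:=8192))")


def parse_filter(text, pos=0):
    """Parse a subset of RFC 4515 filters: &, |, !, equality/prefix, and extensible bit matches."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    if attr.endswith(":"):                      # extensible form: attr:rule:=value
        attr, _, rule = attr[:-1].partition(":")
        return ("ext", attr, rule, value), end + 1
    return ("eq", attr, value), end + 1


def _get(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val
    return None


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        _, attr, value = node
        actual = _get(entry, attr)
        if actual is None:
            return False
        actual, value = str(actual).lower(), value.lower()
        return actual.startswith(value[:-1]) if value.endswith("*") else actual == value
    _, attr, rule, value = node
    actual = _get(entry, attr)
    if actual is None:
        return False
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return int(actual) & int(value) == int(value)
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return int(actual) & int(value) != 0
    raise ValueError(f"unsupported matching rule {rule}")


# Constructed computer objects (not real directory data). objectCategory is abbreviated to
# "computer" here; in a real directory it is a DN that the server resolves to the same category.
SAMPLE_COMPUTERS = [
    {"cn": "NT4BDC1", "objectCategory": "computer", "operatingSystemVersion": "4.0",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"cn": "DC2003", "objectCategory": "computer", "operatingSystemVersion": "5.2 (3790)",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"cn": "NT4SRV", "objectCategory": "computer", "operatingSystemVersion": "4.0",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]


def find_nt4_dcs(entries, filter_text=NT4_DC_FILTER):
    tree, _ = parse_filter(filter_text)
    return sorted(e["cn"] for e in entries if matches(tree, e))


if __name__ == "__main__":
    print(find_nt4_dcs(SAMPLE_COMPUTERS))
```

Only NT4BDC1 matches: the Windows Server 2003 domain controller fails the version prefix, and the NT 4.0 member server lacks the SERVER_TRUST_ACCOUNT bit. Evaluating the plain filter (userAccountControl=8192) against NT4BDC1 returns false, which is why the bitwise rule belongs in the query.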
A domain controller can appear in the list for one of the following reasons:
- The domain controller runs Windows NT 4.0 and must be upgraded.
- The domain controller has been upgraded to Windows Server 2003, but the change has not replicated to the domain controller that you are querying.
- The domain controller is no longer in service, but its computer object has not been removed from the domain.
Before you change the domain functional level to Windows Server 2003, physically locate every domain controller that is listed, determine its current state, and upgrade or remove it as needed.
Unlike Windows 2000 Server domain controllers, Windows NT 4.0 domain controllers do not block a level raise. Changing the domain functional level breaks replication to Windows NT 4.0 domain controllers. However, if you try to raise the forest level to Windows Server 2003 while any domain is at the Windows 2000 Server mixed level, the raise is blocked. The absence of Windows NT 4.0 BDCs is implied by meeting the forest level requirement that all domains are at Windows 2000 Server native or higher.
Example: Preparatory tasks before raising the level
This example raises a Windows 2000 Server mixed-mode environment to the Windows Server 2003 forest level.
Perform a forest inventory for earlier-version domain controllers.
If an exact list of servers is not available, follow these steps:
- To discover mixed-level domains, Windows 2000 Server domain controllers, and domain controllers with missing or damaged objects, use the Active Directory Domains and Trusts snap-in.
- In the snap-in, click Raise Forest Functional Level, and then click Save As to create a detailed report.
- If no problems are found, the Windows Server 2003 forest level is available in the Available forest functional levels drop-down list. When you try to raise the forest level, the domain controller objects in the configuration container are searched for any domain controller that does not have an msDS-Behavior-Version value at the desired target level. Such objects are assumed to be Windows 2000 Server domain controllers or damaged objects of newer Windows Server domain controllers.
- If earlier-version domain controllers, or domain controllers with damaged or missing computer objects, are found, they are included in the report. Investigate the status of these domain controllers and repair or remove their representation in Active Directory by using Ntdsutil.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
216498 How to remove data in Active Directory after an unsuccessful domain controller demotion
Ensure that end-to-end replication works across the entire forest
To verify that end-to-end replication is working in the forest, use the Windows Server 2003 or later version of Repadmin against Windows 2000 Server or Windows Server 2003 domain controllers:
Repadmin /Replsum * /Sort:Delta [/Errorsonly] for the initial inventory.
Repadmin /Showrepl * /CSV > showrepl.csv. Import the file into Excel and use Data > AutoFilter to identify replication failures.
Use replication tools such as Repadmin to verify that forest-wide replication is working correctly.
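The AutoFilter step above can be automated, which matters when a forest has more partners than a spreadsheet is comfortable with. The following Python script is an added example, not part of the Microsoft article or of Repadmin: it reads the column layout that Repadmin /Showrepl /CSV writes and flags every inbound link that has consecutive failures or whose last success is older than a threshold. The CSV rows are constructed sample data in that layout, and the domain controller and site names are hypothetical.

```python
"""Triage Repadmin /Showrepl * /CSV output for broken or stale replication links (added example)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout that Repadmin /CSV produces (not output from a real forest).
# Status 1722 is the Win32 error "The RPC server is unavailable".
SAMPLE_SHOWREPL_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=corp,DC=contoso,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2009-01-15 10:32:11,0
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=corp,DC=contoso,DC=com",Branch,DC3,RPC,14,2009-01-15 09:10:02,2009-01-08 02:17:44,1722
showrepl_INFO,Branch,DC3,"DC=corp,DC=contoso,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2009-01-15 10:30:00,0
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def triage_showrepl(csv_text, now, max_age=timedelta(days=1)):
    """Return (destination, source, naming context, reason) for every link that needs attention."""
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        failures = int(row["Number of Failures"])
        if failures:
            reasons.append(f"{failures} consecutive failures, last status {row['Last Failure Status']}")
        last_ok = row["Last Success Time"]
        if last_ok in ("", "0"):
            reasons.append("no successful replication recorded")
        else:
            age = now - datetime.strptime(last_ok, TIME_FORMAT)
            if age > max_age:
                reasons.append(f"last success {age.days} days ago")
        if reasons:
            problems.append((row["Destination DSA"], row["Source DSA"],
                             row["Naming Context"], "; ".join(reasons)))
    return problems


if __name__ == "__main__":
    # 'now' is passed in explicitly so the check is reproducible against saved output.
    for dest, src, nc, why in triage_showrepl(SAMPLE_SHOWREPL_CSV, datetime(2009, 1, 15, 12, 0, 0)):
        print(f"{dest} <- {src} [{nc}]: {why}")
```

With the sample data, only the Configuration partition link from DC3 into DC1 is reported (14 failures and a last success a week old); the other two links replicated within the last few hours and are silent. A raise should not be attempted while any link is listed, because the level change itself must reach every domain controller.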
Check every program and service for compatibility with newer Windows Server domain controllers and with the higher Windows Server domain and forest modes. Use a lab environment to thoroughly test production programs and services for compatibility issues. Contact vendors to confirm compatibility.
Prepare a rollback plan that includes one of the following:
- Disconnect at least two domain controllers from each domain in the forest.
- Create a system state backup of at least two domain controllers in each domain in the forest.
Before the rollback plan can be used, all domain controllers in the forest must be turned off before the recovery process starts.
A functional level raise cannot be authoritatively restored. This means that every domain controller that has replicated the raise must be retired.
After all of the old domain controllers are removed, start the offline domain controllers or restore domain controllers from backup. Clean up the metadata of all of the other domain controllers and promote them again. This is a difficult process and should be avoided.
Example: Moving from the Windows 2000 Server mixed level to the Windows Server 2003 forest level
Raise all domains to the Windows 2000 Server native level. Then, raise the forest functional level on the forest root domain to the Windows Server 2003 forest level. When the forest level replicates to the PDC of each domain in the forest, the domain level is automatically raised to the Windows Server 2003 domain level. This method has the following advantages:
- The raise for the entire forest is performed only once. You do not have to manually raise each domain in the forest to the Windows Server 2003 domain functional level.
- Before the raise, a check for Windows 2000 Server domain controllers is performed (see Preparatory tasks). The raise is blocked until the problem domain controllers are removed or upgraded. A detailed report can be generated that lists the blocking domain controllers and provides actionable data.
- A scan is performed for domains at the Windows 2000 Server mixed level or the Windows Server 2003 interim level. The raise is blocked until the domain levels are raised to at least Windows 2000 Server native; interim-level domains must be raised to the Windows Server 2003 domain level. A detailed report can be generated that lists the blocking domains.
Windows NT 4.0 upgrades
Windows NT 4.0 upgrades should always use the interim level when the PDC is upgraded, unless Windows 2000 Server domain controllers have been introduced into the forest that the PDC is being upgraded into. If the interim mode is used during the PDC upgrade, existing large groups immediately use LVR replication, which avoids the potential replication issues discussed earlier in this article. Use one of the following methods to reach the interim level during the upgrade:
- Select the interim level during Dcpromo. This option appears only when the PDC is upgraded into a new forest.
- Set the forest level of an existing forest to interim, and join that forest during the PDC upgrade. The upgraded domain inherits the forest settings.
- After all Windows NT 4.0 BDCs are upgraded or removed, each domain must be raised to the forest level, and the forest can then be raised to the Windows Server 2003 forest mode.
One reason to avoid the interim mode is if you plan to deploy Windows 2000 Server domain controllers after the upgrade or at a later time.
Special considerations for large groups in Windows NT 4.0
In mature Windows NT 4.0 domains, security groups can have more than 5,000 members. In Windows NT 4.0, when a security group membership changes, only the single membership change is replicated to the backup domain controllers. In Windows 2000 Server, group memberships are linked attributes that are stored in a single multivalued attribute of the group object. When a single change is made to a group's membership, the entire group is replicated as a single unit. Because group membership is replicated as a single unit, group membership updates can be "lost" when different members are added or removed at the same time on different domain controllers. Also, the size of this single object can exceed the buffer that is used to commit an entry to the database. For more information, see the "Version store issues with large groups" section of this article. For these reasons, the recommended limit for group membership is 5,000 members.
The exception to the 5,000-member rule is the primary group (by default, the Domain Users group). The primary group uses a "computed" mechanism based on the user's primaryGroupID attribute to determine membership; the primary group does not store members in the linked multivalued attribute. If a user's primary group is changed to a custom group, the user's membership in the Domain Users group is written to the group's linked attribute and is no longer computed. The new primary group RID is written to primaryGroupID, and the user is removed from that group's membership attribute.
If the administrator does not select the interim level for the upgrade domain, the following steps must be completed before the upgrade:
- Take an inventory of all large groups, and identify every group with more than 5,000 members, except the Domain Users group.
- Split every group with more than 5,000 members into smaller groups that have fewer than 5,000 members.
- Locate all ACLs in which the large groups appear, and add the smaller groups that you created in step 2. The Windows Server 2003 interim forest level frees administrators from having to discover and reassign global security groups that have more than 5,000 members.
Version store issues with large groups
For long-running operations, such as deep searches or the commit of a single large attribute, Active Directory must ensure that the database state is static until the operation completes. An example of a deep search or a large attribute commit is a large group that uses legacy storage.
Because database updates arrive continuously, both locally and from replication partners, Active Directory provides a static state by queuing all incoming changes until the long-running process completes. When the process is complete, the queued changes are applied to the database.
The storage location for these queued changes is called the "version store" and is approximately 100 megabytes. The version store size varies and is based on physical memory. If a long-running operation does not complete before the version store is exhausted, the domain controller stops accepting updates until the long-running operation and the queued changes are committed. Groups that reach large sizes (more than 5,000 members) put the domain controller at risk of exhausting the version store while the large group is committed.
Windows Server 2003 introduces a new replication mechanism for linked multivalued attributes called linked value replication (LVR). Instead of replicating the entire group in a single replication operation, LVR solves this problem by replicating each member of the group as a separate replication operation. LVR is available when the forest functional level is raised to the Windows Server 2003 interim forest level or the Windows Server 2003 forest level. At that functional level, LVR is used to replicate groups between Windows Server 2003 domain controllers.
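The "lost update" problem from the large-groups section and the per-value resolution that LVR brings can both be seen in a small simulation. The following Python script is an added example, not part of the Microsoft article and not Active Directory's replication code: it models a group held on two domain controllers, once with the Windows 2000 style single stamp on the whole member attribute and once with an LVR style stamp per link value, and replays two concurrent additions followed by replication in both directions. The stamp ordering (version, then timestamp, then originating DC) and the class and member names are constructed for the example.

```python
"""Simulate whole-attribute versus linked value replication of group membership (added example)."""
from dataclasses import dataclass


@dataclass(order=True)
class Stamp:
    """Replication metadata: the higher version wins, then the later timestamp, then the originating DC."""
    version: int
    timestamp: int
    originating: str


class LegacyGroup:
    """Windows 2000 style: the whole member attribute is one value with one stamp."""

    def __init__(self, members=()):
        self.members = set(members)
        self.stamp = Stamp(1, 0, "init")

    def add(self, member, ts, dc):
        self.members.add(member)
        self.stamp = Stamp(self.stamp.version + 1, ts, dc)

    def remove(self, member, ts, dc):
        self.members.discard(member)
        self.stamp = Stamp(self.stamp.version + 1, ts, dc)

    def receive(self, other):
        # Inbound replication: the copy with the higher stamp replaces the whole attribute.
        if other.stamp > self.stamp:
            self.members = set(other.members)
            self.stamp = other.stamp


class LvrGroup:
    """Windows Server 2003 forest level: each link value carries its own stamp and present flag."""

    def __init__(self, members=()):
        self.values = {m: (True, Stamp(1, 0, "init")) for m in members}

    def _set(self, member, present, ts, dc):
        old = self.values.get(member)
        version = old[1].version + 1 if old else 1
        self.values[member] = (present, Stamp(version, ts, dc))

    def add(self, member, ts, dc):
        self._set(member, True, ts, dc)

    def remove(self, member, ts, dc):
        self._set(member, False, ts, dc)   # a removed value is kept as an absent link with its stamp

    def receive(self, other):
        # Inbound replication resolves conflicts per value, so independent changes merge.
        for member, (present, stamp) in other.values.items():
            mine = self.values.get(member)
            if mine is None or stamp > mine[1]:
                self.values[member] = (present, stamp)

    @property
    def members(self):
        return {m for m, (present, _) in self.values.items() if present}


def simulate(group_cls):
    """Two DCs change the same group concurrently, then replicate in both directions."""
    dc1, dc2 = group_cls(["Carol"]), group_cls(["Carol"])
    dc1.add("Alice", ts=10, dc="DC1")
    dc2.add("Bob", ts=11, dc="DC2")
    dc1.receive(dc2)
    dc2.receive(dc1)
    return sorted(dc1.members), sorted(dc2.members)


if __name__ == "__main__":
    print("whole attribute:", simulate(LegacyGroup))
    print("linked value   :", simulate(LvrGroup))
```

With the whole-attribute model, DC2's later stamp wins and both domain controllers converge on Carol and Bob: Alice's addition on DC1 is silently lost, which is the conflict the article warns about for groups edited on several domain controllers. With per-value stamps, both additions survive and every domain controller ends with all three members, and each replicated change is one small link value rather than the whole membership, which is also why LVR takes the large-group commit out of the version store.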