
The Best Damn Windows Server 2003 Book Period- P50 ppt



DOCUMENT INFORMATION

Basic information

Format
Pages: 10
Size: 308.77 KB

Content

Distribution Groups

Distribution Groups, unlike Security Groups, are not primarily used for access control, although they can be used in an ACL at the application layer. Distribution groups are designed to be used with e-mail applications only. You can convert a Distribution Group to a Security Group (or vice versa), if the functional level is Windows 2000 native or higher. You have to be a domain or enterprise admin, or a member of the Account Operators Group (or have the appropriate authority delegated) to convert a group. Changing the group type is as simple as right-clicking the group in Active Directory Users and Computers, clicking Properties, and clicking the desired group type on the General tab.

Domain Trees

A domain tree can be thought of as a DNS namespace composed of one or more domains. If you plan to create a forest with discontiguous namespaces, you must create more than one tree. Referring back to Figure 12.1, you see two trees in that forest, Cats.com and Dogs.com. Each has a contiguous namespace because each domain in the hierarchy is directly related to the domains above and below it in each tree. The forest has a discontiguous namespace because it contains two unrelated top-level domains.

Forest and Domain Functional Levels

Functional levels are a mechanism that Microsoft uses to remove obsolete backward compatibility within the Active Directory. It is a feature that helps improve performance and security. In Windows 2000, each domain had two functional levels (which were called “modes”), native mode and mixed mode, while the forest only had one functional level. In Windows Server 2003, there are two more levels to consider in both domains and forests. To enable all Windows Server 2003 forest and domainwide features, all DCs must be running Windows Server 2003 and the functional levels must be set to Windows Server 2003. Table 12.2 summarizes the levels, DCs supported in each level, and each level’s primary purpose.
Table 12.2 Domain and Forest Functional Levels

| Type   | Functional Level             | Supported DCs  | Purpose                                                                                   |
|--------|------------------------------|----------------|-------------------------------------------------------------------------------------------|
| Domain | Windows 2000 mixed (default) | NT, 2000, 2003 | Supports mixed environments during upgrade; low security, high compatibility              |
| Domain | Windows 2000 native          | 2000, 2003     | Supports upgrade from 2000 to 2003                                                        |
| Domain | Windows Server 2003 interim  | NT, 2003       | Supports upgrade from NT to 2003; low security, no new features                           |
| Domain | Windows Server 2003          | 2003           | Ideal level, best security, least compatibility, all new Active Directory features are enabled |
| Forest | Windows 2000 (default)       | NT, 2000, 2003 | Supports mixed environments during upgrade; low security, high compatibility              |
| Forest | Windows Server 2003 interim  | NT, 2003       | Supports upgrade from NT to 2003; low security, some new features                         |
| Forest | Windows Server 2003          | 2003           | Ideal level, best security, least compatibility, all new Active Directory features are enabled |

456 Chapter 12 • Working with Forests and Domains 301_BD_W2k3_12.qxd 5/12/04 12:38 PM Page 456

Domain Functionality

When considering raising the domain functionality level, remember that the new features will directly affect only the domain being raised. Once the domain functional level has been raised, no prior version DCs can be added to the domain. In the case of the Windows Server 2003 domain functional level, no Windows 2000 servers can be promoted to DC status after the functionality has been raised. Table 12.2 summarizes the levels, DCs supported in each level, and the level’s primary purpose. See Table 12.3 for a summary of the capabilities of the current Windows 2000 and new Windows Server 2003 domain functional levels.
Table 12.3 Domain Functional Level Features

| Domain Feature                                                     | Windows 2000 Mixed | Windows 2000 Native | Windows Server 2003 Interim | Windows Server 2003 Native |
|--------------------------------------------------------------------|--------------------|---------------------|-----------------------------|----------------------------|
| Local and Global Groups                                            | Enabled            | Enabled             | Enabled                     | Enabled                    |
| Distribution Groups                                                | Enabled            | Enabled             | Enabled                     | Enabled                    |
| GC support                                                         | Enabled            | Enabled             | Enabled                     | Enabled                    |
| Number of domain objects supported                                 | 40,000             | 1,000,000           | 40,000                      | 1,000,000                  |
| Kerberos KDC key version numbers                                   | Disabled           | Disabled            | Disabled                    | Enabled                    |
| Security Group nesting                                             | Disabled           | Enabled             | Disabled                    | Enabled                    |
| Distribution Group nesting                                         | Enabled            | Enabled             | Enabled                     | Enabled                    |
| Universal Groups                                                   | Disabled           | Enabled             | Disabled                    | Enabled                    |
| SIDHistory                                                         | Disabled           | Enabled             | Disabled                    | Enabled                    |
| Converting groups between Security Groups and Distribution Groups  | Disabled           | Enabled             | Disabled                    | Enabled                    |
| DC rename                                                          | Disabled           | Disabled            | Disabled                    | Enabled                    |
| Logon timestamp attribute updated and replicated                   | Disabled           | Disabled            | Disabled                    | Enabled                    |
| User password support on the InetOrgPerson objectClass             | Disabled           | Disabled            | Disabled                    | Enabled                    |
| Constrained delegation                                             | Disabled           | Disabled            | Disabled                    | Enabled                    |
| Users and Computers container redirection                          | Disabled           | Disabled            | Disabled                    | Enabled                    |

Windows 2000 Mixed Domain Functional Level

The Windows 2000 mixed domain functional level is primarily designed to support mixed environments during the course of an upgrade. Typically, this applies to a transition from Windows NT to Windows 2000, although it is also the default mode for a newly created Windows Server 2003 domain. It is characterized by lowered security features and defaults, and the highest compatibility level possible for Active Directory. In the Windows 2000 mixed functional level, which is the default level, Windows 2000 and greater DCs can exist, as well as Windows NT backup domain controllers (BDCs).
Newly created Windows Server 2003 domains always start at this level. Windows NT primary domain controllers (PDCs) do not exist in any version of Active Directory.

Windows 2000 Native Domain Functional Level

The Windows 2000 native domain functional level is primarily intended to support an upgrade from Windows 2000 to Server 2003. Typically, this applies to existing Active Directory implementations since mixed and interim modes support the upgrade from Windows NT. It is characterized by better security features and defaults, and an average compatibility level. In Windows 2000 native functional level, DCs have all been upgraded to Windows 2000 or Windows Server 2003. Native mode enables Universal Security Groups, nested groups, group conversion between distribution and security types, and SIDHistory.

Windows Server 2003 Interim Domain Functional Level

The Windows Server 2003 interim domain functional level is the preferred method of supporting Windows NT environments during the course of an upgrade. This level only applies to a transition from Windows NT to Windows Server 2003 because it does not allow for the presence of Windows 2000 DCs. It is characterized by lowered security features and defaults, similar to the Windows 2000 mixed domain functional level, and a high compatibility level for Windows NT. In the Windows Server 2003 interim domain functional level, no domainwide features are activated, although many forest level features are activated at this level (see the section Windows Server 2003 Interim Forest Functional Level later in the chapter). This mode is only used during the upgrade of Windows NT 4.0 DCs to Windows Server 2003 DCs. If a Windows 2000 Active Directory domain already exists, then the Windows Server 2003 interim domain level cannot be achieved.
Remember that any domain joined to an existing forest inherits its domain functional level from the child, top-level, or root-level domain that it connects to during the joining process. The domain level of Windows 2000 is only the default when you create a new forest root.

Windows Server 2003 Domain Functional Level

The Windows Server 2003 domain functional level is the ideal level. This level does not allow for the presence of Windows NT or Windows 2000 DCs. It starts out with the best security defaults and capabilities, and the least compatibility with earlier versions of Windows. All new 2003 Active Directory domain features are enabled at this level, providing the most efficient and productive environment. In the Windows Server 2003 domain functional level, only Windows Server 2003 DCs can exist.

Forest Functionality

The Windows Server 2003 forest functional levels are named similarly to the domain levels. Windows 2000 originally had only one level, and that level was carried over into Windows 2003. The two other available functional levels are Windows Server 2003 interim and Windows Server 2003, sometimes referred to as Windows Server 2003 native mode. Table 12.2 summarizes the levels, DCs supported in each level, and the level’s primary purpose. See Table 12.4 for a summary of the capabilities of the new Windows Server 2003 forest functional levels.
Table 12.4 New Forest Functional Level Features

| Forest Feature                                                                                                                                                   | Windows 2000  | Windows Server 2003 Interim | Windows Server 2003 Native |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|-----------------------------|----------------------------|
| Support for more than 5000 members per group                                                                                                                     | Not available | Enabled                     | Enabled                    |
| Universal Group caching                                                                                                                                          | Enabled       | Enabled                     | Enabled                    |
| Application partitions                                                                                                                                           | Enabled       | Enabled                     | Enabled                    |
| Install from backups                                                                                                                                             | Enabled       | Enabled                     | Enabled                    |
| Quotas                                                                                                                                                           | Enabled       | Enabled                     | Enabled                    |
| Rapid GC demotion                                                                                                                                                | Enabled       | Enabled                     | Enabled                    |
| SIS for system access control lists (SACL) in the Jet Database Engine                                                                                            | Enabled       | Enabled                     | Enabled                    |
| Improve topology generation event logging                                                                                                                        | Enabled       | Enabled                     | Enabled                    |
| Windows Server 2003 DC assumes the Intersite Topology Generator (ISTG) role                                                                                      | Enabled       | Enabled                     | Enabled                    |
| Efficient group member replication using linked value replication                                                                                                | Disabled      | Enabled                     | Enabled                    |
| Improved KCC inter-site replication topology generator algorithms                                                                                                | Disabled      | Enabled                     | Enabled                    |
| ISTG aliveness no longer replicated                                                                                                                              | Disabled      | Enabled                     | Enabled                    |
| Attributes added to the GC, such as: ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, and Print-Rate-Unit | Disabled | Enabled            | Enabled                    |
| Defunct schema objects                                                                                                                                           | Disabled      | Disabled                    | Enabled                    |
| Cross-forest trust                                                                                                                                               | Disabled      | Disabled                    | Enabled                    |
| Domain rename                                                                                                                                                    | Disabled      | Disabled                    | Enabled                    |
| Dynamic auxiliary classes                                                                                                                                        | Disabled      | Disabled                    | Enabled                    |
| InetOrgPerson objectClass change                                                                                                                                 | Disabled      | Disabled                    | Enabled                    |
| Application groups                                                                                                                                               | Disabled      | Disabled                    | Enabled                    |
| 15-second intrasite replication frequency for Windows Server 2003 DCs upgraded from Windows 2000                                                                 | Disabled      | Disabled                    | Enabled                    |
| Reduced NTDS.DIT size                                                                                                                                            | Disabled      | Disabled                    | Enabled                    |
| Unlimited site management                                                                                                                                        | Disabled      | Disabled                    | Enabled                    |

Windows 2000 Forest Functional Level (default)

The Windows 2000 forest functional level is primarily designed to support mixed environments during the course of an upgrade. Typically, this applies to a transition from Windows 2000 to Windows Server 2003. It is also the default mode for a newly created Windows Server 2003 domain. It is characterized by relatively lower security features and reduced efficiency, but maintains the highest compatibility level possible for Active Directory. The Windows 2003 interim forest functional level handles upgrades from Windows NT to Windows Server 2003.

In the Windows 2000 functional level, which is the default level, Windows 2000 and greater DCs can exist, as well as Windows NT BDCs. Newly created Windows Server 2003 forests always start at this level. Windows NT PDCs do not exist in any version of Active Directory. Features available in the Windows 2000 forest functional level of Windows Server 2003 carry over the old features and add many new ones.

Windows Server 2003 Interim Forest Functional Level

The Windows Server 2003 interim forest functional level is the preferred method of supporting Windows NT environments during the course of an upgrade. This level only applies to a transition from Windows NT to Windows Server 2003 because it does not allow for the presence of Windows 2000 DCs anywhere in the forest. It is characterized by lowered security features and defaults, but provides many efficiency improvements over the Windows 2000 forest functional level. In the Windows Server 2003 interim forest functional level, unlike the Windows Server 2003 interim domain functional level, many new features are activated while still allowing Windows NT 4.0 BDC replication. This mode is only used during the upgrade of a Windows NT 4.0 domain to a Windows Server 2003 forest. If a Windows 2000 Active Directory forest already exists, then the Windows Server 2003 interim forest level cannot be achieved.
To revert your Windows Server 2003 forest back to the interim level for an upgrade, you must manually configure the forest level with LDAP tools such as Ldp.exe or Adsiedit.msc. Remember that any domain joined to an existing forest inherits its domain functional level from the child, top-level, or root-level domain that it connects to during the joining process. The default forest level of Windows 2000 only applies when you create a new forest.

Windows Server 2003 Forest Functional Level

The Windows Server 2003 forest functional level is the ideal level. This level does not allow for the presence of Windows NT or Windows 2000 DCs anywhere in the forest. It starts out with the best security defaults and capabilities, and the least compatibility with earlier versions of Windows. All new 2003 Active Directory forest features are enabled at this level, providing the most efficient and productive environment. In the Windows Server 2003 forest functional level, only Windows Server 2003 DCs can exist.

Raising the Functional Level of a Domain and Forest

Before increasing a functional level, you should prepare for it by performing the following tasks. First, inventory your entire forest for earlier versions of DCs. The Active Directory Domains and Trusts MMC snap-in can generate a detailed report should you need it. You can also perform a custom LDAP query from the Active Directory Users and Computers MMC snap-in that will discover Windows NT DC objects within the forest. Use the following search string:

(&(objectCategory=computer)(operatingSystemVersion=4*)
(userAccountControl:1.2.840.113556.1.4.803:=8192))

There should be no spaces in the query, and type it in all on one line. The search string is shown on two lines for readability.
Second, you need to physically locate all down-level DCs for the new functional level in the domain or forest as needed, and either upgrade or remove them. Third, verify that end-to-end replication is working in the forest using the Windows Server 2003 versions of Repadmin.exe and Replmon.exe. Finally, verify the compatibility of your applications and services with the version of Windows that your DCs will be running, and specifically their compatibility with the target functional level. Use a lab environment to test for compatibility issues, and contact the appropriate vendors for compatibility information.

Domain Functional Level

Before raising the functional level of a domain, all DCs must be upgraded to the minimum OS level as shown in Table 12.2. Remember that when you raise the domain functional level to Windows 2000 native or Windows Server 2003, it can never be changed back to Windows 2000 mixed mode. The steps that follow take you systematically through the process of verifying the current domain functional level. Then, we’ll step through the process of raising the domain functional level. To raise the level, you must be an enterprise administrator, a domain administrator in the domain you want to raise, or have the appropriate authority.

Verify the domain functional level

1. Log on as a Domain Admin of the domain you are checking.
2. Click on Start | Control Panel | Performance and Maintenance | Administrative Tools | Active Directory Users and Computers, or use the Microsoft Management Console (MMC) preconfigured with the Active Directory Users and Computers snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. In the Raise Domain Functional Level dialog box, the current domain functional level appears under Current domain functional level.
This check can also be performed using the Active Directory Domains and Trusts MMC snap-in.

Raise the domain functional level

1. Log on locally as a Domain Admin to the PDC or the PDC Emulator FSMO of the domain you are raising.
2. Click on Start | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domain and Trusts snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. A dialog box will appear entitled Select an available domain functional level. There are only two possible choices, although both might not be available.
   ■ Select Windows 2000 native, and then click the Raise button to raise the domain functional level to Windows 2000 native.
   ■ Select Windows Server 2003, and then click the Raise button to raise the domain functional level to Windows Server 2003.

Forest Functional Level

Before raising the functional level of a forest, all DCs in the forest must be upgraded to the minimum OS level as shown in Table 12.2. In practice, since the only forest functional level that will be available to you is Windows Server 2003, all DCs in the forest must be running Windows Server 2003.
Locate all down-level DCs and either upgrade them or remove them from the domain. You do not have to upgrade the domain functional level before the forest functional level. The reason for this is that all domains in the forest will automatically raise to the level of Windows Server 2003 to match the forest level after Active Directory replicates the changes. The forest Schema Master performs this operation. The steps below take you through the process of verifying the current forest functional level. You can then step through the process of raising the forest functional level. To raise the forest level, you must be an enterprise administrator, a domain administrator at the forest root, or have the appropriate authority.

Verify the forest functional level

1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click on Start | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and Trusts folder and select Raise Forest Functional Level.
4. In the Raise Forest Functional Level dialog box, the current forest functional level appears under Current forest functional level.

Raise the forest functional level

1. Log on locally as an Enterprise Administrator on the PDC Emulator FSMO of the forest root domain you are raising.
2. Click on Start | All Programs | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and Trusts folder and select Raise Forest Functional Level.
4. Where it asks you to Select an available forest functional level, click Windows Server 2003, and then click the Raise button.
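As an added example that is not part of the book, the following PowerShell script performs the preparation and verification steps above in one read-only pass: it runs the chapter's LDAP search string for Windows NT DCs, a widened version of that filter (our assumption) that lists every DC with its OS version, and reads the current domain and forest functional levels through .NET's System.DirectoryServices. The Get-DcInventory function and the BlocksLevel classification are ours, derived from Table 12.2; the script assumes it is run as an Enterprise Admin on a domain-joined Windows machine.

```powershell
# Added preflight script, not from the book. Run as an Enterprise Admin on a
# domain-joined Windows machine; it needs only System.DirectoryServices,
# which ships with Windows PowerShell. It reports and never raises a level.
Add-Type -AssemblyName System.DirectoryServices

# The chapter's search string, on one line with no spaces:
#   objectCategory=computer                          computer accounts only
#   operatingSystemVersion=4*                        Windows NT 4.0
#   userAccountControl:1.2.840.113556.1.4.803:=8192  bitwise-AND matching rule;
#       bit 8192 (SERVER_TRUST_ACCOUNT) marks the account as a DC
$ntDcFilter  = '(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))'

# Widened filter (our assumption, not from the book): every DC whatever its OS,
# so Windows 2000 DCs that block the Windows Server 2003 level are listed too.
$allDcFilter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'

function Get-DcInventory {
    param(
        [System.DirectoryServices.ActiveDirectory.Domain]$Domain,
        [string]$Filter
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Domain.GetDirectoryEntry())
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500      # paged results, so large domains are not truncated
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('dNSHostName', 'operatingSystem', 'operatingSystemVersion'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # operatingSystemVersion looks like "5.2 (3790)"; keep only the numeric prefix.
        $osVer = [string]($p['operatingsystemversion'] | Select-Object -First 1)
        if ($osVer -match '^(\d+\.\d+)') { $ver = [Version]$Matches[1] } else { $ver = [Version]'0.0' }
        # Per Table 12.2: a DC below 5.2 blocks Windows Server 2003, and an NT 4.0
        # DC (4.x) also blocks Windows 2000 native. An unparseable version is
        # treated like NT so that it is never silently ignored.
        $blocks = 'nothing'
        if ($ver -lt [Version]'5.2') { $blocks = 'Windows Server 2003' }
        if ($ver.Major -lt 5)        { $blocks = 'Windows 2000 native and above' }
        New-Object PSObject -Property @{
            Domain      = $Domain.Name
            DC          = [string]($p['dnshostname'] | Select-Object -First 1)
            OS          = [string]($p['operatingsystem'] | Select-Object -First 1)
            Version     = $osVer
            BlocksLevel = $blocks
        }
    }
}

# Current functional levels, the same values the Raise ... Functional Level
# dialog boxes show under "Current ... functional level".
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host ("Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode)

$inventory = foreach ($domain in $forest.Domains) {
    Write-Host ("Domain {0}: functional level {1}" -f $domain.Name, $domain.DomainMode)
    # The chapter's query, run as-is, then the widened inventory of every DC.
    $nt = @(Get-DcInventory -Domain $domain -Filter $ntDcFilter)
    Write-Host ("  Windows NT 4.0 DCs found by the chapter's filter: {0}" -f $nt.Count)
    Get-DcInventory -Domain $domain -Filter $allDcFilter
}

Write-Host "`nDCs to upgrade or remove before raising a level:"
$inventory | Where-Object { $_.BlocksLevel -ne 'nothing' } |
    Format-Table Domain, DC, OS, Version, BlocksLevel -AutoSize
```

An empty final table means every DC already meets the Windows Server 2003 minimum; raising the level itself is still done in the snap-in as described above.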
Optimizing Your Strategy for Raising Functional Levels

There are two basic strategies for traveling the path from the Windows 2000 native level and Windows 2000 mixed-mode levels to the goal of Windows Server 2003 functional levels across your forest.

■ The Windows 2000 native mode path.
   ■ Raise the level of all domains to the Windows 2000 native functional level.
   ■ Raise the forest level to Windows Server 2003.

   Benefits of this method include:
   ■ You do not have to perform the domain level-raising procedure on every domain before raising the forest level.
   ■ It automatically does the work of tracking down all down-level domains and DCs for you. The process fails if these exist, but then you have a ready list of preparation work to do. This is helpful if your forest is not well documented. See the sidebar If Raising the Forest Functional Level Fails for more information.

■ The Windows Server 2003 level path.
   ■ Raise the level of all domains to the Windows 2000 native functional level.
   ■ Raise the level of all domains to the Windows Server 2003 functional level.
   ■ Raise the forest level to Windows Server 2003.

   The benefits of this method are:
   ■ All of the new Windows Server 2003 domain-level features are turned on before you make the commitment to raising the level of the forest.
   ■ You can perform integration and interoperability testing on a smaller scale without committing the forest to the functional upgrade.

There are three basic approaches for the use of interim modes when upgrading Windows NT to Windows Server 2003. Interim level should be avoided if you will ever have a need to implement Windows 2000 DCs. Here are the three strategies:

■ When upgrading the Windows NT PDC into a new Windows Server 2003 forest, select the interim level from the dcpromo utility.
■ When upgrading the Windows NT PDC into an existing Windows Server 2003 forest, manually set the interim level with Ldp.exe or Adsiedit.msc, and join the forest during the upgrade. The upgraded domain inherits the interim setting from the forest.
■ Upgrade or remove all Windows NT BDCs, and then upgrade the Windows NT PDC. Since no Windows NT DCs remain in the domain, the Windows Server 2003 interim functionality level is not needed.

Date posted: 04/07/2014, 23:20