The Best Damn Windows Server 2003 Book Period - P50

Distribution Groups
Distribution Groups, unlike Security Groups, are not primarily used for access control, although they can be used in an ACL at the application layer. Distribution groups are designed to be used with e-mail applications only. You can convert a Distribution Group to a Security Group (or vice versa), if the functional level is Windows 2000 native or higher. You have to be a domain or enterprise admin, or a member of the Account Operators Group (or have the appropriate authority delegated) to convert a group. Changing the group type is as simple as right-clicking the group in Active Directory Users and Computers, clicking Properties, and clicking the desired group type on the General tab.
Domain Trees
A domain tree can be thought of as a DNS namespace composed of one or more domains. If you plan to create a forest with discontiguous namespaces, you must create more than one tree. Referring back to Figure 12.1, you see two trees in that forest, Cats.com and Dogs.com. Each has a contiguous namespace because each domain in the hierarchy is directly related to the domains above and below it in each tree. The forest has a discontiguous namespace because it contains two unrelated top-level domains.
Forest and Domain Functional Levels
Functional levels are a mechanism that Microsoft uses to remove obsolete backward compatibility within the Active Directory. It is a feature that helps improve performance and security. In Windows 2000, each domain had two functional levels (which were called “modes”), native mode and mixed mode, while the forest only had one functional level. In Windows Server 2003, there are two more levels to consider in both domains and forests. To enable all Windows Server 2003 forest and domainwide features, all DCs must be running Windows Server 2003 and the functional levels must be set to Windows Server 2003. Table 12.2 summarizes the levels, DCs supported in each level, and each level’s primary purpose.
Table 12.2 Domain and Forest Functional Levels
Type | Functional Level | Supported DCs | Purpose
Domain | Windows 2000 mixed (default) | NT, 2000, 2003 | Supports mixed environments during upgrade; low security, high compatibility
Domain | Windows 2000 native | 2000, 2003 | Supports upgrade from 2000 to 2003
Domain | Windows Server 2003 interim | NT, 2003 | Supports upgrade from NT to 2003; low security, no new features
Domain | Windows Server 2003 | 2003 | Ideal level, best security, least compatibility, all new Active Directory features are enabled
Forest | Windows 2000 (default) | NT, 2000, 2003 | Supports mixed environments during upgrade; low security, high compatibility
Forest | Windows Server 2003 interim | NT, 2003 | Supports upgrade from NT to 2003; low security, some new features
Forest | Windows Server 2003 | 2003 | Ideal level, best security, least compatibility, all new Active Directory features are enabled

456 Chapter 12 • Working with Forests and Domains
301_BD_W2k3_12.qxd 5/12/04 12:38 PM Page 456
Domain Functionality
When considering raising the domain functionality level, remember that the new features will directly affect only the domain being raised. Once the domain functional level has been raised, no prior version DCs can be added to the domain. In the case of the Windows Server 2003 domain functional level, no Windows 2000 servers can be promoted to DC status after the functionality has been raised. Table 12.2 summarizes the levels, DCs supported in each level, and the level’s primary purpose. See Table 12.3 for a summary of the capabilities of the current Windows 2000 and new Windows Server 2003 domain functional levels.
Table 12.3 Domain Functional Level Features
Domain Feature | Windows 2000 Mixed | Windows 2000 Native | Windows Server 2003 Interim | Windows Server 2003 Native
Local and Global Groups | Enabled | Enabled | Enabled | Enabled
Distribution Groups | Enabled | Enabled | Enabled | Enabled
GC support | Enabled | Enabled | Enabled | Enabled
Number of domain objects supported | 40,000 | 1,000,000 | 40,000 | 1,000,000
Kerberos KDC key version numbers | Disabled | Disabled | Disabled | Enabled
Security Group nesting | Disabled | Enabled | Disabled | Enabled
Distribution Group nesting | Enabled | Enabled | Enabled | Enabled
Universal Groups | Disabled | Enabled | Disabled | Enabled
SIDHistory | Disabled | Enabled | Disabled | Enabled
Converting groups between Security Groups and Distribution Groups | Disabled | Enabled | Disabled | Enabled
DC rename | Disabled | Disabled | Disabled | Enabled
Logon timestamp attribute updated and replicated | Disabled | Disabled | Disabled | Enabled
User password support on the InetOrgPerson objectClass | Disabled | Disabled | Disabled | Enabled
Constrained delegation | Disabled | Disabled | Disabled | Enabled
Users and Computers container redirection | Disabled | Disabled | Disabled | Enabled
Windows 2000 Mixed Domain Functional Level
The Windows 2000 mixed domain functional level is primarily designed to support mixed environments during the course of an upgrade. Typically, this applies to a transition from Windows NT to Windows 2000, although it is also the default mode for a newly created Windows Server 2003 domain. It is characterized by lowered security features and defaults, and the highest compatibility level possible for Active Directory.
In the Windows 2000 mixed functional level, which is the default level, Windows 2000 and greater DCs can exist, as well as Windows NT backup domain controllers (BDCs). Newly created Windows Server 2003 domains always start at this level. Windows NT primary domain controllers (PDCs) do not exist in any version of Active Directory.
Windows 2000 Native Domain Functional Level
The Windows 2000 native domain functional level is primarily intended to support an upgrade from Windows 2000 to Server 2003. Typically, this applies to existing Active Directory implementations since mixed and interim modes support the upgrade from Windows NT. It is characterized by better security features and defaults, and an average compatibility level.
In Windows 2000 native functional level, DCs have all been upgraded to Windows 2000 or Windows Server 2003. Native mode enables Universal Security Groups, nested groups, group conversion between distribution and security types, and SIDHistory.
Windows Server 2003 Interim Domain Functional Level
The Windows Server 2003 interim domain functional level is the preferred method of supporting Windows NT environments during the course of an upgrade. This level only applies to a transition from Windows NT to Windows Server 2003 because it does not allow for the presence of Windows 2000 DCs. It is characterized by lowered security features and defaults, similar to the Windows 2000 mixed domain functional level, and a high compatibility level for Windows NT.
In the Windows Server 2003 interim domain functional level, no domainwide features are activated, although many forest level features are activated at this level (see the section Windows Server 2003 Interim Forest Functional Level later in the chapter). This mode is only used during the upgrade of Windows NT 4.0 DCs to Windows Server 2003 DCs. If a Windows 2000 Active Directory domain already exists, then the Windows Server 2003 interim domain level cannot be achieved.
Remember that any domain joined to an existing forest inherits its domain functional level from the child, top-level, or root-level domain that it connects to during the joining process. The domain level of Windows 2000 is only the default when you create a new forest root.
Windows Server 2003 Domain Functional Level
The Windows Server 2003 domain functional level is the ideal level. This level does not allow for the presence of Windows NT or Windows 2000 DCs. It starts out with the best security defaults and capabilities, and the least compatibility with earlier versions of Windows. All new 2003 Active Directory domain features are enabled at this level, providing the most efficient and productive environment. In the Windows Server 2003 domain functional level, only Windows Server 2003 DCs can exist.

Forest Functionality
The Windows Server 2003 forest functional levels are named similarly to the domain levels. Windows 2000 originally had only one level, and that level was carried over into Windows 2003. The two other available functional levels are Windows Server 2003 interim and Windows Server 2003, sometimes referred to as Windows Server 2003 native mode. Table 12.2 summarizes the levels, DCs supported in each level, and the level’s primary purpose. See Table 12.4 for a summary of the capabilities of the new Windows Server 2003 forest functional levels.
Table 12.4 New Forest Functional Level Features
Forest Feature | Windows 2000 | Windows Server 2003 Interim | Windows Server 2003 Native
Support for more than 5000 members per group | Not available | Enabled | Enabled
Universal Group caching | Enabled | Enabled | Enabled
Application partitions | Enabled | Enabled | Enabled
Install from backups | Enabled | Enabled | Enabled
Quotas | Enabled | Enabled | Enabled
Rapid GC demotion | Enabled | Enabled | Enabled
SIS for system access control lists (SACL) in the Jet Database Engine | Enabled | Enabled | Enabled
Improved topology generation event logging | Enabled | Enabled | Enabled
Windows Server 2003 DC assumes the Intersite Topology Generator (ISTG) role | Enabled | Enabled | Enabled
Efficient group member replication using linked value replication | Disabled | Enabled | Enabled
Improved KCC inter-site replication topology generator algorithms | Disabled | Enabled | Enabled
ISTG aliveness no longer replicated | Disabled | Enabled | Enabled
Attributes added to the GC, such as: ms-DS-Entry-Time-To-Die, Message Queuing-Secured-Source, Message Queuing-Multicast-Address, Print-Memory, Print-Rate, and Print-Rate-Unit | Disabled | Enabled | Enabled
Defunct schema objects | Disabled | Disabled | Enabled
Cross-forest trust | Disabled | Disabled | Enabled
Domain rename | Disabled | Disabled | Enabled
Dynamic auxiliary classes | Disabled | Disabled | Enabled
InetOrgPerson objectClass change | Disabled | Disabled | Enabled
Application groups | Disabled | Disabled | Enabled
15-second intrasite replication frequency for Windows Server 2003 DCs upgraded from Windows 2000 | Disabled | Disabled | Enabled
Reduced NTDS.DIT size | Disabled | Disabled | Enabled
Unlimited site management | Disabled | Disabled | Enabled
Windows 2000 Forest Functional Level (default)
The Windows 2000 forest functional level is primarily designed to support mixed environments during the course of an upgrade. Typically, this applies to a transition from Windows 2000 to Windows Server 2003. It is also the default mode for a newly created Windows Server 2003 domain. It is characterized by relatively lower security features and reduced efficiency, but maintains the highest compatibility level possible for Active Directory. The Windows 2003 interim forest functional level handles upgrades from Windows NT to Windows Server 2003.
In the Windows 2000 functional level, which is the default level, Windows 2000 and greater DCs can exist, as well as Windows NT BDCs. Newly created Windows Server 2003 forests always start at this level. Windows NT PDCs do not exist in any version of Active Directory. Features available in the Windows 2000 forest functional level of Windows Server 2003 carry over the old features and add many new ones.
Windows Server 2003 Interim Forest Functional Level
The Windows Server 2003 interim forest functional level is the preferred method of supporting Windows NT environments during the course of an upgrade. This level only applies to a transition from Windows NT to Windows Server 2003 because it does not allow for the presence of Windows 2000 DCs anywhere in the forest. It is characterized by lowered security features and defaults, but provides many efficiency improvements over the Windows 2000 forest functional level.
In the Windows Server 2003 interim forest functional level, unlike the Windows Server 2003 interim domain functional level, many new features are activated while still allowing Windows NT 4.0 BDC replication. This mode is only used during the upgrade of a Windows NT 4.0 domain to a Windows Server 2003 forest. If a Windows 2000 Active Directory forest already exists, then the Windows Server 2003 interim forest level cannot be achieved.
To revert your Windows Server 2003 forest back to the interim level for an upgrade, you must manually configure the forest level with LDAP tools such as Ldp.exe or Adsiedit.msc. Remember that any domain joined to an existing forest inherits its domain functional level from the child, top-level, or root-level domain that it connects to during the joining process. The default forest level of Windows 2000 only applies when you create a new forest.
Windows Server 2003 Forest Functional Level
The Windows Server 2003 forest functional level is the ideal level. This level does not allow for the presence of Windows NT or Windows 2000 DCs anywhere in the forest. It starts out with the best security defaults and capabilities, and the least compatibility with earlier versions of Windows. All new 2003 Active Directory forest features are enabled at this level, providing the most efficient and productive environment. In the Windows Server 2003 forest functional level, only Windows Server 2003 DCs can exist.
Raising the Functional Level of a Domain and Forest
Before increasing a functional level, you should prepare for it by performing the following tasks.
First, inventory your entire forest for earlier versions of DCs. The Active Directory Domains and Trusts MMC snap-in can generate a detailed report should you need it. You can also perform a custom LDAP query from the Active Directory Users and Computers MMC snap-in that will discover Windows NT DC objects within the forest. Use the following search string, typed all on one line with no spaces:
(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))
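As an added example (not from the book), the following Python script shows what that search string actually tests by evaluating it, offline, against a few constructed computer objects. The form "attribute:1.2.840.113556.1.4.803:=value" invokes the LDAP_MATCHING_RULE_BIT_AND rule: userAccountControl is a bit mask, and 8192 (0x2000) is the SERVER_TRUST_ACCOUNT bit that marks a domain controller, so the rule matches any DC regardless of which other flags it carries. A plain "userAccountControl=8192" only matches a DC with no other flags set, which the same data demonstrates. The object names, sample attribute values and function names are this example's own.

```python
"""Added example, not from the book: evaluate the chapter's NT-DC discovery
filter against constructed computer objects to show how the bitwise matching
rule works. Names and sample values are this example's own."""

import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
SERVER_TRUST_ACCOUNT = 0x2000              # 8192: set on every domain controller
WORKSTATION_TRUST_ACCOUNT = 0x1000         # 4096: set on member workstations/servers
TRUSTED_FOR_DELEGATION = 0x80000           # 524288: commonly also set on DCs

# The filter from the chapter, on one line.
NT_DC_FILTER = ("(&(objectCategory=computer)(operatingSystemVersion=4*)"
                "(userAccountControl:" + BIT_AND_RULE + ":=8192))")

# A naive variant that uses plain equality on the bit mask.
NAIVE_FILTER = ("(&(objectCategory=computer)(operatingSystemVersion=4*)"
                "(userAccountControl=8192))")


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality with optional
    '*' wildcards, and the extensible 'attr:OID:=value' form.
    Returns a tree of ('&'|'|'|'!', [children]) or ('item', attr, rule, value)."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        item, pos = text[pos:end], end + 1
        m = re.fullmatch(r"([A-Za-z0-9-]+)(?::([0-9.]+):)?=(.*)", item)
        if not m:
            raise ValueError("unsupported filter item: " + item)
        attr, rule, value = m.groups()
        return ("item", attr.lower(), rule, value)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, obj):
    """Evaluate a parsed filter against one object (lower-case attribute
    names mapped to string values, as an LDAP client would return them)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, obj) for c in tree[1])
    if kind == "|":
        return any(matches(c, obj) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], obj)
    _, attr, rule, value = tree
    actual = obj.get(attr)
    if actual is None:
        return False                       # absent attribute never matches
    if rule == BIT_AND_RULE:
        mask = int(value)
        return int(actual) & mask == mask  # every bit of the mask must be set
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    if "*" in value:                       # substring match, case-insensitive
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return re.fullmatch(pattern, actual, re.IGNORECASE) is not None
    return actual.lower() == value.lower()


# Constructed sample objects, not real directory data. objectCategory is
# really a DN (CN=Computer,CN=Schema,...); AD resolves the short class name
# in filters, so the samples store the short form.
SAMPLE_COMPUTERS = [
    {"cn": "NT4BDC1", "objectcategory": "computer", "operatingsystemversion": "4.0",
     "useraccountcontrol": str(SERVER_TRUST_ACCOUNT)},
    {"cn": "NT4BDC2", "objectcategory": "computer", "operatingsystemversion": "4.0",
     "useraccountcontrol": str(SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)},
    {"cn": "DC2003A", "objectcategory": "computer", "operatingsystemversion": "5.2 (3790)",
     "useraccountcontrol": str(SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)},
    {"cn": "WKS-NT4", "objectcategory": "computer", "operatingsystemversion": "4.0",
     "useraccountcontrol": str(WORKSTATION_TRUST_ACCOUNT)},
]


def find_matching(objects, ldap_filter):
    """Return the cn of every object the filter selects, in inventory order."""
    tree = parse_filter(ldap_filter)
    return [o["cn"] for o in objects if matches(tree, o)]


if __name__ == "__main__":
    print("bitwise rule  :", find_matching(SAMPLE_COMPUTERS, NT_DC_FILTER))
    print("plain equality:", find_matching(SAMPLE_COMPUTERS, NAIVE_FILTER))
```

Against the sample inventory the chapter's filter returns both NT 4.0 BDCs, while the plain-equality variant misses NT4BDC2 because its userAccountControl also carries the TRUSTED_FOR_DELEGATION bit; the operatingSystemVersion wildcard is what keeps the Windows Server 2003 DC out of the result.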
Second, you need to physically locate all down-level DCs for the new functional level in the domain or forest as needed, and either upgrade or remove them.
Third, verify that end-to-end replication is working in the forest using the Windows Server 2003 versions of Repadmin.exe and Replmon.exe.
Finally, verify the compatibility of your applications and services with the version of Windows that your DCs will be running, and specifically their compatibility with the target functional level. Use a lab environment to test for compatibility issues, and contact the appropriate vendors for compatibility information.
Domain Functional Level
Before raising the functional level of a domain, all DCs must be upgraded to the minimum OS level as shown in Table 12.2. Remember that when you raise the domain functional level to Windows 2000 native or Windows Server 2003, it can never be changed back to Windows 2000 mixed mode. The steps that follow take you systematically through the process of verifying the current domain functional level. Then, we’ll step through the process of raising the domain functional level. To raise the level, you must be an enterprise administrator, a domain administrator in the domain you want to raise, or have the appropriate authority.
Verify the domain functional level
1. Log on as a Domain Admin of the domain you are checking.
2. Click on Start | Control Panel | Performance and Maintenance | Administrative Tools | Active Directory Users and Computers, or use the Microsoft Management Console (MMC) preconfigured with the Active Directory Users and Computers snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. In the Raise Domain Functional Level dialog box, the current domain functional level appears under Current domain functional level.
This check can also be performed using the Active Directory Domains and Trusts MMC snap-in.
Raise the domain functional level
1. Log on locally as a Domain Admin to the PDC or the PDC Emulator FSMO of the domain you are raising.
2. Click on Start | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. A dialog box will appear entitled Select an available domain functional level. There are only two possible choices, although both might not be available.
   • Select Windows 2000 native, and then click the Raise button to raise the domain functional level to Windows 2000 native.
   • Select Windows Server 2003, and then click the Raise button to raise the domain functional level to Windows Server 2003.
Forest Functional Level
Before raising the functional level of a forest, all DCs in the forest must be upgraded to the minimum OS level as shown in Table 12.2. In practice, since the only forest functional level that will be available to you is Windows Server 2003, all DCs in the forest must be running Windows Server 2003. Locate all down-level DCs and either upgrade them or remove them from the domain. You do not have to upgrade the domain functional level before the forest functional level. The reason for this is that all domains in the forest will automatically raise to the level of Windows Server 2003 to match the forest level after Active Directory replicates the changes. The forest Schema Master performs this operation. The steps below take you through the process of verifying the current forest functional level. You can then step through the process of raising the forest functional level. To raise the forest level, you must be an enterprise administrator, a domain administrator at the forest root, or have the appropriate authority.
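Pulling the Domain Functional Level and Forest Functional Level preparation together, here is an added Python example (not from the book) that encodes the Supported DCs column of Table 12.2 and the rules stated in those two sections: the raise dialogs only offer forward moves (Windows 2000 mixed to native or to Windows Server 2003, native or interim to Windows Server 2003, never back to a lower level), and a forest raise has to pass for every DC in every domain, because the domains are raised to match afterwards. Run against a constructed DC inventory, it returns the down-level DCs that still have to be upgraded or removed before the raise can succeed. The inventory, the OS family labels and the function names are this example's own.

```python
"""Added example, not from the book: a pre-flight check for raising a domain or
forest functional level, built from the Supported DCs column of Table 12.2 and
the chapter's rules on which raises are offered. The DC inventory is constructed
sample data and the function names are this example's own."""

# Operating systems a DC may run at each level (Table 12.2). "NT" is an NT 4.0
# BDC, "2000" a Windows 2000 DC, "2003" a Windows Server 2003 DC.
DOMAIN_LEVELS = {
    "Windows 2000 mixed": {"NT", "2000", "2003"},
    "Windows 2000 native": {"2000", "2003"},
    "Windows Server 2003 interim": {"NT", "2003"},
    "Windows Server 2003": {"2003"},
}
FOREST_LEVELS = {
    "Windows 2000": {"NT", "2000", "2003"},
    "Windows Server 2003 interim": {"NT", "2003"},
    "Windows Server 2003": {"2003"},
}

# Raises the Raise Functional Level dialogs offer. Interim is never a target
# here: it is only set during an NT 4.0 upgrade (dcpromo, Ldp.exe, Adsiedit.msc),
# and no level can be lowered again once raised.
DOMAIN_RAISES = {
    "Windows 2000 mixed": {"Windows 2000 native", "Windows Server 2003"},
    "Windows 2000 native": {"Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows Server 2003"},
    "Windows Server 2003": set(),
}
FOREST_RAISES = {
    "Windows 2000": {"Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows Server 2003"},
    "Windows Server 2003": set(),
}

# Constructed inventory: (DC name, domain, OS family), the shape an LDAP sweep
# of the forest for domain controllers might produce.
SAMPLE_DCS = [
    ("DC1", "cats.com", "2003"),
    ("DC2", "cats.com", "2003"),
    ("DC3", "eu.cats.com", "2000"),
    ("BDC1", "dogs.com", "NT"),
    ("DC4", "dogs.com", "2003"),
]


def blocking_dcs(dcs, supported, domain=None):
    """Names of DCs (in one domain, or forest-wide when domain is None)
    whose OS the target level does not support."""
    return [name for name, dom, os_family in dcs
            if (domain is None or dom == domain) and os_family not in supported]


def check_domain_raise(dcs, domain, current, target):
    """Can `domain` be raised from `current` to `target`? Returns a report
    listing the DCs that would have to be upgraded or removed first."""
    if target not in DOMAIN_RAISES[current]:
        return {"allowed": False, "blockers": [],
                "reason": current + " cannot be changed to " + target}
    blockers = blocking_dcs(dcs, DOMAIN_LEVELS[target], domain)
    return {"allowed": not blockers, "blockers": blockers,
            "reason": "down-level DCs present" if blockers else ""}


def check_forest_raise(dcs, current, target):
    """Forest-wide check: every DC in every domain must be supported by the
    target level, because the Schema Master then raises all domains to match.
    domains_raised lists the domains seen in the inventory that would change."""
    if target not in FOREST_RAISES[current]:
        return {"allowed": False, "blockers": [], "domains_raised": [],
                "reason": current + " cannot be changed to " + target}
    blockers = blocking_dcs(dcs, FOREST_LEVELS[target])
    return {"allowed": not blockers, "blockers": blockers,
            "domains_raised": sorted({dom for _, dom, _ in dcs}),
            "reason": "down-level DCs present" if blockers else ""}


if __name__ == "__main__":
    print(check_domain_raise(SAMPLE_DCS, "dogs.com",
                             "Windows 2000 mixed", "Windows 2000 native"))
    print(check_forest_raise(SAMPLE_DCS, "Windows 2000", "Windows Server 2003"))
```

With this inventory, dogs.com cannot leave Windows 2000 mixed while BDC1 remains, eu.cats.com cannot reach Windows Server 2003 while DC3 runs Windows 2000, and the forest raise is blocked by both even though cats.com itself is ready; once those two DCs are upgraded or removed, the forest check passes and all three domains are reported as raised with it.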
Verify the forest functional level
1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click on Start | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and Trusts folder and select Raise Forest Functional Level.
4. In the Raise Forest Functional Level dialog box, the current forest functional level appears under Current forest functional level.
Raise the forest functional level
1. Log on locally as an Enterprise Administrator on the PDC Emulator FSMO of the forest root domain you are raising.
2. Click on Start | All Programs | Administrative Tools | Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and Trusts folder and select Raise Forest Functional Level.
4. Where it asks you to Select an available forest functional level, click Windows Server 2003, and then click the Raise button.
Optimizing Your Strategy for Raising Functional Levels
There are two basic strategies for traveling the path from the Windows 2000 native level and Windows 2000 mixed-mode levels to the goal of Windows Server 2003 functional levels across your forest.
• The Windows 2000 native mode path.
  1. Raise the level of all domains to the Windows 2000 native functional level.
  2. Raise the forest level to Windows Server 2003.
  Benefits of this method include:
  • You do not have to perform the domain level-raising procedure on every domain before raising the forest level.
  • It automatically does the work of tracking down all down-level domains and DCs for you. The process fails if these exist, but then you have a ready list of preparation work to do. This is helpful if your forest is not well documented. See the sidebar If Raising the Forest Functional Level Fails for more information.
• The Windows Server 2003 level path.
  1. Raise the level of all domains to the Windows 2000 native functional level.
  2. Raise the level of all domains to the Windows Server 2003 functional level.
  3. Raise the forest level to Windows Server 2003.
  The benefits of this method are:
  • All of the new Windows Server 2003 domain-level features are turned on before you make the commitment to raising the level of the forest.
  • You can perform integration and interoperability testing on a smaller scale without committing the forest to the functional upgrade.
There are three basic approaches for the use of interim modes when upgrading Windows NT to Windows Server 2003. Interim level should be avoided if you will ever have a need to implement Windows 2000 DCs. Here are the three strategies:
• When upgrading the Windows NT PDC into a new Windows Server 2003 forest, select the interim level from the dcpromo utility.
• When upgrading the Windows NT PDC into an existing Windows Server 2003 forest, manually set the interim level with Ldp.exe or Adsiedit.msc, and join the forest during the upgrade. The upgraded domain inherits the interim setting from the forest.
• Upgrade or remove all Windows NT BDCs, and then upgrade the Windows NT PDC. Since no Windows NT DCs remain in the domain, the Windows Server 2003 interim functionality level is not needed.