Domain Modes and Functional Levels
Let us first discuss certain general domain and forest functionalities that, to some degree, are common for both Windows 2000 and Windows .NET domains.
Windows 2000 domains can operate in either the default mixed mode (when a domain can contain Windows NT 4.0 Backup Domain Controllers, BDCs) or native mode (when a domain contains only Windows 2000-based domain controllers).
When a domain's mode is changed to native, the following considerations should be taken into account:
■ Domain controllers (DC) no longer support NTLM replication; as a result, the domain's PDC Emulator (a DC that performs the role of Windows NT 4.0 Primary Domain Controller, PDC) cannot replicate data to Windows NT 4.0 BDCs, and Windows NT 4.0-based DCs cannot be added to the domain.
■ Domain controllers provide pass-through authentication that allows users and computers using pre-Windows 2000 systems to be authenticated in any domain in the forest (notwithstanding the fact that these systems do not support the Kerberos V5 protocol). Thus, they can use transitive trusts existing in an Active Directory forest and access resources in any domain.
In Windows .NET domains, a new term, functional level, is introduced. Functional levels are defined for a domain as well as for the forest.
The following table lists three available domain functional levels and DC types supported (or that can be introduced into the domain) at these levels:
Domain functional level       Domain controllers supported
Windows 2000 mixed (default)  Windows NT 4.0, Windows 2000, and Windows .NET
Windows 2000 native           Windows 2000 and Windows .NET
Windows .NET                  Windows .NET only
The first two levels correspond to the Windows 2000 modes, and the aforementioned considerations for native mode domains apply to the Windows 2000 native functional level, too.
Among the features that require the Windows .NET domain functional level is the Domain Controller Rename option (see later). Native mode Windows 2000 domains, as well as Windows .NET domains at the Windows 2000 native or Windows .NET domain functional level, support the following features: universal groups, group nesting, converting group types, and the SID History option (discussed in Chapter 13, "Migration and Directory Reorganization Tools").
Forest functional levels define features available across all domains within a forest. The following table lists two available forest functional levels and DC types supported at these levels:
Forest functional level  Domain controllers supported                    Domain functional levels permitted for existing or new domains
Windows 2000 (default)   Windows NT 4.0, Windows 2000, and Windows .NET  Any level
Windows .NET             Windows .NET only                               Windows .NET only
There is also a special Windows .NET Interim forest functional level that is only available when a Windows NT 4.0 domain is upgraded to a new Windows .NET forest, which does not contain domain controllers running Windows 2000. (When upgrading a Windows NT 4.0 domain, you might also be interested in the Q284937 and Q298713 articles from the Microsoft Knowledge Base.)
The forest-wide features available at the Windows .NET forest functional level are listed later in this chapter.
Keep in mind the following information regarding the domain modes or forest/domain functional levels:
■ It is impossible to change a domain mode from native to mixed mode or to lower a functional level without re-installing Active Directory in this domain or in the entire forest.
■ Domains in a forest are not required to operate in the same mode or at the same functional level.
■ The native mode or a functional level higher than the Windows 2000 mixed level has no impact (except for the pass-through authentication ability) on down-level clients such as Windows 9x/ME or Windows NT (with or without the Active Directory Client extension). This is also the case with trusts between the local domain and any external domains (Windows NT 4.0, Windows 2000 or Windows .NET). However, remember that any external trust is always explicit, unidirectional (one-way), and non-transitive (except for forest trusts).
To learn how to change a domain mode or to raise a domain/forest functional level, see Chapter 5, "Installing Active Directory".
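The two tables and the "keep in mind" rules above can be turned into a pre-flight check that an administrator runs before raising a level, since the change cannot be undone. The following is an added example, not code from the book: it decodes the Active Directory attributes that store the mode and level (ntMixedDomain and msDS-Behavior-Version, which the text does not name) and reports why a proposed domain or forest raise would be refused. The DC version labels "NT4", "2000" and ".NET" are assumed shorthand.

```python
# Added example: model the domain/forest functional-level rules from the tables
# above and decode the attributes in which Active Directory records them.
# The attribute names are not on the page; the version labels are constructed.

MIXED, NATIVE, INTERIM, DOTNET = (
    "Windows 2000 mixed", "Windows 2000 native", "Windows .NET interim", "Windows .NET")
DOMAIN_ORDER = [MIXED, NATIVE, INTERIM, DOTNET]   # levels can only move rightwards

# Domain controller versions each level allows (first table; interim allows no
# Windows 2000 DCs, as described for the upgrade-only interim level).
DCS_ALLOWED = {
    MIXED:   {"NT4", "2000", ".NET"},
    NATIVE:  {"2000", ".NET"},
    INTERIM: {"NT4", ".NET"},
    DOTNET:  {".NET"},
}

def domain_level_from_attrs(nt_mixed_domain: int, behavior_version: int) -> str:
    """Decode ntMixedDomain and msDS-Behavior-Version read from the domain NC head.
    behavior_version 0 = Windows 2000 (ntMixedDomain 1 = mixed, 0 = native),
    1 = Windows .NET interim, 2 = Windows .NET."""
    if behavior_version >= 2:
        return DOTNET
    if behavior_version == 1:
        return INTERIM
    return MIXED if nt_mixed_domain == 1 else NATIVE

def check_domain_raise(current: str, target: str, dc_versions) -> list:
    """Return the reasons a domain-level change is not allowed ([] = allowed)."""
    problems = []
    if DOMAIN_ORDER.index(target) < DOMAIN_ORDER.index(current):
        problems.append("levels cannot be lowered without reinstalling Active Directory")
    unsupported = set(dc_versions) - DCS_ALLOWED[target]
    if unsupported:
        problems.append(f"{target} does not support DCs running {sorted(unsupported)}")
    return problems

def check_forest_raise(target: str, domain_levels) -> list:
    """The Windows .NET forest level requires every domain to already be at Windows .NET
    (second table); the Windows 2000 forest level permits any domain level."""
    if target == DOTNET:
        lagging = [lvl for lvl in domain_levels if lvl != DOTNET]
        return [f"{len(lagging)} domain(s) are still below {DOTNET}"] if lagging else []
    return []

if __name__ == "__main__":
    # Constructed inventory: one lingering NT 4.0 BDC blocks the raise to native mode.
    print(check_domain_raise(MIXED, NATIVE, ["NT4", "2000", ".NET"]))
```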