Double-Secret Forest Functional Level

New! Windows admin tips, tricks, and secrets. First up: migration via the "interim" forest functional level.

Welcome aboard! The Windows Tip Sheet will provide you with Windows administration tips, tricks, and secrets, all intended to make your life as a Windows administrator easier. Sound familiar? If you've read my print column, Windows Tips & Tricks, it's like that, only you'll get brand new, timely tips primarily on Windows Server 2003 and Windows XP Pro—but don't be surprised to see Windows 2000 tips sneaking their way in, too. I'll also try to provide links to other helpful content I've found on the Web: useful tools, articles, and so forth. And because I know your time is valuable, I'm going to keep these tips as short and to the point as possible, so you can use them and get on with the latest fire you're fighting. As always, I welcome your input and suggestions—send 'em to me at [email protected].

And without further ado, on with the show: a "secret" Windows Server 2003 forest functional level that's a real help for organizations that are migrating.

On a recent consulting gig for BrainCore.Net, my client asked about Windows Server 2003's "Interim" forest functional level. They'd heard it was ideal for a WinNT-to-Windows 2003 migration, because it would allow them to get maximum functionality from their domains, while maintaining the ability to have NT domain controllers. Problem was, they couldn't find this interim level anywhere in the Windows 2003 user interface. Not surprising, since this functional level is completely hidden.

Microsoft has an online doc at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbe_upnt_oqvm.asp that explains—sort of—how this additional functional level operates. The rules are as follows: All domain controllers in the forest must be running Windows 2003, but the forest functional level must still be at Windows 2000. The forest root domain must be at Windows 2000 mixed, which is the lowest functional level.

By raising the forest functional level to Interim, several cool things can happen. For one, any domain whose domain controllers all run Windows 2003 can raise its domain functional level to Windows Server 2003, enabling maximum functionality. However, lower-level domains can still exist, allowing those domains to contain NT domain controllers. Essentially, an organization can migrate domains slowly but take advantage of improved functionality sooner in fully upgraded domains—there's no need to wait for every domain to be completely upgraded.

Once your forest is in Interim level, you can still upgrade NT PDCs and join them to the existing forest when Active Directory installs. The domain that the PDC controls will be automatically set to the Interim domain functional level. However, once at the Interim level, the forest can no longer contain Windows 2000 domain controllers—it can only contain NT and Windows 2003.

Actually raising the functional level to Interim is less than intuitive. You'll need to use the ADSI Edit tool. Start by expanding the Configuration partition, and then expanding CN=Configuration, DC=(forestname), DC=(domainname), DC=com. Then, right-click CN=Partitions, and select Properties. In the dialog that appears, select the "msDS-Behavior-Version" attribute, and click Edit. In the "Value" field, type 1 for Interim level, and click OK. As with other functional level changes, this is a one-way trip, so make sure you know what you're doing!
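Because the ADSI Edit change is irreversible, it's worth checking the forest first. The following PowerShell script is an added example (not from the column or from Microsoft): it reads the current msDS-Behavior-Version value on CN=Partitions, shows the forest and domain functional levels through the .NET System.DirectoryServices.ActiveDirectory classes, and lists every domain controller's operating system so you can spot any Windows 2000 DCs, which the Interim level can't coexist with. It assumes a domain-joined machine with read access to the Configuration partition, and it changes nothing.

```powershell
# Added example, not code from the column: audit a forest before the one-way
# msDS-Behavior-Version change. Read-only; assumes a domain-joined host with
# read access to the Configuration partition and no extra modules installed.

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDse = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value

# The raw attribute that ADSI Edit modifies. An absent attribute is treated
# as 0 (Windows 2000), which is what older forests show.
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"
$rawLevel = $partitions.Properties['msDS-Behavior-Version'].Value
if ($null -eq $rawLevel) { $rawLevel = 0 }

# Values relevant to this column: 0 = Windows 2000, 1 = Interim, 2 = 2003.
$levelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
}
$levelName = if ($levelNames.ContainsKey([int]$rawLevel)) {
    $levelNames[[int]$rawLevel]
} else {
    "value $rawLevel (newer than this table)"
}

"Forest: {0}" -f $forest.Name
"Forest functional level (API view): {0}" -f $forest.ForestMode
"msDS-Behavior-Version on CN=Partitions: {0} ({1})" -f $rawLevel, $levelName
""

# Walk every domain and its AD domain controllers. NT4 BDCs are not AD
# objects of this kind, so they will not appear; Windows 2000 DCs will,
# and those are the ones that block the Interim level.
$blocking = @()
foreach ($domain in $forest.Domains) {
    "Domain {0}: functional level {1}" -f $domain.Name, $domain.DomainMode
    foreach ($dc in $domain.DomainControllers) {
        "    {0,-30} {1}" -f $dc.Name, $dc.OSVersion
        if ($dc.OSVersion -like 'Windows 2000*') { $blocking += $dc.Name }
    }
}

""
if ($blocking.Count -gt 0) {
    "Interim level is not possible yet; Windows 2000 domain controllers present:"
    $blocking | ForEach-Object { "    $_" }
} else {
    "No Windows 2000 domain controllers found (NT4 BDCs are not listed here)."
}
```

Run it from a domain-joined workstation as an account that can read the Configuration partition (any authenticated user can, by default). If the last line reports Windows 2000 DCs, demote or upgrade them before touching the attribute; if the msDS-Behavior-Version line already shows 1 or 2, the forest has already made its one-way trip.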

Micro Tip Sheet

If you haven't paid much attention to patch management lately, wake up! Microsoft is preparing a new release of Software Update Services that will offer tons more functionality and the ability to manage application updates (like Microsoft Office) in addition to Windows updates.

Running Windows Server 2003? Did you know Microsoft didn't include the entire product on the CD? Well, they did, but a lot of functionality was released later and is available in free, downloadable feature packs from http://www.microsoft.com/windowsserver2003/downloads/featurepacks/default.mspx. There are about a dozen and counting, so far.

Did you know that Windows 2003 and Windows XP don't define a default Data Recovery Agent for the Encrypting File System? Without a DRA, encrypted files are lost forever if the encrypting user's account is deleted. Make sure your users aren't encrypting files that your company won't be able to retrieve!

More Resources
Advanced features of Windows 2003 domains and forests: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbk_pfl_overview.asp

Overview of NT-to-Windows 2003 migration: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbe_upnt_overview.asp

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.