Double-Secret Forest Functional Level
New! Windows admin tips, tricks, and secrets. First up: migration via the "interim" forest functional level.
- By Don Jones
- March 12, 2004
The Windows Tip Sheet will provide you with Windows administration tips, tricks, and secrets, all intended to make your life as a Windows administrator easier. Sound familiar? If you've read my print column, Windows Tips & Tricks, it's like that, only you'll get brand new, timely tips primarily on Windows Server 2003 and Windows XP Pro—but don't be surprised to see Windows 2000 tips sneaking their way in, too. I'll also try to provide links to other helpful content I've found on the Web: useful tools, articles, and so forth. And because I know your time is valuable, I'm going to keep these tips as short and to the point as possible, so you can use them and get on with the latest fire you're fighting. As always, I welcome your input and suggestions—send 'em to me at firstname.lastname@example.org.
And without further ado, on with the show: a "secret" Windows Server 2003 forest functional level that's a real help for organizations that are migrating.
On a recent consulting gig for BrainCore.Net, my client asked about Windows Server 2003's "Interim" forest functional level. They'd heard it was ideal for a WinNT-to-Windows 2003 migration, because it would allow them to get maximum functionality from their domains while maintaining the ability to have NT domain controllers. Problem was, they couldn't find this interim level anywhere in the Windows 2003 user interface. Not surprising, since this functional level is completely
Microsoft has an online doc at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/deployguide/dssbe_upnt_oqvm.asp that explains—sort of—how this additional functional level operates. The rules are as follows: All domain controllers in the forest must be running Windows 2003, but the forest functional level must still be at Windows 2000. The forest root domain must be at Windows 2000 mixed, which is the lowest
By raising the forest functional level to Interim, several cool things can happen. For one, any domain whose domain controllers are all running Windows 2003 can raise its domain functional level to Windows Server 2003, enabling maximum functionality. However, lower-level domains can still exist, allowing those domains to contain NT domain controllers. Essentially, an organization can migrate domains slowly but take advantage of improved functionality sooner in fully upgraded domains—there's no need to wait for every domain to be completely upgraded.
Once your forest is at the Interim level, you can still upgrade NT PDCs and join them to the existing forest when Active Directory installs. The domain that the PDC controls will automatically be set to the Interim domain functional level. However, once at the Interim level, the forest can no longer contain Windows 2000 domain controllers—it can only contain NT and Windows 2003.
Actually raising the functional level to Interim is less than intuitive. You'll need to use the ADSI Edit tool. Start by expanding the Configuration partition, and then expanding CN=Configuration, DC=(forestname), DC=(domainname), DC=com. Then, right-click CN=Partitions, and select Properties. In the dialog that appears, select the "msDS-Behavior-Version" attribute, and click Edit. In the "Value" field, type 1 for the Interim level, and click OK. As with other functional level changes, this is a one-way trip, so make sure you know what you're doing!
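Because the change is one-way and the GUI gives you no sanity check, here is a PowerShell version of the same ADSI steps that reports before it writes. This is an added example, not part of the column or any Microsoft tool: it reads msDS-Behavior-Version from CN=Partitions, shows the levels RootDSE advertises, lists the domain controllers registered in the current domain with their operatingSystem attribute (Interim cannot coexist with Windows 2000 DCs), and writes the value 1 only when you pass -Apply and the forest is still at the Windows 2000 level. It assumes you run it on a domain controller in the forest root domain as a member of Enterprise Admins; the script name used in the usage note is made up.

```powershell
<#
  Added example (not from the column): read-first equivalent of the ADSI Edit
  procedure for the Windows Server 2003 Interim forest functional level.
  Assumes: run on a DC in the forest root domain, as Enterprise Admin.
#>
param(
    [switch]$Apply   # omit to report only; nothing is written without it
)

# msDS-Behavior-Version values for the forest: 0 = 2000, 1 = 2003 Interim, 2 = 2003
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 Interim'; 2 = 'Windows Server 2003' }

# RootDSE supplies the naming contexts and the effective functional levels
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value

# Same object and attribute you would edit by hand in ADSI Edit
$partitions  = [ADSI]"LDAP://CN=Partitions,$configNc"
$forestLevel = [int]$partitions.Get('msDS-Behavior-Version')

Write-Host ("msDS-Behavior-Version on CN=Partitions: {0} ({1})" -f $forestLevel, $levelNames[$forestLevel])
Write-Host ("RootDSE forestFunctionality           : {0}" -f $rootDse.forestFunctionality.Value)
Write-Host ("RootDSE domainFunctionality           : {0}" -f $rootDse.domainFunctionality.Value)
Write-Host ("RootDSE domainControllerFunctionality : {0}" -f $rootDse.domainControllerFunctionality.Value)

# Inventory the DCs before the one-way change. userAccountControl bit 8192
# (SERVER_TRUST_ACCOUNT) marks a DC computer object. This searches only the
# current domain; repeat per domain in a multi-domain forest.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'operatingSystem'))

$hasWindows2000Dc = $false
Write-Host "Domain controllers in $domainNc :"
foreach ($dc in $searcher.FindAll()) {
    $os = if ($dc.Properties['operatingsystem'].Count) { $dc.Properties['operatingsystem'][0] } else { '(operatingSystem not set)' }
    Write-Host ("  {0,-20} {1}" -f $dc.Properties['cn'][0], $os)
    if ($os -like '*2000*') { $hasWindows2000Dc = $true }
}

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to set the Interim level (1).'
    return
}

# Guard rails: Interim cannot coexist with Windows 2000 DCs, and the forest
# must still be at the Windows 2000 level for the value 1 to make sense.
if ($hasWindows2000Dc) {
    Write-Warning 'Windows 2000 domain controllers found; Interim level cannot be used. Nothing written.'
    return
}
if ($forestLevel -ne 0) {
    Write-Warning ("Forest is already at level {0} ({1}); nothing written." -f $forestLevel, $levelNames[$forestLevel])
    return
}

# Equivalent of typing 1 into the Value field and clicking OK. One-way trip.
$partitions.Put('msDS-Behavior-Version', 1)
$partitions.SetInfo()
Write-Host 'msDS-Behavior-Version on CN=Partitions set to 1 (Windows Server 2003 Interim).'
```

Run it once without parameters (for instance `.\Set-InterimLevel.ps1`) and read the DC inventory; only when every DC listed is NT or Windows 2003 and the forest shows level 0 should you run it again with `-Apply`. Keeping the write behind an explicit switch is deliberate, since there is no way back once SetInfo() commits the new value.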
If you haven't paid much attention to patch management lately, wake up! Microsoft is preparing a new release of Software Update Services that will offer tons more functionality and the ability to manage application updates (like Microsoft Office) in addition to Windows
Running Windows Server 2003? Did you know Microsoft didn't include the entire product on the CD? Well, they did, but a lot of functionality was released later and is available in free, downloadable feature packs from
There's about a dozen and counting, so far.
Did you know that Windows 2003 and Windows XP don't define a default Data Recovery Agent for the Encrypting File System? Without a DRA, encrypted files are lost forever if the encrypting user's account is deleted. Make sure your users aren't encrypting files that your company won't be able to retrieve!
Advanced features of Windows 2003 domains and forests: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/
Overview of NT-to-Windows 2003 migration: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.