Raising the Functional Level of a Windows Server 2003 Forest

Raising the Functional Level of a Windows Server 2003 Forest


You want to raise the functional level of a Windows Server 2003 forest. You should raise the functional level of a forest as soon as possible after installing a new Windows Server 2003 forest or upgrading from a Windows 2000 forest to take advantage of the new features and enhancements available in Windows Server 2003.


Using a graphical user interface
  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).

  2. In the left pane, right-click on Active Directory Domains and Trusts and select Raise Forest Functional Level.

  3. Select Windows Server 2003 Functional Level and click OK.

After a few seconds you should see a message stating whether the operation was successful.

Using a command-line interface

To retrieve the current forest functional level, use the following command:

	> dsquery * <ForestRootDN> -scope base -attr msDS-Behavior-Version

Or you can use the AdFind utility found at http://www.joeware.net, producing the following output:

	> adfind -b <ForestRootDN> -s base ms-DS-Behavior-Version
	> AdFind V01.27.00cpp Joe Richards ([email protected]) November 2005
	> Using server: dc1.rallencorp.com:389
	> Directory: Windows Server 2003
	> dn:cn=Partitions,CN=Configuration,dc=rallencorp,dc=com
	> >ms-DS-Behavior-Version: 0
	> 1 Objects returned

To change the functional level to Windows Server 2003, create an LDIF file called raise_forest_func_level.ldf with the following contents:

	dn: cn=partitions,cn=configuration,<ForestRootDN>
	changetype: modify
	replace: msDS-Behavior-Version
	msDS-Behavior-Version: 2

Next, run ldifde to import the change.

	> ldifde -i -f raise_forest_func_level.ldf

Or else you can use the AdMod utility as follows:

	> admod -b <ForestDN> "msDS-Behavior-Version::2"

This will display results similar to the following:

	> AdMod V01.06.00cpp Joe Richards ([email protected]) June 2005
	> DN Count: 1
	> Using server: dc1.rallencorp.com
	> Modifying specified objects…
	> DN: cn=Partitions,cn=Configuration,dc=rallencorp,dc=com…
	> The command completed successfully

Using VBScript
	' This code changes the functional level of the the forest the
	' user running the script is logged into to Windows Server 2003.

	set objRootDSE = GetObject("LDAP://RootDSE")
	set objDomain = GetObject("LDAP://cn=partitions," &_
	                           objRootDSE.Get("configurationNamingContext") )
	if objDomain.Get("msDS-Behavior-Version") < 2 then
	   Wscript.Echo "Attempting to change forest to " &  _
	                "Windows Server 2003 functional level … "
	   objDomain.Put "msDS-Behavior-Version", 2
	   Wscript.Echo "Forest already at Windows Server 2003 functional level"
	end if


Windows Server 2003 forest functional levels are very similar to domain functional levels. In fact, Table 2-4 applies to forest functional levels as well, except that the list of available operating systems applies to all domain controllers in the forest not just a single domain. So even if just one of the domains in the forest is at the Windows 2000 domain functional level, you cannot raise the forest above the Windows 2000 forest functional level. If you attempt to do so you will receive an error that the operation cannot be completed. After you raise the last Windows 2000 domain functional level to Windows Server 2003, you can then raise the forest functional level as well.

You may be wondering why there is a need to differentiate between forest and domain functional levels. The primary reason is new features. Some new features of Windows Server 2003 Active Directory require that all domain controllers in the forest are running Windows Server 2003. To ensure all domain controllers are running a certain operating system throughout a forest, Microsoft had to apply the functional level concept to forests as well as domains. For more information on the new features that are available with each functional level, see Chapter 1 of Active Directory, Third Edition, by Joe Richards et al. (O'Reilly).

The forest functional level is stored in the msDS-Behavior-Version attribute of the Partitions container in the Configuration NC. For example, in the rallencorp.com forest, it would be stored in cn=partitions,cn=configuration,dc=rallencorp,dc=com. The value contained in msDS-Behavior-Version is mirrored to the forestFunctionality attribute of the RootDSE, which means you can find the functional level of the forest by querying the RootDSE.

One of the benefits of the GUI solution is that if a problem is encountered, you can save and view the output log, which will contain information on any errors that were encountered.

See Also

Recipe 2.9 for changing domain mode, Recipe 2.10 for raising the functional level of a Windows Server 2003 domain, Recipe 2.12 for preparing a forest with AdPrep, Chapter 1 of Active Directory, Third Edition, by Joe Richards et al. (O'Reilly), and MS KB 322692 (How to Raise the Domain Functional Level in Windows Server 2003)

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows