How Active Directory Functional Levels Work

Applies To: Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • The Architecture of Active Directory Functional Levels

  • Physical Structure for Active Directory Functional Levels

  • Processes and Interactions with Active Directory Functional Levels

  • Related Information

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

Different Active Directory features are available at different functional levels. Raising domain and forest functional levels is required to enable certain new features as domain controllers are upgraded from earlier versions of Windows Server to later versions. Even for a new installation of Windows Server 2003 Active Directory (as opposed to an upgrade), an administrator must raise functional levels to obtain the full capabilities of Windows Server 2003 Active Directory. However, in Windows Server 2008 and Windows Server 2008 R2, you can select a domain or forest functional level during the installation of Active Directory Domain Services (AD DS).

The Architecture of Active Directory Functional Levels

Active Directory functional levels are of two types, as shown in the following table.

Domain and Forest Functional Levels

Domain functional level: enables features that affect the entire domain and that domain only, and controls which Windows Server operating systems can run on domain controllers in that domain.

Forest functional level: enables features across all domains in the forest, and controls which Windows Server operating systems can run on domain controllers in every domain of the forest.

The following table shows the relationship between domain and forest functional levels. The forest functional level can never exceed the level of any domain in the forest (raising the forest raises lagging domains with it, as described under Raising Forest Functional Levels), and the domain functional level can never be lower than the forest functional level.

Relationship Between Domain and Forest Functional Levels

Domain Functional Level        Forest Functional Level
Windows 2000 mixed             Windows 2000
Windows 2000 native            Windows 2000
Windows Server 2003            Windows Server 2003
Windows Server 2008            Windows Server 2008
Windows Server 2008 R2         Windows Server 2008 R2

Another domain functional level, Windows Server 2003 interim, is available for upgrades directly from Windows NT 4.0 to Windows Server 2003.

Default Windows Server 2003 Active Directory Features Available with All Functional Levels

Although many new features in Windows Server 2003 Active Directory have operational requirements that are available only at specific functional levels, most Windows Server 2003 Active Directory features are available by default at all functional levels. When the first Windows Server 2003–based domain controller is deployed in a domain or forest, a set of default Active Directory features becomes available. The following table summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003.

Default Windows Server 2003 Active Directory Features

Feature Functionality

Multiple selection of user objects

Allows you to modify common attributes of multiple user objects at one time.

Drag and drop functionality

Allows you to move Active Directory objects from container to container by dragging one or more objects to a location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.

Efficient search capabilities

Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.

Saved queries

Allows you to save commonly used search parameters for reuse in Active Directory Users and Computers.

Active Directory command-line tools

Allows you to run new directory service commands for administration scenarios.

InetOrgPerson class

The InetOrgPerson class has been added to the base schema as a security principal. It can be used in the same manner as the user class.

Application directory partitions

Allows you to configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.

Ability to add additional domain controllers by using backup media

Reduces the time it takes to add an additional domain controller in an existing domain by using backup media.

Universal group membership caching

Prevents the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller running Windows Server 2003.

Secure Lightweight Directory Access Protocol (LDAP) traffic

Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the data comes from a known source and has not been tampered with in transit (origin authentication and integrity); encryption keeps its contents confidential.

Partial synchronization of the global catalog

Provides improved replication of the global catalog when schema changes add attributes to the global catalog partial attribute set. Only the new attributes are replicated, not the entire global catalog.

Active Directory quotas

Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Members of the Domain Admins and Enterprise Admins groups are exempt from quotas.

For more information about new AD DS features in Windows Server 2008, see What's New in AD DS in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=180673). For more information about new AD DS features in Windows Server 2008 R2, see What's New in Active Directory Domain Services (https://go.microsoft.com/fwlink/?LinkId=139655).

Domain Functional Level

Domain functional levels represent the extension of the mixed and native domain modes that were available in Windows 2000:

  • In Windows 2000 Active Directory, certain features are enabled only when all domain controllers in a domain are running Windows 2000 and the domain mode is set to native mode. Otherwise, the domain is running in mixed mode, where only features that are compatible with Windows NT 4.0–based domain controllers are operational. The domain administrator must change the mode from mixed to native and ensure that Windows NT 4.0–based domain controllers are no longer required in the domain.

  • In AD DS, the domain functional levels that correspond to mixed mode and native mode are the Windows 2000 mixed and Windows 2000 native functional levels, respectively. Raising the domain functional level from Windows 2000 mixed to Windows 2000 native is still based on the discretion of the administrator, and Active Directory does not verify that the domain has no Windows NT 4.0–based domain controllers in the domain.

Before a domain can be raised to other functional levels, all domain controllers in the domain must be running a corresponding or later version of Windows Server. For example, before a domain can be raised to the Windows Server 2008 domain functional level, all domain controllers must be running Windows Server 2008 or Windows Server 2008 R2. Before allowing the administrator to raise a domain to this functional level, AD DS verifies that all domain controllers in the domain are running an appropriate version of Windows Server.

For those organizations that are upgrading from Windows NT 4.0 directly to Windows Server 2003, another domain functional level called Windows Server 2003 interim accommodates only domain controllers that are running Windows NT 4.0 and Windows Server 2003; it excludes Windows 2000–based domain controllers. For more information about this interim domain functional level, see “Functional Level When Upgrading Windows NT 4.0 Domains” later in this section.

Just as in Windows 2000, where you could not revert a domain from native mode to mixed mode, raising the domain functional level is not reversible, except for specific situations in Windows Server 2008 R2. For more information, see Active Directory Functional Level Dependencies and Rollback Options. The only change that occurs in an environment when the functional level is raised is the availability of advanced Active Directory features.

The default domain functional level for a new Windows Server 2003 installation or upgrade is Windows 2000 mixed in all cases, except when you are upgrading a Windows 2000 domain that is in native mode. In this case, the default domain functional level is Windows 2000 native.

For new domain installations in Windows Server 2008 and Windows Server 2008 R2, the default domain functional level is automatically computed and set to the existing forest functional level or the value that is set for the forest functional level when you run Dcpromo.exe.

Features Enabled by the Domain Functional Level

Various features are enabled at different domain functional levels, and only certain operating systems are supported on domain controllers at each level. For more information, see Understanding AD DS Functional Levels (https://go.microsoft.com/fwlink/?LinkId=180702).

Forest Functional Level

Forest functional levels are new in Windows Server 2003. Features that become available at forest functional levels must be compatible with all domain controllers in the forest.

Features Enabled at Forest Functional Levels

Various features are enabled at different forest functional levels, and only certain operating systems are supported on domain controllers at each level. For more information, see Understanding AD DS Functional Levels (https://go.microsoft.com/fwlink/?LinkId=180702).

As a side effect of raising the forest functional level to Windows Server 2003, the following new attributes are replicated to the partial attribute set of the global catalog:

  • Ms-DS-Trust-Forest-Trust-Info

  • Trust-Direction

  • Trust-Attributes

  • Trust-Type

  • Trust-Partner

  • Security Identifier

  • Ms-DS-Entry-Time-To-Die

  • MSMQ-Secured-Source

  • MSMQ-Multicast-Address

  • Print-Memory

  • Print-Rate

  • Print-Rate-Unit

  • MS-DRM-Identity-Certificate

When the forest functional level is Windows Server 2003 or Windows Server 2003 interim, every global catalog server is a Windows Server 2003 domain controller. Therefore, the replication traffic caused by adding these attributes to the partial attribute set is not significant, because Windows Server 2003 introduces partial synchronization of the global catalog: only the new attributes are replicated, not the entire global catalog.

Functional Level for Windows Server 2008 and Windows Server 2008 R2 Deployments

In a new deployment of AD DS that does not involve upgrading an existing domain, if the first domain controller in the forest is running Windows Server 2008 or Windows Server 2008 R2, you can choose the forest and domain functional levels during the AD DS installation of the first domain controller in the forest root domain. You can choose the domain functional level during the AD DS installation of the first domain controller for each additional domain in the forest. You can choose different functional level values for the forest and for each domain that you create within the forest, but the domain functional level can never be lower than the forest functional level.

If you do not specify a higher value when you create the forest root domain for Windows Server 2008, the default forest functional level is Windows 2000. If you do not specify a higher value when you create the forest root domain for Windows Server 2008 R2, the default forest functional level is Windows Server 2003.

If you do not specify a higher value when you create a domain in Windows Server 2008 or Windows Server 2008 R2, the default domain functional level is set to the current value of the forest functional level or, in the case of the forest root domain, the value that you choose for the forest functional level during the installation of AD DS.

Functional Level for Windows Server 2003 Deployments

In a new deployment of Windows Server Active Directory that does not involve upgrading an existing domain, the first domain controller is created by installing Active Directory on a server that is running Windows Server 2003 and it becomes the domain controller for the forest root domain. The forest functional level of the newly created forest is Windows 2000 and the domain functional level is Windows 2000 mixed. Immediately raising the domain level and then the forest level to Windows Server 2003 provides full Windows Server 2003 functionality with no further intervention. All domains created subsequently in the forest are created at the Windows Server 2003 functional level.

Functional Level When Upgrading Windows NT 4.0 Domains

Active Directory provides an intermediate functional level called Windows Server 2003 interim for user environments that currently have only Windows NT 4.0-based domain controllers and that have the following domain upgrade plans:

  • Plan to upgrade to a Windows Server 2003 forest directly from Windows NT 4.0.

  • Do not plan to install domain controllers running Windows 2000 at any time.

Moving to the Windows Server 2003 interim forest functional level is especially useful for deployments that have large groups (more than 5,000 members), which an upgrade to Windows 2000 would require breaking into smaller groups. Windows 2000 replication limits the size of groups; Windows Server 2003 replication supports groups of more than 5,000 members because of linked-value replication, which is available only if the forest functional level is Windows Server 2003 interim or higher.

Note

  • The Windows Server 2003 interim functional level does not support domain controllers that are running Windows 2000, Windows Server 2008, or Windows Server 2008 R2. For this reason, if domain controllers that run Windows 2000, Windows Server 2008, or Windows Server 2008 R2 are in your current deployment or there are plans to install them in the future, do not use the Windows Server 2003 interim functional level.

Physical Structure for Active Directory Functional Levels

Each functional level has requirements that are enforced by AD DS. AD DS includes an attribute that enables domain controllers to recognize the current functional level of any domain and of the forest. A numbering system identifies the different functional levels. The Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 operating systems also use these level numbers as built-in indicators that enable domain controllers to identify the highest and lowest levels they support.

Internal Representation of Functional Levels

Internally, functional levels are represented as non-negative integers. The following table lists the domain and forest functional levels that are available in AD DS and their corresponding integer values.

Active Directory Domain and Forest Functional Levels

Value   Domain Functional Level          Forest Functional Level
0       Windows 2000 mixed               Windows 2000
0       Windows 2000 native              Windows 2000
1       Windows Server 2003 interim      Windows Server 2003 interim
2       Windows Server 2003              Windows Server 2003
3       Windows Server 2008              Windows Server 2008
4       Windows Server 2008 R2           Windows Server 2008 R2

Both the Windows 2000 mixed and the Windows 2000 native domain functional levels are internally represented by the integer 0; the two are distinguished by the ntMixedDomain attribute on the domain object, described later in this section.

Storage of Functional Levels

In an AD DS forest, the functional levels of domain controllers, domains, and forests are stored in the msDS-Behavior-Version attribute. This attribute is present on three different objects in the directory, each of which is authoritative for identifying the functional level of one of these three respective scopes (domain controller, domain, or forest). When enforcing domain and forest functional levels, Active Directory uses the value of msDS-Behavior-Version on the appropriate object to detect the current functional level.

Note

  • The functional level of a domain controller cannot be raised. Its functional level is fixed by the operating system.

The following table summarizes the storage of functional levels in the msDS-Behavior-Version attribute on the three defining objects and the directory partition in which each object is located.

Storage of Functional Levels in the msDS-Behavior-Version Attribute

Functional Level Scope   Object                                                  Directory Partition Where Object Is Located
Domain controller        NTDS Settings object (class nTDSDSA)                    Configuration
Domain                   Domain object (class domainDNS)                         Domain
Forest                   Partitions container object (class crossRefContainer)   Configuration

Storage of Domain Controller Functional Levels

Beginning with Windows Server 2003, the operating system has two built-in, fixed values that identify the functional levels of AD DS with which it is compatible, as follows:

  • A fixed value that indicates the highest functional level that is supported by the current product release. Windows Server 2003 operating systems have a value of 2, indicating that Windows Server 2003 is the highest functional level supported; Windows Server 2008 has a value of 3 and Windows Server 2008 R2 a value of 4. Because Windows 2000 and Windows NT 4.0 do not recognize functional levels, a domain controller running one of these operating systems has an implied highest functional level value of 0.

  • A fixed value that indicates the lowest functional level that is supported by the current product release. Windows Server 2003 operating systems have a value of 0, indicating that they support both Windows 2000 and Windows NT 4.0. Windows 2000 and earlier operating systems have an implied lowest functional level value of 0.

AD DS uses these values to prohibit introduction of domain controllers that are running incompatible operating systems into the domain or forest.

When AD DS is installed to create a domain controller, the highest fixed value that is present in the operating system is stored in the msDS-Behavior-Version attribute of the NTDS Settings object (class nTDSDSA) associated with the domain controller. This value indicates the functional level of the domain controller. The NTDS Settings object is stored in the configuration directory partition (cn=NTDS Settings,cn=ServerName,cn=Servers,cn=SiteName,cn=Sites,cn=Configuration,dc=ForestRootDomainName). Because every domain controller holds a copy of the configuration directory partition, any domain controller can discover the functional level of any other domain controller in the forest.

Absence of this attribute on the NTDS Settings object indicates that the domain controller is running Windows 2000, and is treated as having a value of 0. Windows NT 4.0–based domain controllers do not have an NTDS Settings object.

Storage of Domain Functional Levels

The functional level of a domain is identified by the value in the msDS-Behavior-Version attribute on the domain object (class domainDNS) at the root of the domain directory partition (for example, dc=DomainName,dc=ForestRootDomainName for a child domain, or dc=ForestRootDomainName for the forest root domain). On the basis of this value, certain features are enabled that have an impact in the scope of a single domain only. Absence of this attribute on a domain object is equivalent to domain functional level 0.

Storage of Forest Functional Levels

The functional level of a forest is identified by the value in the msDS-Behavior-Version attribute on the Partitions container object (class crossRefContainer) in the configuration directory partition (cn=Partitions,cn=Configuration,dc=ForestRootDomainName). On the basis of this value, certain features are enabled that affect the entire forest. Absence of this attribute on the Partitions container is interpreted as forest level 0.
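The three objects above can be read directly. The following PowerShell is an added example, not code from the original article: it reports the stored msDS-Behavior-Version value for the forest (Partitions container), the current domain (domainDNS object, with ntMixedDomain beside it) and every domain controller in the forest (NTDS Settings object), treating an absent attribute as level 0 in the same way AD DS does. It assumes the ActiveDirectory module from RSAT and an account that can read the configuration and domain partitions; the helper name Get-BehaviorVersion is this example's own.

```powershell
# Added example: inventory of stored functional levels (not code from the original article).
# Assumes the ActiveDirectory PowerShell module and read access to the configuration partition.
Import-Module ActiveDirectory

# AD DS treats a missing msDS-Behavior-Version as level 0 (Windows 2000); do the same here.
function Get-BehaviorVersion {
    param([string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties 'msDS-Behavior-Version'
    if ($null -eq $obj.'msDS-Behavior-Version') { 0 } else { [int]$obj.'msDS-Behavior-Version' }
}

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest scope: crossRefContainer at CN=Partitions,CN=Configuration,... (configuration partition).
[pscustomobject]@{
    Scope  = 'Forest'
    Object = $forest.PartitionsContainer
    Level  = Get-BehaviorVersion $forest.PartitionsContainer
    Detail = $forest.ForestMode
}

# Domain scope: domainDNS object at the root of the domain partition; ntMixedDomain lives on the same object.
$domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain
[pscustomobject]@{
    Scope  = 'Domain'
    Object = $domain.DistinguishedName
    Level  = Get-BehaviorVersion $domain.DistinguishedName
    Detail = "$($domain.DomainMode) (ntMixedDomain=$($domainObj.ntMixedDomain))"
}

# Domain controller scope: nTDSDSA (NTDS Settings) object of every DC in every domain of the forest.
# Every DC holds the configuration partition, so all of these are readable from one place.
foreach ($d in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
        [pscustomobject]@{
            Scope  = 'DC'
            Object = $dc.NTDSSettingsObjectDN
            Level  = Get-BehaviorVersion $dc.NTDSSettingsObjectDN
            Detail = "$($dc.HostName) $($dc.OperatingSystem)"
        }
    }
}
```

The DC rows are the ones that matter before any raise: the lowest Level among them is the ceiling for the domain or forest, and a row showing 0 with a Windows 2000 operating system is exactly the "attribute absent" case the text describes.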

Processes and Interactions with Active Directory Functional Levels

Functional levels protect against incompatibility. Before raising a functional level, AD DS verifies that all domain controllers are running the correct version of the operating system. After raising the functional level, AD DS no longer allows the introduction of a domain controller that is running an incompatible version of Windows Server.

Forest and domain functional levels are restrictive for domain controllers only. Clients can interact with Active Directory regardless of the domain or forest functional level that is in effect. In a domain that has a functional level of Windows Server 2008 R2, domain controllers can still authenticate computers that are running earlier versions of Windows.

Raising Domain Functional Levels

The domain functional level can be raised by using Active Directory Domains and Trusts or Active Directory Users and Computers, which are Active Directory administrative tools that are available on each domain controller. The ability to raise the domain functional level depends on the operating systems that are running on domain controllers in the environment:

  • If an environment has domain controllers running Windows NT 4.0 as well as domain controllers running Windows 2000 in the domain, Windows Server 2003–based domain controllers can be introduced, but the domain functionality is essentially that of a Windows 2000 mixed-mode domain. Domain controllers that run Windows Server 2008 or Windows Server 2008 R2 cannot be installed in a domain that has domain controllers running Windows NT 4.0.

    It is possible to raise the domain functional level directly to Windows Server 2003 from Windows 2000 mixed after all domain controllers in the domain are upgraded to Windows Server 2003.

  • After all Windows NT 4.0–based domain controllers in an environment are upgraded to either Windows 2000 or Windows Server 2003, the domain functional level can be raised to Windows 2000 native, which provides functionality that is essentially that of a Windows 2000 native-mode domain.

  • After all domain controllers in the domain are upgraded to Windows Server 2003, the domain functional level can be raised to Windows Server 2003, which provides all Windows Server 2003 domain-level features.

  • After all domain controllers in the domain are upgraded to Windows Server 2008, the domain functional level can be raised to Windows Server 2008, which provides all Windows Server 2008 domain-level features.

  • After all domain controllers in the domain are upgraded to Windows Server 2008 R2, the domain functional level can be raised to Windows Server 2008 R2, which provides all Windows Server 2008 R2 domain-level features.

Note

  • Raising the domain functional level cannot be reversed, except for specific situations in Windows Server 2008 R2. In all other cases, after the domain functional level is raised, domain controllers that are not supported at that level can no longer be introduced. For more information, see Active Directory Functional Level Dependencies and Rollback Options.

The following requirements apply to raising all domain functional levels:

  • Raising the domain functional level requires Domain Admins credentials.

  • The domain functional level can be raised on only the primary domain controller (PDC) emulator operations master. AD DS administrative tools (Active Directory Domains and Trusts and Active Directory Users and Computers) automatically target the PDC emulator when the domain functional level is raised.

Raising Forest Functional Levels

When Windows Server 2003 is installed on the first domain controller in the forest, the forest functional level is set to Windows 2000. The forest retains this level until an administrator changes it. Raising the forest level to Windows Server 2003 has the following requirements:

  • All domain controllers in the forest are running Windows Server 2003.

  • All domains in the forest have either the Windows 2000 native or the Windows Server 2003 functional level.

Therefore, if any domains are operating at the Windows 2000 mixed domain functional level, even if all domain controllers are running Windows Server 2003, AD DS does not allow the forest functional level to be raised to Windows Server 2003.

If all domain controllers in the forest are running Windows Server 2003, but some or all domains in the forest are still operating at the Windows 2000 native domain functional level, AD DS automatically raises the functional level of those domains to Windows Server 2003 when the forest functional level is raised to Windows Server 2003. The same behavior occurs when the forest functional level is raised to higher values. In other words, if you raise the forest functional level to Windows Server 2008 R2 and every domain controller in every domain is running Windows Server 2008 R2, all domains are automatically raised to the Windows Server 2008 R2 domain functional level.

Active Directory Domains and Trusts can be used to raise the forest functional level.

Note

  • Raising the forest functional level cannot be reversed, except for specific situations in Windows Server 2008 R2. In all other cases, after the forest functional level is raised, domain controllers that run earlier versions of Windows Server can no longer be introduced into the forest. For more information, see Active Directory Functional Level Dependencies and Rollback Options.

The following requirements apply to raising all forest functional levels:

  • Raising the forest functional level requires Enterprise Admins credentials.

  • The forest functional level can be raised on only the schema operations master. Active Directory Domains and Trusts automatically targets the schema operations master when the forest functional level is raised.

Enforcing Functional Levels

To ensure consistent functionality across the domain controllers in a domain or forest, AD DS checks for functional levels, as follows:

  • At domain controller creation.

  • After a directory restore.

  • At domain controller startup.

  • When raising functional levels.

The Active Directory Domain Services Installation Wizard, the application that installs AD DS when a new domain controller is created, ensures that a domain controller is not created in a domain or forest that cannot support it. The wizard verifies whether the current domain or forest functional level falls within the highest and lowest fixed values for the operating system on the new domain controller. If the values are not compatible, the AD DS installation fails. For example, if the domain has the functional level Windows Server 2003 (domain level 2), an attempt to install AD DS on a Windows 2000–based server to create an additional domain controller fails because the highest and lowest fixed value supported by Windows 2000 is 0. Similarly, if the forest has a functional level of Windows Server 2003 (forest level 2), an attempt to install AD DS to create a new domain on a Windows 2000–based server fails.

AD DS likewise prevents restoring a domain controller into a domain or forest that has an incompatible functional level.

When a domain controller starts, an additional test is performed to verify that the highest fixed value of the operating system matches the value of the msDS-Behavior-Version attribute on the NTDS Settings object of the domain controller.

Checks for Raising Domain and Forest Functional Levels

AD DS determines whether the functional level can be raised, as follows:

  • The ability to raise the domain functional level depends on the functional levels of all domain controllers in the domain. In general, the functional level of the domain can be no higher than the lowest functional level of any domain controller in the domain.

  • The ability to raise the forest functional level depends on the functional level of all domain controllers in the forest. In general, the forest level can be no higher than the lowest functional level of any domain controller in the forest.

Note

  • The ability to raise domain and forest functional levels is provided in the administrative tools Active Directory Users and Computers (raise domain functional level) and Active Directory Domains and Trusts (raise domain and forest functional levels).

Verifying the Minimum Required Functional Level of Domain Controllers

When an administrator attempts to raise the functional level of the forest or domain, AD DS checks the value of msDS-Behavior-Version on the NTDS Settings object of every domain controller within the scope (forest or domain) to determine whether that value is equal to or greater than the desired functional level. If it is not, AD DS prevents raising the functional level.

For example, if a request is received to raise the domain level to 2 (Windows Server 2003), AD DS checks that the value of msDS-Behavior-Version on the NTDS Settings object of every domain controller in the domain is 2 or higher before making the change. If all domain controllers are running Windows Server 2003, the value of msDS-Behavior-Version on the NTDS Settings object of each domain controller is 2, and thus AD DS allows raising the functional level of the domain to Windows Server 2003.

If any domain controller is running Windows 2000, the msDS-Behavior-Version attribute is missing on its NTDS Settings object, which indicates Windows 2000 and an implied value of 0, and AD DS prevents raising the domain functional level to Windows Server 2003. However, Windows NT 4.0–based domain controllers do not have an NTDS Settings object, so AD DS cannot check these computers directly for a functional level. For this reason, AD DS performs an additional check to rule out the existence of Windows NT 4.0–based domain controllers.

Ruling out Windows NT 4.0–Based Domain Controllers When Raising the Forest Level to Windows Server 2003

When a member of the Enterprise Admins group attempts to raise the forest functional level to Windows Server 2003 (level 2), AD DS checks for the absence of Windows NT 4.0–based domain controllers by checking the ntMixedDomain attribute of the domain object. The ntMixedDomain attribute identifies a Windows 2000 domain as being in mixed mode or native mode.

The ntMixedDomain attribute on the domain object indicates the status of mixed or native domain mode as follows:

  • ntMixedDomain value of 1 indicates mixed mode (Windows NT 4.0–based domain controllers can be present in the domain).

  • ntMixedDomain value of 0 indicates native mode (no Windows NT 4.0–based domain controllers can be present in the domain).

To rule out the existence of Windows NT 4.0–based domain controllers when raising the forest functional level to Windows Server 2003 (level 2), AD DS verifies that the ntMixedDomain attribute has a value of 0 for every domain in the forest.

Ruling out Windows NT 4.0 Domain Controllers When Raising the Domain Level to Windows Server 2003

Unlike the behavior when raising the forest functional level, AD DS does not check for the absence of Windows NT 4.0–based domain controllers at the time an administrator raises the domain functional level. Just as in Windows 2000, a domain administrator is responsible for ensuring that no Windows NT 4.0–based domain controllers are running in the domain before raising the domain functional level from Windows 2000 mixed to Windows 2000 native or Windows Server 2003.

Note

  • If an administrator changes the mode of a Windows 2000 domain from mixed to native mode or raises the domain functional level from Windows 2000 mixed to Windows 2000 native (or Windows Server 2003) when Windows NT 4.0–based domain controllers are present in the domain, the remaining Windows NT 4.0–based domain controllers no longer participate in the Active Directory forest. Therefore, the domain administrator must be absolutely sure that no Windows NT 4.0–based domain controllers are operating in the domain before raising the domain functional level to Windows 2000 native or Windows Server 2003.

When the domain functional level is raised to Windows Server 2003, AD DS not only raises the domain functional level to 2, but also changes the ntMixedDomain value from 1 to 0. When the domain functional level is raised to Windows 2000 native, AD DS only changes the ntMixedDomain value from 1 to 0.

Checks for Raising the Functional Level to Windows Server 2003 Interim (Level 1)

When attempting to raise the forest functional level to Windows Server 2003 interim, AD DS verifies that every domain controller in the forest is at level 1 or higher by checking the msDS-Behavior-Version attribute on its NTDS Settings object. However, it does not verify that all domains are at the Windows 2000 native functional level (that is, that the ntMixedDomain attribute of each domain object is 0).

The absence of this check allows Windows NT 4.0–based domain controllers to coexist with Windows Server 2003–based domain controllers, but it precludes future introduction of Windows 2000–based domain controllers into the domain or forest. This is because the highest and lowest functional level supported by Windows 2000 is 0 (which is less than 1), and when you attempt to install AD DS on a Windows 2000 server, the Active Directory Domain Services Installation Wizard will determine that the forest is at level 1 and it will prevent the installation.

When the forest functional level is raised to Windows Server 2003 interim, AD DS raises the forest functional level to 1. Consequently, every domain also raises its functional level (the domain functional level) to 1 (and therefore every domain is also at Windows Server 2003 interim level), but leaves the ntMixedDomain value at 1, thus allowing Windows NT 4.0-based domain controllers to coexist with Windows Server 2003–based domain controllers.
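The checks described from "Verifying the Minimum Required Functional Level of Domain Controllers" through the interim case above reduce to two rules, and it helps to see them side by side. The following PowerShell is an added example, not code from the original article: Test-LevelRaise applies the rules to a constructed inventory (the same attribute values that would be read from NTDS Settings objects and domain objects), so the behaviour can be exercised without a forest. The function and parameter names, the sample domain names and the DC data are all this example's own.

```powershell
# Added example: the raise checks AD DS performs, applied to constructed inventory data
# (not code from the original article; names and sample data are invented).
# Level numbers follow the "Internal Representation of Functional Levels" table.

function Test-LevelRaise {
    param(
        [ValidateSet('Domain','Forest')][string]$Scope,
        [ValidateRange(0,4)][int]$TargetLevel,
        # Each entry: Name, Domain, DcLevel = msDS-Behavior-Version on the NTDS Settings
        # object; $null means the attribute is absent (a Windows 2000 domain controller).
        [object[]]$DomainControllers,
        # Each entry: Name, NtMixedDomain (1 = NT 4.0 DCs may be present, 0 = native).
        [object[]]$Domains,
        [string]$DomainName    # the domain being raised; used only when Scope is Domain
    )
    $blockers = @()

    # Check 1: every DC in scope must report msDS-Behavior-Version >= target; absent = 0.
    $inScope = if ($Scope -eq 'Forest') { $DomainControllers } else { $DomainControllers | Where-Object { $_.Domain -eq $DomainName } }
    foreach ($dc in $inScope) {
        $lvl = if ($null -eq $dc.DcLevel) { 0 } else { [int]$dc.DcLevel }
        if ($lvl -lt $TargetLevel) { $blockers += "$($dc.Name): DC level $lvl is below $TargetLevel" }
    }

    # Check 2: NT 4.0 DCs have no NTDS Settings object, so AD DS rules them out through
    # ntMixedDomain = 0 on every domain object. AD DS runs this check only for a forest
    # raise to level 2 or higher; the interim level (1) and every domain-level raise skip it.
    if ($Scope -eq 'Forest' -and $TargetLevel -ge 2) {
        foreach ($d in ($Domains | Where-Object { $_.NtMixedDomain -eq 1 })) {
            $blockers += "$($d.Name): ntMixedDomain=1 (raise the domain to Windows 2000 native first)"
        }
    }

    [pscustomobject]@{
        Scope       = $Scope
        TargetLevel = $TargetLevel
        Allowed     = ($blockers.Count -eq 0)
        Blockers    = $blockers
    }
}

# Constructed sample forest (not real data): a root domain on Windows Server 2003 DCs
# and a child domain that still has a Windows 2000 DC and is still in mixed mode.
$dcs = @(
    [pscustomobject]@{ Name = 'DC1.corp.example';     Domain = 'corp.example';     DcLevel = 2 }
    [pscustomobject]@{ Name = 'DC2.corp.example';     Domain = 'corp.example';     DcLevel = 2 }
    [pscustomobject]@{ Name = 'DC1.sub.corp.example'; Domain = 'sub.corp.example'; DcLevel = $null }
)
$doms = @(
    [pscustomobject]@{ Name = 'corp.example';     NtMixedDomain = 0 }
    [pscustomobject]@{ Name = 'sub.corp.example'; NtMixedDomain = 1 }
)

# Domain raise of corp.example to Windows Server 2003 (2): allowed, both of its DCs are at 2.
Test-LevelRaise -Scope Domain -TargetLevel 2 -DomainName 'corp.example' -DomainControllers $dcs -Domains $doms
# Forest raise to 2: blocked twice, by the Windows 2000 DC (implied 0) and by sub.corp.example's ntMixedDomain=1.
Test-LevelRaise -Scope Forest -TargetLevel 2 -DomainControllers $dcs -Domains $doms
# Forest raise to interim (1): blocked only by the Windows 2000 DC; ntMixedDomain is not consulted.
Test-LevelRaise -Scope Forest -TargetLevel 1 -DomainControllers $dcs -Domains $doms
```

The third call is the one worth noting: with the Windows 2000 DC removed from $dcs it would be allowed even though sub.corp.example is still mixed mode, which is precisely how the interim level lets NT 4.0 domain controllers coexist with Windows Server 2003 ones while shutting out Windows 2000.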

There is no administrative user interface (UI) for raising the forest and domain functional levels to Windows Server 2003 interim. An LDAP application, such as ADSI Edit or Ldp in Windows Support Tools, or a script can be used instead. In either case, the value of the msDS-Behavior-Version attribute on the Partitions container should be set to 1; the domain functional levels follow as described above.
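The LDAP write just described, as an added PowerShell example that is not part of the original article. It binds to the Partitions container on the schema operations master (the only domain controller on which a forest-level change is accepted), refuses to run if the forest is already at level 1 or higher, and performs the one-way write only behind ShouldProcess, so the first run should be with -WhatIf. It assumes the ActiveDirectory module (used only to locate the schema master and enumerate domains) and Enterprise Admins credentials; the function name Set-ForestInterimLevel is this example's own. The directory itself still enforces the check that every domain controller is at level 1 or higher, so an incompatible forest fails at CommitChanges rather than silently.

```powershell
# Added example: raise the forest to Windows Server 2003 interim (level 1) with a direct
# LDAP write (not code from the original article; the function name is invented).
# Assumes the ActiveDirectory module and Enterprise Admins credentials.
Import-Module ActiveDirectory

function Set-ForestInterimLevel {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $forest = Get-ADForest
    # Forest-level changes are accepted only on the schema operations master, so bind there explicitly.
    $partitions = [ADSI]"LDAP://$($forest.SchemaMaster)/$($forest.PartitionsContainer)"

    # An absent attribute means forest level 0 (Windows 2000).
    $current = $partitions.Properties['msDS-Behavior-Version'].Value
    if ($null -eq $current) { $current = 0 }
    if ([int]$current -ge 1) {
        Write-Warning "Forest is already at level $current; interim (1) would not be a raise. Nothing changed."
        return [int]$current
    }

    if ($PSCmdlet.ShouldProcess($forest.PartitionsContainer, 'Set msDS-Behavior-Version to 1 (Windows Server 2003 interim)')) {
        try {
            $partitions.Properties['msDS-Behavior-Version'].Value = 1
            # The DSA applies the check described in the text here: every DC's NTDS Settings
            # object must be at level 1 or higher, otherwise the modify is rejected.
            $partitions.CommitChanges()
        } catch {
            throw "Raise refused by the directory: $($_.Exception.Message)"
        }
        $partitions.RefreshCache()
    }
    [int]$partitions.Properties['msDS-Behavior-Version'].Value
}

# Dry run first; drop -WhatIf to perform the write.
Set-ForestInterimLevel -WhatIf

# Verification after a real run: every domain object should now carry msDS-Behavior-Version = 1
# while ntMixedDomain stays at 1 wherever it was, which is what lets NT 4.0 DCs remain.
foreach ($d in (Get-ADForest).Domains) {
    $dn = (Get-ADDomain -Identity $d).DistinguishedName
    Get-ADObject -Identity $dn -Properties 'msDS-Behavior-Version', ntMixedDomain |
        Select-Object Name, 'msDS-Behavior-Version', ntMixedDomain
}
```

Because the raise cannot be undone, treat the -WhatIf output and the DC inventory as the gate: once the value is 1, no Windows 2000 domain controller can be promoted into the forest again.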

The following resources contain additional information that is relevant to this section: