In-Depth

Understanding Mixed and Native Domain Functional Levels

Understanding the three domain functional levels of Windows Active Directory is key to taking advantage of its advanced features

Once you have Windows Active Directory, you must choose a domain functional level. The functional level controls which features of Active Directory are available. If you've been running in the functional level that limits Active Directory features, you might not know what you're missing. On the other hand, you might be wondering why other domains you see have more features and capabilities than yours.

First, let's define the functional levels:

  • Mixed domain: A Windows 2000 or 2003 domain that has the ability to have Windows NT 4.0 domain controllers.

  • Interim domain: Same as a Windows 2000 mixed domain but no Windows 2000 domain controllers can be added to the domain.

  • Native domain: A Windows 2000 domain native does not have the ability to run Windows NT 4.0 domain controllers. A Windows Server 2003 native domain cannot include Windows NT 4.0 or Windows 2000 domain controllers.

These definitions most likely differ from those you have seen before. That's because they don't mention client computers. In fact, the domain functional level has nothing to do with the client or server operating system version. This means that all three domain functional levels can have Windows 95, 98, and NT Workstation clients. In addition, Windows NT 4.0 Servers can exist in any of the domain functional levels. This means that the domain functional level is solely dependent upon the domain controller operating system version.

Default Domain Functional Levels

When you install Active Directory (2000 or 2003) for the first time, the default domain functional level is mixed . This provides the most flexibility and backwards compatibility. If you are in this situation, you only have one option for moving the domain functional level: native. (The only way to configure an interim functional level is to upgrade from Windows NT 4.0 to Windows Server 2003, during which you'll be asked to pick the functional level you want.)

The move to native functional level is a simple one in terms of configuring the domain to move to this level. Before proceeding, verify which functional level you are working in:

  1. Open Active Directory Users and Computers.

  2. Right-click on the domain node and select Properties.

The result is a dialog box that shows you the domain functional level, as shown in Figure 1.


Figure 1. Domain functional level is displayed in the domain
properties from Active Directory Users and Computers

Moving to a higher domain functional level is just a couple of clicks away. To move the level up:

  1. Open Active Directory Users and Computers.

  2. Right-click on the domain node and select Raise Domain Functional Level.

The result is a dialog box that shows you the options that you can select for the new domain functional level, as shown in Figure 2.


Figure 2. You can raise the domain functional level from mixed
to Windows 2000 native or Windows Server 2003 (native)

Mixing Domain Functional Levels in the Forest

The domain functional level is unique for each domain. This means that a single Active Directory forest can have a mixture of domain functional levels. For example, if the first domain that creates the forest is a mixed functional level domain, the child domains of this domain can be at either a mixed or native functional level.

This is possible because the domains don’t share anything that would break the forest if there was a mixed and native functional level domain working together.

Active Directory Database Size Limitations

One of the main reasons that you might want to move to one of the native functional levels is that the Active Directory database is not limited to the old Windows NT 4.0 size limitations. Windows NT 4.0's initial database size limitation was 40MB. This could have been expanded, but the upper limit was about 200MB. With a large domain, you can use up 40MB very quickly with user, group, and computer accounts. Group Policy objects, organizational units, and other Active Directory objects also play a factor in the size of the database. Therefore, you may need to move to a native-level domain to accommodate all objects.

Once you have a native-level domain, the Active Directory database can expand to over one million objects, which can be expanded further with help from Microsoft.

Group Limitations

At mixed- or interim-domain levels, the groups that you have to work with are limited. Since the Windows NT 4.0 domain controllers are included in the domain, the groups must adhere to the rules that Windows NT 4.0 domain controllers know, including:

  • Universal groups: These groups can only be configured as Distribution groups, not as security groups. This means that you can’t add universal groups to an access control list (ACL) of a resource.

  • Domain Local groups: These groups are only visible to the domain controllers.

Also, groups must follow group nesting rules from Windows NT 4.0: global groups can only have users as members, while domain local groups can contain users and global groups.

As soon as you move to a native functional level, these rules change. This means that universal groups can be security groups, and that domain local groups can be seen by all computers that have joined the domain. Finally, groups can have “like group nesting.” For example, domain local groups can contain other domain local groups.

Remote Access Permissions

When a domain is still in a mixed or interim functional level, users ability to connect to a remote access server is controlled by the user properties in Active Directory. You can see this from the interface which allows you to configure Allow or Deny permissions, as shown in Figure 3.


Figure 3. A mixed or interim level domain only provides
remote access permissions for Allow and Deny

When the domain is moved to native functional level, remote access is shifted from the user properties in Active Directory to the Remote Access Policies stored in the Remote Access Service configuration. The Remote Access Policies control access through conditions and a profile, as you can see in Figure 4.


Figure 4. Remote Access Policies control access in a
native functional level domain

Summary

When you install your Active Directory domain, you already have a domain functional level selected for you. From there, you can either keep the domain at that level, or increase the level to gain additional features. If you want to increase the size of the Active Directory database to support all of the users, groups, computers, group policy objects, etc, you will need to move to native functional level. Also, control of groups and remote access permissions differs greatly from the different domain levels.

Before you make your move, be sure to research and test what it will do to your environment, since the move is one directional. There's no easy "undo" feature.

About the Author

Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., as well as an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of the The Group Policy Resource Kit by MSPress, which is the defacto book on the subject.

Must Read Articles