Recipe 2.13 Raising the Functional Level of a Windows Server 2003 Domain

2.13.1 Problem

You want to raise the functional level of a Windows Server 2003 domain. You should raise the functional level of a domain as soon as possible after installing a new Windows Server 2003 domain or upgrading from Windows 2000 to take advantage of the new features and enhancements.

2.13.2 Solution Using a graphical user interface
  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, browse to the domain you want to raise, right-click it, and select Raise Domain Functional Level.

  3. Select the new functional level and click OK.

After a few seconds you should see a message stating whether the operation was successful. Using a command-line interface

To retrieve the current functional level, use the following command:

> dsquery * <DomainDN> -scope base -attr msDS-Behavior-Version

Or you can use the enumprop command found in the Windows 2000 Resource Kit.

> enumprop /ATTR:msDS-Behavior-Version "LDAP://<DomainDN>"

To change the functional level to Windows Server 2003, create an LDIF file called raise_domain_func_level.ldf with the following contents:

dn: <DomainDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2

Next, run the ldifde command to import the change.

> ldifde -i -f raise_domain_func_level.ldf Using VBScript
' This code changes the functional level of the specified domain to 
' the Windows Server 2003 domain functional level
strDomain = "<DomainDNSName>"   ' e.g.
' ------ END CONFIGURATION ---------

set objDomain = GetObject("LDAP://" & strDomain)
if objDomain.Get("msDS-Behavior-Version") <> 2 then
   Wscript.Echo "Changing domain to Windows Server 2003 functional level . . . "
   objDomain.Put "msDS-Behavior-Version", 2
   Wscript.Echo "Domain already at Windows Server 2003 functional level "
end if

2.13.3 Discussion

In Windows Server 2003 Active Directory, functional levels have replaced the domain mode that was used in Windows 2000 to signify what operating systems are allowed to run on the domain controllers in the domain. With Windows Server 2003, there are functional levels for both domains and forests; whereas with Windows 2000, the domain mode only applied to domains. The msDS-Behavior-Version attribute of the domainDNS object (e.g., dc=amer,dc=rallencorp,dc=com) holds the current domain functional level. Table 2-4 shows the three functional levels, their associated msDS-Behavior-Version value, and the operating systems that can be used on domain controllers in each.

Table 2-4. Windows Server 2003 domain functional levels

Functional level


Valid operating systems

Windows 2000


Windows 2000Windows NT (when in mixed mode)Windows Server 2003

Windows Server 2003 Interim


Windows NT 4.0Windows Server 2003

Windows Server 2003


Windows Server 2003

When a domain is at the Windows 2000 functional level, the domain can be in mixed mode or native mode, as described in Recipe 2.9. Various new features of Windows Server 2003 Active Directory are enabled with each domain functional level. See Chapter 1 of Active Directory, Second Edition (O'Reilly) for more details.

The value contained in msDS-Behavior-Version is mirrored in the domainFunctionality attribute of the RootDSE. That means you can perform anonymous queries against the RootDSE of a domain to quickly determine what functional level it is currently at.

One of the benefits of the GUI solution is that if a problem is encountered, you can save and view the output log, which will contain information on any errors that were encountered.

2.13.4 See Also

Chapter 1 of Active Directory, Second Edition, Recipe 2.9 for changing domain mode, Recipe 2.10 for preparing a forest with adprep, Recipe 2.14 for raising the functional level of a forest, and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003)

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List