Re: Any reason not to change domain to W2k3 Functional Level?
- From: Baboon <baboon@xxxxxxxxxxxxxx>
- Date: Sun, 16 Mar 2008 10:08:00 -0700
Thanks all for the quick replies.
I understand the golden rule of leaving things alone if possible, and I
subscribe to it, but I do have at least one reason to go to Windows 2003
native level.
I should have explained what I meant by problems....
I don't see things failing, but rather some mismanagement.
For example, security:
A common account for adding computers to the domain, whose creds are known
by many, including many who no longer work for the organization.
Over 50 users in the Account Operators group (including the aforementioned
common account).
A WSUS Server that over 3000 computers are pointing to, yet is not being
managed (months worth of unapproved updates).
Operations:
Every day, someone moves new computers from the Computers folder to an OU
that was created for new computers to go to until someone can figure out
which permanent OUs to put them in.
Pursuing that last point is where I decided to check the domain functional
level. We could easily use redircmp.exe to change the default location of
newly added computers, but this only works in W2K3 Native mode.
That is just one piece of the changes I am proposing, but it would help.
The most important thing is to get rid of the common account that is being
used, remove most of the users that are in Account Operators, delegate adding
computers to the "catch all" OU (and the Computers folder if necessary), and
give full control of the computer objects in the container(s). There would
be a group containing all users who need to add and move computers to which
permissions would be delegated. Beyond that, delegate permissions to OUs
that are managed by 1 or 2 people, who would also be included in the larger
group mentioned above. Those people would then be able to move computers out
of the main container into their own OUs only. Fortunately, we already have
several OUs set up that way. The only reason the OU admins can move
computers from other OUs is because they are also Account Operators. That
can be changed, with the small amount of work I mentioned above.
So redirecting the default container for computers would simplify things,
thus the need to go into W2K3 Native mode. I have raised the functional
level of domains countless times in test environments going back to Windows
2000 and never had a problem. It's also very quick. Being that this is a
large production environment, I need to proceed with caution, even though I
would not be the one making the decision, so I wanted confirmation from
others with experience.
Cheers!
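A pre-flight audit for the cleanup described above, added here as an example and not taken from the thread. It assumes the ActiveDirectory PowerShell module on a domain-joined admin workstation; the target OU distinguished name, the shared join account name and the redircmp step are placeholders to adjust.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# $NewComputersOU and $SharedJoinAccount are placeholders for this environment.
Import-Module ActiveDirectory

$NewComputersOU    = 'OU=New Computers,DC=example,DC=com'   # assumed "catch all" OU
$SharedJoinAccount = 'joindomain'                           # assumed shared join account

$domain = Get-ADDomain

# 1. redircmp.exe needs the Windows Server 2003 domain functional level or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
$modeOk  = [int]$domain.DomainMode -ge [int]$minMode
"Domain functional level   : $($domain.DomainMode) (redircmp supported: $modeOk)"

# 2. Where do newly joined computers land today? Only print the redirect command.
"Default computer container: $($domain.ComputersContainer)"
if ($modeOk -and $domain.ComputersContainer -ne $NewComputersOU) {
    "To redirect once delegation is in place, run on a DC:"
    "  redircmp.exe `"$NewComputersOU`""
}

# 3. Account Operators can create and move computer objects in any OU; list who holds it.
$accOps = @(Get-ADGroupMember -Identity 'Account Operators' -Recursive)
"Account Operators members : $($accOps.Count)"
$accOps | Sort-Object objectClass, SamAccountName |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize

if ($accOps.SamAccountName -contains $SharedJoinAccount) {
    "WARNING: shared join account '$SharedJoinAccount' is an Account Operator; remove and disable it."
}

# 4. Who is already delegated create-computer rights on the target OU? This is the
#    baseline to compare against the single delegated group that should replace it.
$acl          = Get-Acl -Path "AD:\$NewComputersOU"
$computerGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'computer'
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and
                   ($_.ObjectType -eq $computerGuid -or $_.ObjectType -eq [guid]::Empty) } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

The script only reads; the redircmp command is printed for review rather than executed, so it can be run against production before any change is approved.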
"Paul Weterings" wrote:
Raising the Forest functional level to 2003 from 2000 native would most
likely have very little impact in the situation you describe.
Do ask yourself the following though: are there reasons for you to
change to 2003? As I'm sure you are aware, the golden rule in IT is:
if it works... don't touch it! (the wording may be a bit different in
some IT departments).
Here's a nice overview of what the benefits could be:
http://support.microsoft.com/kb/322692
regards,
Paul
Baboon wrote:
I work for a fairly large single site organization where the person who was
responsible for AD has left and hasn't been replaced yet. I believe I know
more than anyone else in the organization about AD but I don't work for
Central IT.
I have found problems in the past but felt I couldn't do much about them, so
now may be a good opportunity. I noticed today that the Domain Functional
Level is at Windows 2000 Native even though all 4 domain controllers are
Windows 2003. For that reason, I see no purpose in avoiding the change to
W2K3 Functional Level.
When all DCs in the domain are running W2K3 are there any other possible
reasons to stay at W2K Native?
Also, since we only have one domain in the forest, I am assuming that
changing the Forest Functional Level would have no effect. Is this correct,
or is there a reason to change the forest level as well in a single domain
forest?
Thanks.