Windows 2003 Forest Functional Level

Thought I’d post an informational post for folks who are moving an AD forest to Windows 2003 forest functional level (aka FFL2) as I realized today this piece of information might not be quite as well known as I might have thought. As an FYI, this change adds a number of attributes to the partial attribute set (aka the PAS or global catalog):




  • Ms-DS-Trust-Forest-Trust-Info


  • Trust-Direction


  • Trust-Attributes


  • Trust-Type


  • Trust-Partner


  • Security Identifier


  • Ms-DS-Entry-Time-To-Die


  • MSMQ-Secured-Source


  • MSMQ-Multicast-Address


  • Print-Memory


  • Print-Rate


  • Print-Rate-Unit


  • MS-DRM-Identity-Certificate

This is done when you upgrade the forest functional level because at this point there are no Windows 2000 domain controllers in the forest and thus a change to the PAS will not force a GC resync. Recall that in Windows 2000, modifying the PAS caused every global catalog in the forest to replicate the global catalog from scratch. In a large environment this could be a major undertaking. Windows 2003 removes this and only replicates the changes. By waiting until Windows 2003 FFL, you mitigate this issue of adding these attributes to the PAS.


This should be a nonevent really but if you’ve got any issues in the forest that might come out of the woodwork with a PAS modification then this could cause you some grief. Having made this change numerous times, I’ve only had an issue once and it was a replication block that worked itself out on its’ own.

Share this post: email it! | digg it! | bookmark it! | live it!

Leave a Reply

Your email address will not be published. Required fields are marked *