Join Server 2008 to Server 2000 Domain

  • Question

  • Hi,
     
    We are purchasing a new server that will be used as a management server to help centralize several utility functions and to act as a communication server with a 3rd party using VPN (this will be a VPN client machine). 

    We currently run Server 2000 and have two servers, one a 2000 domain controller running Exchange 2000, SQL Server 2000, DNS, DHCP, IIS, etc. 

    Can I run Server 2008 on the management server and then join the management server to our Server 2000 domain? Just because I can doesn't always mean I should. Assuming it can be done, are there any significant security or functional issues that I should be aware of? Is there any reason to implement Server 2003 rather than 2008 on the management server?

    There are no plans to upgrade the 2000 domain server to a newer version of Windows Server. I don't know if it matters, but all workstations that are part of the domain are either Windows 2000 or Windows XP.

    Thanks for the help.
    Tuesday, June 24, 2008 1:50 AM

Answers

  • Yes, you can run 2008 and join it to your domain. If you're not planning on upgrading your DC, there are few additional functional features available. Here's a table from http://technet2.microsoft.com/windowsserver2008/en/library/34678199-98f1-465f-9156-c600f723b31f1033.mspx?mfr=true showing the differences:

    Features enabled at domain functional levels

    The following table shows which features are enabled at each domain functional level. It also shows the operating systems for domain controllers that are supported at each functional level.

    Domain functional level: Windows 2000 native
    Enabled features: All default Active Directory features and the following features:
      • Universal groups are enabled for both distribution groups and security groups.
      • Group nesting.
      • Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
      • Security identifier (SID) history.
    Supported domain controller operating systems: Windows 2000, Windows Server 2003, Windows Server 2008

    Domain functional level: Windows Server 2003
    Enabled features: All default Active Directory features, all features from the Windows 2000 native domain functional level, and the following features:
      • The availability of the domain management tool, netdom.exe, to prepare for domain controller rename.
      • Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
      • The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
      • The ability to redirect Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the definition of a new well-known location for these accounts.
      • Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
      • Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
      • Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
    Supported domain controller operating systems: Windows Server 2003, Windows Server 2008

    Domain functional level: Windows Server 2008
    Enabled features: All default Active Directory features, all features from the Windows Server 2003 domain functional level, and the following features:
      • Distributed File System Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
      • Advanced Encryption Services (AES 128 and 256) support for the Kerberos protocol.
      • Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
      • Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.
    Supported domain controller operating systems: Windows Server 2008

    Features enabled at forest functional levels

    The following table shows which features are enabled at each forest functional level. It also shows the operating systems for domain controllers that are supported at each functional level.

    Forest functional level: Windows 2000
    Enabled features: All default Active Directory features.
    Supported domain controllers: Windows 2000, Windows Server 2003, Windows Server 2008

    Forest functional level: Windows Server 2003
    Enabled features: All default Active Directory features, and the following features:
      • Forest trust.
      • Domain rename.
      • Linked-value replication (changes in group membership to store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
      • The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
      • Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG at the Windows 2000 forest functional level.
      • An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
      • The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
      • The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
      • The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
      • Deactivation and redefinition of attributes and classes in the schema.
    Supported domain controllers: Windows Server 2003, Windows Server 2008

    Forest functional level: Windows Server 2008
    Enabled features: This functional level provides all the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default.
    Supported domain controllers: Windows Server 2008



    Technet Forums Moderator | Solution Specialist | Ask The Experts IT-forum
    Tuesday, June 24, 2008 7:05 AM
    Moderator
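The answer above says the join works but that the Windows 2000 functional level leaves most of the newer features, including AES for Kerberos, unavailable. The script below is an added example written for this page, not code from the thread or from Microsoft: run from the new Server 2008 machine before it is joined, it reads the domain and forest functional levels straight from the directory (the msDS-Behavior-Version attribute, which a Windows 2000 schema does not even have, so a missing value means level 0), reports whether the host will get AES Kerberos keys, checks DC location and clock skew (the two things that most often break a join), and then performs the join with netdom into a specific OU. The domain name corp.example, the join account CORP\joinadmin and the OU OU=Servers,DC=corp,DC=example are assumptions, not names from the thread; everything it calls (ADSI/.NET, nltest, w32tm, netdom) ships with Server 2008 without the AD module.

```powershell
# Added example, not part of the forum thread: pre-join checks and the join itself for a
# Windows Server 2008 host entering an existing Windows 2000 domain. Run from an elevated
# PowerShell prompt on the new server while it is still in a workgroup.
# Assumed names (not from the thread): domain corp.example, delegated join account
# CORP\joinadmin, target OU OU=Servers,DC=corp,DC=example.

$Domain   = 'corp.example'                    # assumed DNS name of the domain
$JoinOU   = 'OU=Servers,DC=corp,DC=example'   # assumed OU for the new computer object
$JoinAcct = 'CORP\joinadmin'                  # assumed account delegated to join machines

# msDS-Behavior-Version values as documented for Server 2008. The attribute arrived with the
# Windows Server 2003 schema, so a pure Windows 2000 domain has no value at all; treat that as 0.
$LevelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'
                 2 = 'Windows Server 2003'; 3 = 'Windows Server 2008' }

function Get-FunctionalLevels {
    param([string]$DomainDns, [System.Management.Automation.PSCredential]$Credential)
    $dn   = 'DC=' + (($DomainDns -split '\.') -join ',DC=')
    $user = $Credential.UserName
    $pass = $Credential.GetNetworkCredential().Password
    # Authenticated binds: a workgroup machine has no implicit domain credentials, and anonymous
    # LDAP reads are nothing to rely on. The DC is located through the domain's _ldap._tcp SRV
    # records, so the new server must already use the domain's DNS (the DC in the thread runs it).
    $domainNC   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns/$dn", $user, $pass)
    $partitions = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns/CN=Partitions,CN=Configuration,$dn", $user, $pass)

    $dfl   = [int]$domainNC.Properties['msDS-Behavior-Version'].Value     # $null -> 0
    $ffl   = [int]$partitions.Properties['msDS-Behavior-Version'].Value   # $null -> 0
    $mixed = [int]$domainNC.Properties['ntMixedDomain'].Value             # 1 = mixed, 0 = native

    $dflName = $LevelNames[$dfl]
    if ($dfl -eq 0) {
        if ($mixed -eq 1) { $dflName = 'Windows 2000 mixed' } else { $dflName = 'Windows 2000 native' }
    }
    @{ DomainLevel = $dflName; ForestLevel = $LevelNames[$ffl]
       KerberosAes = ($dfl -ge 3) }   # AES Kerberos keys only from the Server 2008 domain level
}

function Test-JoinPrerequisites {
    param([string]$DomainDns)
    # 1. DC locator: if the SRV records do not resolve, the join fails or lands on a wrong DC.
    $locator = nltest "/dsgetdc:$DomainDns" /force
    if ($LASTEXITCODE -ne 0) { throw "No domain controller found for $DomainDns; fix DNS first." }
    $dcName = ($locator | Select-String 'DC:\s*\\\\(\S+)' | Select-Object -First 1).Matches[0].Groups[1].Value
    # 2. Clock skew: Kerberos rejects requests more than 5 minutes off the KDC by default policy.
    $sample = w32tm /stripchart "/computer:$dcName" /samples:1 /dataonly |
              Select-String ',\s*([+-][\d.]+)s' | Select-Object -Last 1
    $skew = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    if ($skew -gt 300) { throw "Clock is $skew s off $dcName; fix time sync before joining." }
    "Located DC $dcName, clock skew $skew s"
}

function Join-ManagementServer {
    param([string]$DomainDns, [string]$OU, [string]$Account)
    # /passwordd:* makes netdom prompt, so the password never sits on the command line or in
    # the process list. Creating the computer object directly in the target OU, instead of the
    # default cn=Computers container, means the server's own GPOs apply from its first domain boot.
    netdom join $env:COMPUTERNAME "/domain:$DomainDns" "/ou:$OU" "/userd:$Account" /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom join failed with exit code $LASTEXITCODE" }
}

$cred   = Get-Credential $JoinAcct
$levels = Get-FunctionalLevels -DomainDns $Domain -Credential $cred
"Domain functional level: $($levels.DomainLevel); forest functional level: $($levels.ForestLevel)"
if (-not $levels.KerberosAes) {
    "Note: below the Windows Server 2008 domain level this host's Kerberos keys and tickets use RC4/DES, not AES."
}
Test-JoinPrerequisites -DomainDns $Domain
Join-ManagementServer -DomainDns $Domain -OU $JoinOU -Account $JoinAcct
shutdown /r /t 30 /c "Reboot to complete domain join"
```

In the thread's environment the script will report "Windows 2000 native" (or "mixed") for the domain, "Windows 2000" for the forest and print the AES note; that is the concrete form of the answer's point that joining is fine but the 2008 box inherits the domain's 2000-era Kerberos crypto and policy model. The password is requested twice (once by Get-Credential for the LDAP reads, once by netdom) on purpose, to keep it out of the netdom command line.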

All replies

  • Thank you for the info, the link and, just as importantly, the clarification. The fact this is true should make admin much simpler.

    I appreciate your time.
    Wednesday, June 25, 2008 4:22 AM