Thought I'd post an informational post for folks who are moving an AD forest to Windows 2003 forest functional level (aka FFL2) as I realized today this piece of information might not be quite as well known as I might have thought. As an FYI, this change adds a number of attributes to the partial attribute set (aka the PAS or global catalog):
- Ms-DS-Trust-Forest-Trust-Info
- Trust-Direction
- Trust-Attributes
- Trust-Type
- Trust-Partner
- Security Identifier
- Ms-DS-Entry-Time-To-Die
- MSMQ-Secured-Source
- MSMQ-Multicast-Address
- Print-Memory
- Print-Rate
- Print-Rate-Unit
- MS-DRM-Identity-Certificate
This is done when you upgrade the forest functional level because at this point there are no Windows 2000 domain controllers in the forest and thus a change to the PAS will not force a GC resync. Recall that in Windows 2000, modifying the PAS caused every global catalog in the forest to replicate the global catalog from scratch. In a large environment this could be a major undertaking. Windows 2003 removes this and only replicates the changes. By waiting until Windows 2003 FFL, you mitigate this issue of adding these attributes to the PAS.
This should be a nonevent really but if you've got any issues in the forest that might come out of the woodwork with a PAS modification then this could cause you some grief. Having made this change numerous times, I've only had an issue once and it was a replication block that worked itself out on its' own.
Windows 2000 Server domain controllers configured as Global Catalog servers will perform a full synchronization of the entire Global Catalog database after a schema update that adds to the Partial Attribute Set (PAS). During the full synchronization the global catalog service will be available, however, the global catalog service (and network) will be degraded due to the load of the full synchronization.
Sync, as in comparsion of what it has versus what it should have. It's not full replication of the entire GC. Either way, it is a lot of traffic on the network.