Lesson 1: Configuring domains and forests

As an experienced administrator, you are probably well acquainted with building single-domain Active Directory forests. In this lesson, you find out more about multidomain and multiforest environments. You learn how to upgrade an existing domain and forest so that it uses only Windows Server 2012 domain controllers, and you learn how to configure UPN suffixes.

After this lesson, you will be able to

Understand multidomain Active Directory environments

Understand multiforest Active Directory environments

Upgrade existing domains and forests

Configure multiple user principal name (UPN) suffixes

Estimated lesson time: 45 minutes

Multidomain Active Directory environments

The majority of current Active Directory deployments in small and medium-sized enterprises have a single domain. This hasn't always been the case, because earlier versions of the Windows Server operating system, such as Windows NT 4.0, supported far fewer user accounts. Supporting a smaller number of accounts often necessitated the use of multiple domains, and it wasn't unusual to see medium-sized organizations that used complex domain structures.

Each Windows Server 2012 domain controller can create around 2.15 billion objects during its lifetime, and each domain supports the creation of up to around 2.15 billion relative identifiers (RIDs). Given these figures, few administrators implement multidomain forests because they need to support a large number of users. Of course, in very large organizations the replication load between sites can make a domain with several hundred thousand user accounts problematic, but site and replication considerations are covered in Chapter 2.

There are several reasons why organizations implement multidomain forests. These include, but are not limited to, the following:

Historical domain structure. Even though newer versions of the Windows Server operating system handle large numbers of objects more efficiently, some organizations have retained the forest structure that was created when the organization first adopted Active Directory.

Organizational or political reasons. Some organizations are conglomerates, and they might be composed of separate companies that share a common administrative and management core. An example of this is a university faculty in Europe or Australia, such as a Faculty of Science, that consists of different departments or schools, such as the School of Physics and the Department of Botany. For political or organizational reasons, it might have been decided that each department or school should have its own domain that is part of the overall faculty forest. Active Directory gives organizations the ability to create domain namespaces that meet their needs, even if those needs might not map directly to the most efficient way of accomplishing a goal from a strictly technical perspective.

Security reasons. Domains enable you to create administrative boundaries so that you can have one set of administrators who are able to manage computers and users in their own domain but who are not able to manage computers and users in a different domain. Although it's possible to achieve a similar goal by delegating privileges, many organizations prefer to use separate domains to achieve this goal. Keep in mind, however, that the forest, not the domain, is the true security boundary: members of the Enterprise Admins group, and anyone who gains control of a domain controller or of the forest root domain, can obtain control over every domain in the forest.

Real World: Politics Trumps Technology

It is very important to recognize that geeks often see technology as something completely separate from politics, with the most efficient technical solution being the best, but everyone else doesn't necessarily share this perception. When I worked as a systems administrator at an Australian university, there was a shared room in one building that hosted two different printers used by different departments, even though the departments were part of the same faculty. People in each department felt strongly that the printer should be labeled with a departmental identifier on the network and that users from one department should, under no circumstances, be able to print to the printer owned by the other department. Although the machinations of interdepartmental politics are usually of little interest to the geeks in the information technology (IT) department, administrators who disregard unclearly defined boundaries do so at their own peril.

A domain tree is a set of names that share a common root domain name. For example, contoso.com can have pacific.contoso.com and atlantic.contoso.com as child domains, and these domains can have child domains themselves. A forest can have multiple domain trees. When you create a new tree in a forest, the root of the new tree does not share the DNS namespace of the forest root domain, but it is still part of the same forest and is linked to the forest root domain by an automatic two-way transitive tree-root trust. In Figure 1-1, adatum.com is the root of a new domain tree in the contoso.com forest.


Figure 1-1 Contoso.com as the root domain in a two-tree forest

The depth of a domain tree is limited by the maximum fully qualified domain name (FQDN) length for a host of 64 characters. This means that the host name and the domain name combined cannot exceed 64 characters, including the periods that separate each component of the name. For example, the name 3rd-floor-printer could not be used in the melbourne.victoria.australia.pacific.contoso.com domain, because the resulting FQDN, 3rd-floor-printer.melbourne.victoria.australia.pacific.contoso.com, is 66 characters long and exceeds the 64-character limit.

Intra-forest authentication

All domains within the same forest automatically trust one another. This means that in the environment shown in Figure 1-1, you can assign a user in the australia.pacific.contoso.com domain permissions to a resource in the arctic.adatum.com domain without performing any extra configuration.

Because of these built-in automatic trust relationships, a single-forest implementation is not suitable for separate organizations, even when they are in partnership with one another. A single forest makes it possible for one or more users to have administrative control over the whole forest. Most organizations aren't comfortable even with trusted partners having administrative control over their IT environments. When you do need to allow users from partner organizations to have access to resources, you can configure trust relationships or federation. You read more about trust relationships in Lesson 2 of this chapter and more about federation in Chapter 10.

Domain functional levels

Domain functional levels determine the Active Directory functionality and features that are available. The higher the domain functional level, the more functionality and features are available. You can use Windows Server 2012 domain controllers with the following domain functional levels:

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

The limiting factor on a domain functional level is the domain controllers used to host Active Directory. If your organization has Windows Server 2003 domain controllers, you aren't able to raise the functional level until you replace or upgrade those domain controllers to a more recent version of the Windows Server operating system.

You can change the domain functional level using the Active Directory Users and Computers console, the Active Directory Domains and Trusts console as shown in Figure 1-2, or the Set-ADDomainMode Windows PowerShell cmdlet. Your account needs to be a member of the Domain Admins or Enterprise Admins group to perform this operation.

Windows Server 2003 functional level

The Windows Server 2003 domain functional level is the lowest level at which you can introduce domain controllers running the Windows Server 2012 operating system. You can set this functional level if you have domain controllers running the Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 operating systems. The Windows Server 2003 domain functional level includes the following features, which are also available at higher domain functional levels:

The lastLogonTimestamp attribute records a user's last domain logon. Unlike lastLogon, it is replicated to all domain controllers, although to limit replication traffic it is only updated when the stored value is more than about 14 days old, so it is suited to finding stale accounts rather than to precise auditing.

Constrained delegation allows a service to delegate a user's Kerberos credentials only to the specific services listed in its msDS-AllowedToDelegateTo attribute, rather than to any service as with unconstrained delegation.

Selective authentication allows you to configure a forest or external trust so that users from the trusted forest can authenticate only to the specific computers on which they have been granted the Allowed to Authenticate permission. The default, forest-wide authentication, allows all users in the trusted forest to authenticate to any computer before permissions to resources are checked.

Support for storing DNS zones in custom application directory partitions enables you to selectively replicate DNS zones to the specific domain controllers that are enrolled in those partitions, rather than requiring that you replicate to all domain controllers in the domain or the forest.

Linked-value replication for group membership and other multivalued linked attributes. Rather than replicating the whole attribute (for example, the full membership list of a group) when a single value changes, only the changed value is replicated.

Windows Server 2008 functional level

The Windows Server 2008 domain functional level requires that all domain controllers be running the Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 operating systems. The Windows Server 2008 domain functional level includes all the features available at the Windows Server 2003 functional level and the following:

Distributed File System (DFS) Replication for the SYSVOL share, which replicates Group Policy and logon script content more efficiently than File Replication Service (FRS)

Support for fine-grained password policies, which allows you to apply multiple different password and account lockout policies within the same domain

Support for Personal Virtual Desktops through RemoteApp and Remote Desktop when used with Hyper-V

Kerberos support for AES (Advanced Encryption Standard) 128-bit and 256-bit encryption

Windows Server 2008 R2 functional level

The Windows Server 2008 R2 domain functional level requires that all domain controllers are running the Windows Server 2008 R2 or Windows Server 2012 operating systems. This functional level supports the features of the Windows Server 2003 and Windows Server 2008 domain functional levels as well as:

Managed service account support, which lets Active Directory manage service account passwords automatically rather than requiring you to manage them manually

Support for Active Directory Recycle Bin, managed from the command line (Windows PowerShell), if the forest functional level is raised to Windows Server 2008 R2

Windows Server 2012 functional level

The Windows Server 2012 domain functional level requires that all domain controllers be running the Windows Server 2012 operating system. This functional level supports the features of all the lower functional levels as well as:

Group managed service accounts, which allow a single managed service account to be used by services running on multiple computers, such as a load-balanced farm, with Active Directory managing the password.

Management of fine-grained password policies through Active Directory Administrative Center rather than by editing them with ADSI Edit.

A graphical interface for Active Directory Recycle Bin in Active Directory Administrative Center rather than only command-line utilities. The Recycle Bin itself requires that the forest functional level be at least Windows Server 2008 R2.

If the Key Distribution Center (KDC) support for claims, compound authentication, and Kerberos armoring Group Policy setting is configured as Always provide claims or Fail unarmored authentication requests, those options aren't available unless the domain functional level is raised to Windows Server 2012.

Forest functional levels

A forest can host domains running at different domain functional levels. The forest functional level is dependent on the minimum domain functional level of any domain in your forest. For example, if your organization has one domain running at the Windows Server 2008 functional level and all other domains running at the Windows Server 2012 functional level, you can't raise the forest functional level beyond Windows Server 2008. After you raise that one domain from the Windows Server 2008 functional level to the Windows Server 2012 domain functional level, you are also able to raise the forest functional level to Windows Server 2012.

More Info: Functional Levels

To learn more about functional levels, consult the following link: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx.

You can raise the forest functional level using the Active Directory Domains and Trusts console, as shown in Figure 1-3, or by using the Set-ADForestMode Windows PowerShell cmdlet. You must use a user account that is a member of the Enterprise Admins group to perform this task. In general, you can't lower the forest functional level after you've raised it. The exception to this rule is that you can lower the forest functional level from Windows Server 2012 to Windows Server 2008 R2 if you haven't enabled Active Directory Recycle Bin.

Active Directory Recycle Bin becomes available at the Windows Server 2008 R2 forest functional level. The graphical Recycle Bin interface is part of the Windows Server 2012 version of Active Directory Administrative Center; earlier tools expose the Recycle Bin only through Windows PowerShell. Raising the forest functional level to Windows Server 2012 does not introduce other features, but it limits the forest to using only domain controllers running Windows Server 2012 or more recent versions of the Windows Server operating system, and any domain added to the forest afterwards operates at the Windows Server 2012 domain functional level.
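Before raising a level it pays to confirm, domain by domain, that no older domain controller remains and that the Recycle Bin state still allows a rollback. The following Windows PowerShell script is an added example and is not part of the original lesson; it covers both the domain-level raise with Set-ADDomainMode, described under Domain functional levels above, and the forest-level raise with Set-ADForestMode. It assumes a forest root named contoso.com, an account that is a member of Enterprise Admins (which also satisfies the Domain Admins requirement for each domain), and the ActiveDirectory module (RSAT-AD-PowerShell) installed on the computer where it runs.

```powershell
# Added example, not from the original lesson. Assumes the forest root is
# contoso.com, the caller is a member of Enterprise Admins, and the
# ActiveDirectory module is available.
Import-Module ActiveDirectory

$forestName = 'contoso.com'
$forest     = Get-ADForest -Identity $forestName

# 1. Inventory every domain controller in the forest with its OS version.
#    OperatingSystemVersion looks like "6.2 (9200)"; 6.2 is Windows Server 2012.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
        [pscustomobject]@{
            HostName        = $_.HostName
            Domain          = $_.Domain
            OperatingSystem = $_.OperatingSystem
            Version         = [version](($_.OperatingSystemVersion -split ' ')[0])
        }
    }
}
$dcs | Sort-Object Domain, HostName | Format-Table -AutoSize

# 2. Current domain modes and forest mode. The forest level can never be
#    raised above the lowest domain level in the forest.
foreach ($domain in $forest.Domains) {
    $d = Get-ADDomain -Identity $domain
    '{0,-30} DomainMode = {1}' -f $d.DNSRoot, $d.DomainMode
}
'Forest mode: {0}' -f $forest.ForestMode

# 3. Recycle Bin state. Once EnabledScopes is populated, the forest level
#    cannot be rolled back from Windows Server 2012 to 2008 R2.
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"' |
    Select-Object Name, EnabledScopes

# 4. Refuse to continue while any DC is older than Windows Server 2012.
$legacy = $dcs | Where-Object { $_.Version -lt [version]'6.2' }
if ($legacy) {
    Write-Warning 'Demote or upgrade these domain controllers first:'
    $legacy | Format-Table HostName, Domain, OperatingSystem -AutoSize
    return
}

# 5. Raise every domain, then the forest. -Confirm:$false suppresses the
#    prompt; the raise is one-way apart from the exception described above.
foreach ($domain in $forest.Domains) {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false
}
Set-ADForestMode -Identity $forestName -ForestMode Windows2012Forest -Confirm:$false

# 6. Verify the result.
(Get-ADForest -Identity $forestName).ForestMode
```

Step 4 is the check that the consoles perform implicitly: the raise fails if an older domain controller still exists, but a script should find that out before it starts changing modes. Step 3 matters because the rollback exception in the text disappears as soon as the Recycle Bin is enabled.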

Quick check

What is the minimum forest functional level that allows you to implement Active Directory Recycle Bin?

Quick check answer

You can implement Active Directory Recycle Bin at the Windows Server 2008 R2 forest functional level.

Multiforest Active Directory environments

Not only do many organizations have more than one domain in their forest, but some organizations have multiple Active Directory forests. Multiple forests often result when organizations merge, during the period before the acquiring organization has subsumed the acquired organization's infrastructure.

Other reasons for having multiple Active Directory forests within a single organization include:

Security requirements. You can ensure that the administrators of one part of the organization have no rights over another part of the organization by placing each part of the organization in a separate forest, because the forest, not the domain, is the security boundary in Active Directory.

Incompatible schemas. All domains in a forest share a schema. If two separate schemas are required for two different parts of the organization, it is necessary to implement multiple forests.

Political requirements. Multinational organizations might have to deal with different jurisdictional requirements. It might be simpler to meet these requirements by having separate forests with trust relationships than it is to attempt to configure domains within the same forest to meet these different compliance benchmarks.

Upgrading existing domains and forests

You can use one of two strategies when upgrading an existing domain so that you can configure it at the Windows Server 2012 functional level:

The first strategy is to upgrade the operating system on each domain controller to Windows Server 2012. This approach can be problematic because many organizations are running Windows Server 2003 on domain controllers, and you can't directly upgrade Windows Server 2003 to Windows Server 2012. It's also likely that existing domain controllers are running an x86 version of a Windows Server operating system. Windows operating systems never support direct upgrades from x86 versions to x64 versions.

The second strategy is to introduce Windows Server 2012 domain controllers into an existing domain and then decommission the existing domain controllers running earlier versions of the Windows Server operating system. This approach is less complicated than performing a direct upgrade. If the hardware supports it, you can repurpose the existing hardware so that the decommissioned domain controllers get a new life as Windows Server 2012 domain controllers (although an increasing number of organizations have domain controllers running on virtual machines).

Unlike previous domain controller upgrades, you don't need to run adprep.exe directly to prepare Active Directory for the arrival of domain controllers running Windows Server 2012. Instead, if you promote the first Windows Server 2012 domain controller using an account that is a member of the Schema Admins and Enterprise Admins groups, the schema upgrade occurs automatically. You have to run adprep.exe separately only if you are performing an in-place upgrade of a domain controller running an x64 version of Windows Server 2008 or Windows Server 2008 R2 and this upgraded domain controller will be the first Windows Server 2012 domain controller in the domain.
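The second strategy, and the automatic schema preparation that goes with it, looks like this in Windows PowerShell. This is an added example, not code from the original lesson. It assumes a Windows Server 2012 member server already joined to a domain named contoso.com, and a credential for an account that is a member of the Enterprise Admins and Schema Admins groups; the schema version numbers in the comments are the values Microsoft assigns to each release and are used here only so that you can confirm the automatic adprep step actually ran.

```powershell
# Added example, not from the original lesson. Run on the Windows Server 2012
# member server that will become the first 2012 domain controller in the
# (assumed) contoso.com domain. The credential supplied must belong to an
# account in the Enterprise Admins and Schema Admins groups.

# 1. Install the AD DS binaries and the management tools (including the
#    ActiveDirectory PowerShell module). This does not promote the server.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Record the schema version before promotion. Windows Server 2012 sets
#    objectVersion on the schema container to 56 (2008 R2 is 47, 2008 is 44,
#    2003 R2 is 31, 2003 is 30).
$schemaNC = (Get-ADRootDSE -Server 'contoso.com').schemaNamingContext
$before   = (Get-ADObject -Identity $schemaNC -Properties objectVersion -Server 'contoso.com').objectVersion
"Schema objectVersion before promotion: $before"

# 3. Prerequisite check only; nothing is changed yet. This surfaces missing
#    group memberships or DNS problems before the promotion starts.
$cred = Get-Credential -Message 'Enterprise Admins / Schema Admins account'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Test-ADDSDomainControllerInstallation -DomainName 'contoso.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# 4. Promote. With the memberships above, the cmdlet runs the forest and
#    domain preparation (what adprep.exe used to do) itself, then reboots.
Install-ADDSDomainController -DomainName 'contoso.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns

# 5. Run these separately after the reboot: confirm that the schema was
#    extended and that the new DC is registered. objectVersion should be 56.
$after = (Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
"Schema objectVersion after promotion: $after"
Get-ADDomainController -Identity $env:COMPUTERNAME |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site
```

Keep the Directory Services Restore Mode password somewhere recoverable; it is the only way into the new domain controller if the directory service fails to start. If the in-place upgrade path from the text is used instead, step 4 is replaced by running adprep.exe before the upgrade, and step 5 is still the right way to confirm that it worked.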


Active Directory Migration Tool

The Active Directory Migration Tool can assist you in migrating from an existing Active Directory environment rather than upgrading it in place. Version 3.2 of the Active Directory Migration Tool isn't supported on Windows Server 2012.

UPN suffixes

A user principal name (UPN) suffix is the part of a UPN that follows the @ symbol. For example, in the UPN kim_akers@contoso.com, the UPN suffix is the domain name contoso.com. UPN suffixes allow users to sign on using an account name that includes the name of their domain. Because UPN suffixes look like email addresses, users find them easy to remember. This is useful in complex environments where users might be logging on to computers that are members of domains that are different from the domains that host their accounts. For example, Kim Akers' user account might be located in the accounts.contoso.com domain, but she needs to sign on to a computer that is a member of the computers.contoso.com domain. Rather than having to sign on as accounts\kim_akers as her user name, or choosing the account domain from a list, she can instead sign on using the UPN kim_akers@contoso.com.

By default, the name of the forest root domain is offered as a UPN suffix to every user in the forest, even if their accounts are in a child domain. This is why Kim is able to sign on as kim_akers@contoso.com even though her account is in accounts.contoso.com: contoso.com is the UPN suffix of the root domain. You configure additional UPN suffixes using the Active Directory Domains and Trusts console, as shown in Figure 1-4.

You can configure the UPN suffix associated with a particular user account on the Account tab of the user account's properties in the Active Directory Users and Computers console, as shown in Figure 1-5. A UPN must be unique across the whole forest; if two accounts are given the same UPN, signing on with that UPN fails, so check the global catalog before assigning a suffix that is also used as an email domain. When you are configuring forest trusts, you can block or allow user authentication based on UPN suffix.
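The same configuration from Windows PowerShell, as an added example that is not part of the original lesson: it registers an alternative suffix at the forest level, checks the global catalog for a duplicate UPN, and then assigns the UPN to a user in a child domain. The forest root contoso.com, the child domain accounts.contoso.com and the user kim_akers come from the lesson; the suffix contoso.net is a hypothetical alternative suffix (for instance, the company's external mail domain). Changing the forest's suffix list requires Enterprise Admins; changing the user requires rights in the user's domain.

```powershell
# Added example, not from the original lesson. Assumes the forest root is
# contoso.com, the user kim_akers lives in accounts.contoso.com, and the
# alternative suffix contoso.net is hypothetical.
Import-Module ActiveDirectory

$forestName = 'contoso.com'
$newSuffix  = 'contoso.net'
$user       = 'kim_akers'
$userDomain = 'accounts.contoso.com'

# 1. Register the suffix at the forest level (the same setting the Domains
#    and Trusts console edits). @{Add=...} keeps the existing suffixes.
$forest = Get-ADForest -Identity $forestName
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forestName -UPNSuffixes @{Add = $newSuffix}
}
'Registered suffixes: ' + ((Get-ADForest -Identity $forestName).UPNSuffixes -join ', ')

# 2. A UPN must be unique in the whole forest, and Set-ADUser does not check
#    other domains for you. Query a global catalog (port 3268, empty search
#    base) so that every domain in the forest is covered.
$upn = "${user}@${newSuffix}"
$gc  = (Get-ADDomainController -Discover -Service GlobalCatalog -DomainName $forestName).HostName[0]
$clash = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Server "${gc}:3268" -SearchBase ''
if ($clash -and $clash.SamAccountName -ne $user) {
    throw "UPN $upn is already in use by $($clash.DistinguishedName)"
}

# 3. Assign the UPN on a domain controller in the user's own domain; the
#    change then replicates to the global catalog.
Set-ADUser -Identity $user -Server $userDomain -UserPrincipalName $upn

# 4. Verify.
Get-ADUser -Identity $user -Server $userDomain |
    Select-Object SamAccountName, UserPrincipalName
```

The global catalog query in step 2 is the part most often skipped. Because a UPN suffix can be any string, nothing stops two child domains from handing out the same UPN, and the symptom (sign-on with the UPN fails for both users while domain\user still works) is confusing to troubleshoot after the fact.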

More Info: UPN Suffixes

To learn more about UPN suffixes, consult the following link: http://technet.microsoft.com/en-us/library/cc772007.aspx.

Lesson summary

A forest can contain multiple domains. Domain trees build on the same namespace. A forest can contain multiple domain trees.

No host FQDN in an Active Directory forest can exceed 64 characters.

The domain functional level is dependent on the oldest version of the Windows Server operating system used on a domain controller in a domain.

A domain functional level defines the minimum version of the Windows Server operating system that can be used on domain controllers.

Each domain in a forest can have a different functional level. The forest functional level depends on the lowest domain functional level in the forest.

You can configure custom UPN suffixes to simplify the sign-on process for users in multidomain and multiforest environments.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of each answer choice in the Answers section at the end of this chapter.

You are in the process of designing a new Active Directory implementation for your organization. Two different departments in your organization will be adopting applications that have separate and mutually exclusive Active Directory schema requirements. Which of the following Active Directory structures should you use in your design to accommodate these requirements?

A single forest with a single domain tree

A single forest with multiple domain trees

Multiple forests

A single-domain forest

You are the systems administrator for Tailspin Toys and its subsidiary company Wingtip Toys. You are in the process of designing a new Active Directory structure. You've been asked to ensure that employees who work in the Tailspin Toys part of the organization log into a domain named tailspintoys.com and that employees who work in the Wingtip Toys part of the organization log into a domain named wingtiptoys.com. You want to do this in the simplest way possible and minimize the creation of trust relationships. Which of the following Active Directory structures should you use in your design to accommodate these requirements?

A single-domain forest

Multiple forests

A single forest with multiple domain trees

A single forest with a single domain tree

You want to deploy several domain controllers running the Windows Server 2012 operating system. You will eventually decommission the existing domain controllers and bring the domain up to the Windows Server 2012 domain functional level. What is the minimum domain functional level required to support the introduction of domain controllers running the Windows Server 2012 operating system?

Windows Server 2003 domain functional level

Windows Server 2008 domain functional level

Windows Server 2008 R2 domain functional level

Windows Server 2012 domain functional level

At which forest functional levels is the Active Directory Recycle Bin available? (Choose all that apply.)