Directory updates. It is often just easier to enforce a more rigorous password policy on everyone in the organization than it is to create separate domains or Fine-Grained Password Policies to enable different password policies in
Chapter 4 Active Directory Domains and Forests
you could have a forest root domain named contoso.com that has child domains in the contoso.com tree named northamerica.contoso.com, europe.contoso.com and antarctica.contoso.com, but within the same forest domain you could have a separate fabrikam.com tree that includes Europe.fabrikam.com and Africa.fabrikam.com.
Creating a child domain in an existing forest, whether it is the root of a new domain tree or a child domain in an existing one, is relatively easy. To create a child domain, perform the following general steps:
1. Run DCPROMO on a computer that will function as the first domain controller in the new domain. This computer needs to be configured so that it can perform name resolution against a domain controller in the domain that will function as the parent domain. Ensure that you select the Advanced Mode Installation option if you want to create a new tree in an existing forest.
2. Select the New Domain in an Existing Forest option, shown in Figure 4-1.
You only have the option to create the new domain tree root if you select the Advanced Mode Installation option.
Figure 4-1: New domain in existing forest
3. Specify the name of any domain in the forest where the new domain will be installed. You may also need to provide alternate credentials at this point for that domain, depending on existing security relationships.
4. If you are creating a new domain tree, enter the fully qualified domain name (FQDN) of the new domain. If you are creating a child domain, enter the FQDN of the parent domain and the single name of the child domain.
5. Continue the Active Directory Domain Services Installation Wizard as normal, and reboot the newly installed DC when necessary.
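As an added illustration of steps 1 to 5 (not from the book), here is the same child-domain creation expressed as a dcpromo answer file for an unattended run (dcpromo /unattend:childdomain.txt). The domain names match the example above; the account, password and path values are placeholders, and the parameter names are assumed to match the dcpromo unattended-installation syntax for Windows Server 2008 R2, so check them against the reference for your build.

```ini
; Constructed example answer file for creating antarctica.contoso.com as a
; child of contoso.com. Placeholder values are marked with <...>.
[DCInstall]
; Create a new domain rather than an additional DC in an existing one
ReplicaOrNewDomain=Domain
; "Child" = child of an existing tree; use "Tree" (with NewDomainDNSName
; instead of ParentDomainDNSName/ChildName) for the root of a new tree,
; which is what the wizard's Advanced Mode Installation option exposes
NewDomain=Child
ParentDomainDNSName=contoso.com
ChildName=antarctica
DomainNetBiosName=ANTARCTICA
; Functional level of the new domain: 0=2000, 2=2003, 3=2008, 4=2008 R2
DomainLevel=4
; Credentials in the parent domain (step 3 of the wizard); "*" prompts
; for the password so it is never stored in the file
UserDomain=contoso.com
UserName=<enterprise-admin-account>
Password=*
; Name resolution against the parent domain must already work (step 1);
; the new DC replicates its initial copy from this parent-domain DC
ReplicationSourceDC=dc1.contoso.com
; Install DNS on the new DC and delegate the child zone in the parent
InstallDNS=Yes
CreateDNSDelegation=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Directory Services Restore Mode password; treat this file as sensitive
; and remove it once promotion has completed
SafeModeAdminPassword=<DSRM-password>
RebootOnCompletion=Yes
```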
Setting Domain and Forest Functional Levels
Domain and forest functional levels determine which Active Directory features you can use and are dependent on the domain controllers that your organization is using. For example, if you want to leverage the Windows Server 2008 R2 Active Directory Recycle Bin, you need to be running all domains in the forest at the Windows Server 2008 R2 functional level. In general, the higher your domain and forest functional level, the more advanced features you get. The cost of this is that you need to ensure that all your domain controllers are running Windows Server 2008 R2, which may be a bit of a hassle if some of your existing domain controllers have x86 processors.
It is important to remember that domain and forest functional levels only limit the domain controllers that can be present in the environment and not the member servers that can be present. For example, while setting a Windows Server 2008 R2 functional level means that only Windows Server 2008 R2 domain controllers are supported, the domain itself can still have member servers running Windows Server 2003 and computers running the Windows XP operating system.
You can see what functional level the domain and forest are set to by using the Active Directory Domains and Trusts console. Domain functional levels support the following domain controllers and features:
- Windows 2000 Native: This domain functional level supports Windows 2000, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 domain controllers. You wouldn’t use this functional level unless you are unable to retire your domain controllers running Windows 2000. This functional level supports the fewest features compared to higher functional levels.
- Windows Server 2003: This domain functional level supports domain controllers running Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2. This is the default functional level when you install a domain controller running Windows Server 2008 R2 as a new DC in a new forest. This functional level supports more features than the Windows 2000 Native functional level does, but doesn’t support the new Active Directory features available in Windows Server 2008, such as Fine-Grained Password Policies.
- Windows Server 2008: This domain functional level supports domain controllers running Windows Server 2008 and Windows Server 2008 R2. This domain functional level supports better replication technologies than the Windows Server 2003 functional level as well as features like Last Interactive Logon information and Fine-Grained Password Policies.
- Windows Server 2008 R2: This domain functional level only supports domain controllers running the Windows Server 2008 R2 operating system. If you raise the forest functional level to Windows Server 2008 R2, which you can only do if all domains are at that functional level, you can access the Active Directory Recycle Bin feature by configuring the Windows Server 2008 R2 forest functional level.
You set forest functional levels based on the lowest functional level of any domain that is a part of your organization’s forest. For example, if your forest has five domains, with four of those domains set to the Windows Server 2008 R2 functional level and one set to the Windows Server 2003 functional level, you’ll only be able to use the Windows Server 2003 forest functional level. If you upgraded that final domain to the Windows Server 2008 functional level, rather than the Windows Server 2008 R2 functional level, you’d be able to set the forest to the Windows Server 2008, rather than 2008 R2 functional level.
Note: Raising a domain or forest functional level is a one-way operation. Once you’ve raised the functional level, you won’t be able to lower it in future. The only exception is that you can roll back from Windows Server 2008 R2 to Windows Server 2008 if the forest functional level is set to Windows Server 2008 or lower.
Before you raise the domain or forest functional level, you must:
- Ensure that the account used to raise the domain functional level is a member of the Domain Admins group.
- Ensure that the account used to raise the forest functional level is a member of the Enterprise Admins group.
- Raise the domain functional level on the computer that hosts the primary domain controller (PDC) emulator role. The Active Directory Domains and
on locally to the PDC emulator to perform a functional level upgrade. You will learn how to locate computers that host operations master roles later in this chapter.
- Raise the forest functional level on the computer that hosts the schema master role. The Active Directory Domains and Trusts tool does automatically target this server, but you’re probably safer logging on locally to the schema master.
- Ensure all domain controllers in the domain are running operating systems supported by that functional level. For example, you can’t upgrade to the Windows Server 2008 R2 functional level if you have a domain controller running Windows Server 2003.
You use the Active Directory Domains and Trusts tool to verify the current functional level and, if necessary, to raise it. It is also possible to use the Active Directory Users and Computers console to raise the domain functional level. To raise the domain functional level or verify the current functional level, perform the following general steps:
1. Open the Active Directory Domains and Trusts tool on the computer in the target domain that hosts the PDC emulator role.
2. Right click on the target domain and then click on Raise Domain Functional Level.
3. Select the target functional level.
You should wait for the change to propagate out before attempting to raise the forest functional level. If you try to raise the forest functional level too soon after raising the domain functional level, you may be blocked, as the domain might not have reached the minimum functional level required to update to the new forest functional level. To raise the forest functional level, or verify the current functional level, perform the following general steps:
1. Log on to the computer that hosts the schema master role in the forest and open the Active Directory Domains and Trusts tool.
2. Right click on the Active Directory Domains and Trusts item and then click on Raise Forest Functional Level.
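The same pre-flight checks and the two raise operations, scripted with the Active Directory module that ships with Windows Server 2008 R2 as an added example that is not from the book: it verifies every DC's operating system against the target level, targets the PDC emulator and schema master as the checklist above requires, and confirms that no domain lags before touching the forest level. The domain name is a placeholder for your own environment.

```powershell
# Constructed example (not from the book). $DomainName is a placeholder.
Import-Module ActiveDirectory
$DomainName = 'contoso.com'

$domain = Get-ADDomain -Identity $DomainName
$forest = Get-ADForest -Identity $domain.Forest
"Domain mode: $($domain.DomainMode)   Forest mode: $($forest.ForestMode)"
"PDC emulator: $($domain.PDCEmulator)   Schema master: $($forest.SchemaMaster)"

# Check 1: every DC in the domain must run an OS the target level supports.
$dcs = Get-ADDomainController -Filter * -Server $domain.PDCEmulator
$dcs | Select-Object HostName, OperatingSystem, IsGlobalCatalog | Format-Table -AutoSize
$unsupported = $dcs | Where-Object { $_.OperatingSystem -notmatch '2008 R2' }
if ($unsupported) {
    Write-Warning 'Cannot raise to Windows Server 2008 R2 until these DCs are retired:'
    $unsupported | ForEach-Object { Write-Warning "  $($_.HostName) ($($_.OperatingSystem))" }
    return
}

# Step 2: raise the domain level on the PDC emulator. Requires Domain Admins.
# One-way operation, so keep the confirmation prompt.
Set-ADDomainMode -Identity $DomainName -DomainMode Windows2008R2Domain `
    -Server $domain.PDCEmulator -Confirm:$true

# Check 2: the forest level is capped by the lowest domain level in the forest,
# and a freshly raised domain must replicate before the forest will accept it.
# Allow replication to complete (repadmin /syncall) before running this part.
$domainModes = foreach ($d in $forest.Domains) {
    Get-ADDomain -Identity $d | Select-Object DNSRoot, DomainMode
}
$domainModes | Format-Table -AutoSize
$lagging = $domainModes | Where-Object { $_.DomainMode -ne 'Windows2008R2Domain' }
if ($lagging) {
    $names = ($lagging | ForEach-Object { $_.DNSRoot }) -join ', '
    Write-Warning "Forest level cannot reach 2008 R2 while these domains lag: $names"
    return
}

# Step 3: raise the forest level on the schema master. Requires Enterprise Admins.
Set-ADForestMode -Identity $forest.Name -ForestMode Windows2008R2Forest `
    -Server $forest.SchemaMaster -Confirm:$true
```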