Here is the next free video for the Active Directory course. In the last video I looked at domain functional levels. In this video I will look at forest functional levels. If you are not familiar with Active Directory forests, please see our previous video, Forests and Trees. Before I get started with forest functional levels, let's have a quick look at an example of two forests to understand how forest levels work. On the left side you can see IT Free Training with two child domains, sales and marketing. When working with networks that have been around since the NT days, you may see separate domains that make no sense. In the NT days there were limits on how many users could be in a domain. In the early days of Windows 2000, there were limits on how many members certain groups could have. Also, if you wanted to configure different password requirements, you could only do it at the domain level. What does all this mean? It means that when you are working on a production network, the number of domains and their layout may not make sense. When you consider what can be done with a Windows domain now compared with 10 years ago, it makes sense that extra domains may have needed to be created in the past. If you also take into account company restructures, acquisitions and mergers, the number of domains and the design of the network will not always make sense. In this example, the IT Free Training domain is at the Windows Server 2008 R2 domain functional level, since IT Free Training likes to be at the forefront of technology. The sales domain is at the Windows Server 2008 domain functional level. The marketing domain is at the Windows Server 2003 domain functional level. There is also another forest called High Cost Training with one domain. They did not put the money into upgrading their technology, so they are still at the Windows 2000 domain functional level. So now you have two forests.
Both forests are currently at the Windows 2000 forest functional level. The point to remember with forests is that the higher the forest level, the more features you get. In order to raise your forest level, every domain in the forest must be at that domain functional level or higher. In other words, the lowest domain functional level in your forest determines how far you can raise the forest level. This may sound a little confusing right now, so let's have a look at the features of each forest level and come back to this example shortly. The first forest level I want to look at is the Windows 2000 forest level. This level gives you basic Active Directory functionality and places no extra restriction on the domains: a domain can still be at the Windows 2000 mixed level, which means NT 4 backup domain controllers can still exist in the forest. The next forest functional level is Windows Server 2003. In order to raise your forest level to Windows Server 2003, every domain in your forest must be at the Windows Server 2003 domain functional level, which means all of your domain controllers must be running Windows Server 2003 or later. (There is also a Windows Server 2003 interim forest level, used only while upgrading directly from NT 4.) Remember that forest and domain functional levels only restrict which operating systems your domain controllers can run; they do not affect which clients can join your domain. Once you raise your forest level, you gain additional features. The first feature gained by having the Windows Server 2003 forest functional level is the forest trust. A forest trust lets you share resources between two forests without creating a separate trust for every pair of domains. A forest trust is also a security decision: choose between forest-wide authentication and selective authentication, and leave SID filtering enabled (it is on by default for forest trusts) unless you have a specific reason to relax it. If I go back to my example, let's say I want to put a forest trust between High Cost Training and IT Free Training. In order to do this, I would first need to raise the forest level of both forests to Windows Server 2003. Currently in the IT Free Training forest, the lowest domain functional level is Windows Server 2003, so all I need to do is raise the forest level to Windows Server 2003.
No more work needs to be done because all of the domains are already at the Windows Server 2003 domain functional level or higher. In the High Cost Training forest I have a Windows 2000 native domain and a Windows 2000 forest. In order to raise the forest level to Windows Server 2003 I first need to raise the domain level to Windows Server 2003. To do this, I first need to upgrade or replace all the domain controllers in the High Cost Training domain with Windows Server 2003. Once this is done, I can raise the domain functional level to Windows Server 2003. Now that every domain in the High Cost Training forest is at Windows Server 2003, I can raise the forest functional level to Windows Server 2003. Now that both forests are at the Windows Server 2003 forest functional level, I can put in place a forest trust between the two forests. The forest trust allows easy resource sharing between the two forests. This is the first feature of the Windows Server 2003 forest level. The second feature of the Windows Server 2003 forest level is that you can rename domains. If your company decided to change its name, you may also need to rename the domain. Before attempting this, do your research on the effects of renaming a domain: it is done with the rendom tool, it requires restarts of the domain controllers and every member computer, and it is not supported in forests that contain Exchange Server 2007 or later. The third feature of the Windows Server 2003 forest level is linked value replication. This applies to groups in Active Directory. Consider the group sales on two different domain controllers separated by a wide area network. Users are added to the group from both domain controllers. Later on, replication occurs. Before linked value replication, the whole member attribute of the group was replicated as one value, so Windows used a last-writer-wins rule: whichever domain controller updated the attribute last was considered to hold the newest, and therefore correct, member list. You can see in this example that the two users added on the other domain controller have been lost when replication occurred. Linked value replication, in comparison, replicates each change in group membership individually.
In this example the users added to the group on both domain controllers are all kept after replication. This is a much better system because group membership stays accurate and there is less network traffic, since only the changes are replicated rather than the entire member list. Note that membership values that already exist when the level is raised only become linked values once they are next modified. The fourth feature of the Windows Server 2003 forest level is an improved Knowledge Consistency Checker. I will cover this in more detail later in the course, but for the present you need to know that the job of the Knowledge Consistency Checker, or KCC, is to build the replication connections that let multiple sites replicate over WAN links. The KCC in Windows Server 2003 uses improved inter-site topology algorithms, so it handles large Active Directory deployments with more sites better. The fifth feature is the dynamic auxiliary class, dynamicObject. This is the ability to create an object in Active Directory that has a time-to-live value (the entryTTL attribute) associated with it; such an object is also called a dynamic entry. Having a dynamic entry means an application can store an object in Active Directory and have it expire after a certain period of time, say, after a day. Active Directory then automatically removes the object after one day without the application having to do anything. The sixth feature of the Windows Server 2003 forest level allows you to convert an inetOrgPerson object into a user object, or the reverse. inetOrgPerson is the user class defined in RFC 2798 and used by third-party directory systems. At this level an inetOrgPerson object in Active Directory is a full security principal: it can hold the user's password and other account data. To understand why you would want this, let's consider a real-world example. Let's say you have two directory systems, Active Directory and a third-party system, and you want to migrate from the third-party system to Active Directory. To do this, the user details are imported from the third-party system into inetOrgPerson objects in Active Directory. This allows Active Directory to use this data.
Once the third-party system has been retired, you want to turn the inetOrgPerson object into a normal Active Directory user account. Previously you could not do this. Now the object can be converted in place into a user account, keeping all of its attributes, including the password. This saves the user from having their password reset during a migration or losing settings. You can also do the reverse and convert a user account into an inetOrgPerson object. This makes Active Directory work a lot better in companies that run two directory systems. The seventh feature of the Windows Server 2003 forest level is that it supports Windows Server 2008 read-only domain controllers. This is a new feature of Windows Server 2008 that I will cover in a later video. It allows you to deploy a domain controller with a read-only copy of the Active Directory database. This is usually done where there is a concern about the physical security of the domain controller, for example in a branch office. If the domain controller were to be compromised or stolen, the damage is limited: by default an RODC stores no account passwords other than those its password replication policy explicitly allows, and nothing written on the RODC replicates back to the rest of the forest. The last feature of the Windows Server 2003 forest level is the ability to deactivate and redefine attributes and classes in the schema. Previously, when you created a new attribute or class in the schema, you were stuck with it. There is still no delete key for the Active Directory schema, but if you do make a mistake you can deactivate the object. You can also redefine objects, which in some cases lets you turn a mistake into something more useful. Even with this feature you should be careful when making changes to the schema. That's a lot of features for the Windows Server 2003 forest level. Are you ready for all the features of the Windows Server 2008 forest level?
Once you have raised all your domain functional levels to Windows Server 2008, you can raise your forest level to Windows Server 2008. The new features of the Windows Server 2008 forest functional level are... nothing. That's right, absolutely nothing new. Raising your forest functional level to Windows Server 2008 gives you no new features. The only thing it does is stop domain controllers older than Windows Server 2008 from being added to the forest. It also ensures that all new domains are created at the Windows Server 2008 domain functional level. The last forest functional level is Windows Server 2008 R2. Once you have raised all your domain functional levels to Windows Server 2008 R2, you can raise your forest functional level to Windows Server 2008 R2. How many new features do you get for doing this? Wait for it... one. Even though there is only one feature, it is the one feature we have been waiting on for a very long time. The Active Directory Recycle Bin allows you to restore Active Directory objects that have been deleted. Previously you would have had to boot a domain controller into Directory Services Restore Mode and perform an authoritative restore in order to recover a deleted object. This is not the most straightforward or easy process. With the Active Directory Recycle Bin you can recover objects, with all of their attributes and group memberships intact, without having to reboot the server. This makes it a lot easier to recover user accounts that have been deleted by accident. Two things to keep in mind: raising the forest level does not switch the Recycle Bin on, you have to enable it as an optional feature afterwards, and once it is enabled it cannot be disabled again. OK, now let's go back to the example and have a look at upgrading the domain and forest functional levels one last time. Let's consider that we want to upgrade both forests to Windows Server 2008 R2. To upgrade High Cost Training is quite easy. All we need to do is upgrade all the domain controllers in the domain to Windows Server 2008 R2. Once that is done, the domain functional level is raised to Windows Server 2008 R2. Once that is done, we raise the forest functional level to Windows Server 2008 R2. Easy.
The IT Free Training forest is a little more difficult. In order to upgrade the forest functional level you need to ensure that all domains are first at the Windows Server 2008 R2 domain functional level. Once you have done this, you can upgrade the forest to Windows Server 2008 R2. If even one domain is not at the Windows Server 2008 R2 domain functional level, it will prevent you from raising the functional level of the forest. I won't go into too much detail here about forest design. The 70-647 course covers forest design in a lot of detail. In this case, have a look at the domains and see whether they can be reduced. The sales domain was created because it needed more complex password policies than the parent domain. The Windows Server 2008 domain functional level supports fine-grained password policies, that is, multiple password policies within one domain. So the sales domain can be migrated into the root domain, IT Free Training, and simply made into an OU. In the case of the marketing domain, this was created because a particular person who used to work at IT Free Training wanted his own network. In other words, it was done more for political reasons than for business need. For this reason, you would merge this domain into IT Free Training as well, making it its own OU, because that person does not work for IT Free Training any more. Now we have two forests with one domain per forest. When looking at raising forest functional levels, consider the reasons why you have so many domains in the first place. Merging domains together is often cheaper than upgrading all of your domain controllers to a particular operating system. To finish, I will now change to my Windows Server 2008 computer and look at how to raise the forest functional level. From the start menu, run Active Directory Domains and Trusts from Administrative Tools. From here you want to right-click the forest name at the top and select the option Raise Forest Functional Level.
At the top, the current forest functional level is shown as Windows Server 2003. To raise the forest functional level, simply select the forest level you want to raise it to and then press the Raise button. Windows will give you a warning reminding you that the change affects all the domains in the forest and cannot be reversed. (The one exception is that the Windows Server 2008 R2 forest level can be lowered back to Windows Server 2008 with PowerShell, as long as the Recycle Bin has not been enabled; every older level is one way.) Once I press OK, the forest level will be raised. That's it for forest functional levels. In the next video I will look at upgrading to Active Directory. In some cases, you may be running Windows 2000 or Windows Server 2003 and want to start using Windows Server 2008 or Windows Server 2008 R2 domain controllers. That video will show what you need to do before you can start using these domain controllers. Once again, thanks for watching another free video in this completely free course for Active Directory.
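As a closing added example (this is not code from the video; it is PowerShell I have written for this page), here is the same readiness check, forest raise, Recycle Bin enablement and object restore done from the ActiveDirectory module instead of the Active Directory Domains and Trusts console. It assumes the ActiveDirectory module from RSAT is installed, that you are running it as a member of Enterprise Admins, that the target level is Windows Server 2008 R2 as in the video, and that a user with the sAMAccountName jsmith was deleted by accident; the target level and the account name are assumptions, not anything from the video.

```powershell
# Added example, not from the video. Assumes the ActiveDirectory module (RSAT) and an
# account in Enterprise Admins. The target level and the account 'jsmith' are assumptions.
Import-Module ActiveDirectory

$TargetForestMode = 'Windows2008R2Forest'   # level the video upgrades to (assumption)
$forest = Get-ADForest

# ADForestMode and ADDomainMode use the same numbering as msDS-Behavior-Version
# (0 = Windows 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, 4 = 2008 R2, ...),
# so the forest target can be compared with each domain's level as an integer.
$targetLevel = [int][Microsoft.ActiveDirectory.Management.ADForestMode]$TargetForestMode
"Forest {0} is at {1}" -f $forest.Name, $forest.ForestMode

# The forest can only be raised as high as its lowest domain, and a domain only as
# high as its oldest domain controller, so report both for every domain in the forest.
$blocking = @()
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "  {0,-28} domain level {1}" -f $domainName, $domain.DomainMode
    if ([int]$domain.DomainMode -lt $targetLevel) {
        $blocking += $domainName
        # These are the DCs that must be upgraded, replaced or demoted first.
        Get-ADDomainController -Filter * -Server $domainName |
            ForEach-Object { "    DC {0,-24} {1}" -f $_.HostName, $_.OperatingSystem }
    }
}
if ($blocking.Count -gt 0) {
    "Raise these domains to $TargetForestMode first: $($blocking -join ', ')"
    return
}

# Raise the forest. Levels below 2008 R2 cannot be lowered again; 2008 R2 can be
# rolled back to 2008 only until the Recycle Bin is enabled.
if ([int]$forest.ForestMode -lt $targetLevel) {
    Set-ADForestMode -Identity $forest -ForestMode $TargetForestMode -Confirm:$false
}

# Raising the level does not switch the Recycle Bin on; it is an optional feature
# that must be enabled explicitly, and enabling it is permanent.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# With the Recycle Bin on, a deleted account keeps its attributes and can be put back
# where it was without DSRM or an authoritative restore.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jsmith"' `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
foreach ($obj in $deleted) {
    "Restoring {0} (deleted {1}) into {2}" -f $obj.sAMAccountName, $obj.whenChanged, $obj.lastKnownParent
    Restore-ADObject -Identity $obj.ObjectGUID
}
```

Only objects deleted after the Recycle Bin was enabled are recoverable this way; anything deleted before that is a plain tombstone with most of its attributes already stripped, and for those the old Directory Services Restore Mode procedure is still the only option.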
MCITP 70-640: Active Directory Forest Functional Levels. Posted by Chrisene Chang on 2015/03/18.