Here is the next free video for the Active Directory course. In the last video I looked at domain functional levels. In this video I will look at forest functional levels. If you are not familiar with Active Directory forests, please see our previous video, Forest and Trees.

Before I get started with forest functional levels, let's have a quick look at an example of two forests to understand how the forest levels work. On the left side you can see IT Free Training with two child domains, sales and marketing. When working with networks that have been around since the NT days, you may see separate domains that make no sense. In the NT days there were limits on how many users could be in a domain. In the early days of Windows Server 2000, there were limits on how many users could be in certain groups. Also, if you wanted to configure different password requirements, you could only do it at the domain level. What does all this mean? Well, it means that when you are working on a production network, the number of domains and the layout of the domains may not make sense. When you consider what can be done with a Windows domain now compared with 10 years ago, it makes sense that extra domains may have needed to be created in the past. If you also take into account company restructures, acquisitions and mergers, the number of domains and the design of the network may not always make sense.

In this example, the IT Free Training domain is at the Windows Server 2008 R2 domain functional level, since IT Free Training likes to be at the forefront of technology. The sales domain is at the Windows Server 2008 domain functional level. The marketing domain is at the Windows Server 2003 domain functional level. There is also another forest called High Cost Training with one domain. They did not put the money into upgrading their technology, so they are still at the Windows 2000 domain functional level. So now you have two forests. Both forests are currently at the Windows Server 2000 forest functional level.

The point to remember with forests is that the higher the forest level, the more features you will have. In order to raise your forest level, all domain functional levels must be at that level or higher. In other words, the level to which you can raise your forest level will be determined by the lowest domain functional level in your forest. This may sound a little confusing right now, so let's have a look at the features of each forest level and come back to this example shortly.

The first forest level that I want to look at is the Windows Server 2000 forest level. This forest level gives basic Active Directory functionality. In order to have this level, all of the domains in your forest must be Windows Server 2000 native or above. In other words, you can't have any NT 4 domain controllers. The next forest functional level is Windows Server 2003. In order to raise your forest level to Windows Server 2003, all the domains in your forest must be at the Windows Server 2003 domain functional level, which means that all of your domain controllers must be Windows Server 2003 or above. Remember that the forest and domain functional levels do not affect which clients can join your domain.

Once you raise your forest level, you gain additional features. The first feature gained by having the Windows Server 2003 forest functional level is the forest trust feature. A forest trust allows you to share resources between two forests easily. If I go back to my example, let's say I want to put a forest trust between High Cost Training and IT Free Training. In order to do this, I would first need to raise the forest level of both forests to Windows Server 2003. Currently, in the IT Free Training forest, the lowest domain functional level is Windows Server 2003. In order to raise the forest level to Windows Server 2003, all I need to do is raise the forest level to Windows Server 2003. No more work needs to be done because all of the domains are already at the Windows Server 2003 domain functional level or higher. In the High Cost Training forest I have a Windows Server 2000 native domain and a Windows Server 2000 forest. In order to raise the forest level to Windows Server 2003 I need to first raise the domain level to Windows Server 2003. To do this, I first need to upgrade all the domain controllers in the High Cost Training domain to Windows Server 2003. Once this is done, I can raise the domain functional level to Windows Server 2003. Now that all the domain functional levels in the High Cost Training forest are Windows Server 2003, I can raise the forest functional level to Windows Server 2003. Now that both forests are at the Windows Server 2003 forest functional level, I can put in place a forest trust between the two forests. The forest trust allows easy resource sharing between the two forests. This is the first feature of the Windows Server 2003 forest level.

The second feature of the Windows Server 2003 forest level is that you can rename domains. If your company decided to change its name, you may also need to rename the domain. Before attempting this, I would do your research on the effects of renaming a domain.

The third feature of the Windows Server 2003 forest level is linked value replication. This applies to groups in Active Directory. Consider the group sales on two different domain controllers separated by a wide area network. Users are added to the group from both domain controllers. Later on, a replication occurs. Before linked value replication, Windows would use a last-write-wins policy. Basically this means that whoever updated the record last would be considered to have the newest, and thus correct, record. You can see in this example that two users who were added to the group have been lost when the replication occurred. Linked value replication, in comparison, replicates only the changes in group membership. In this example the users that have been added to the group are replicated. This is a much better system because it means the groups are more accurate and there is less network traffic, because only the changes are replicated, not the entire group.

The fourth feature of the Windows Server 2003 forest level is an improved Knowledge Consistency Checker. I will cover this in more detail later in the course, but for the present you need to know that the job of the Knowledge Consistency Checker, or KCC, is to create the links that allow replication between multiple sites over WAN links to occur. The KCC in Windows Server 2003 has been improved, which means that it is better at handling large Active Directory deployments over more sites.

The fifth feature is called Dynamic Auxiliary Class. This is basically the ability to create an object in Active Directory that has a time-to-live value associated with it. This is also referred to as a dynamic entry. Having a dynamic entry means an application can store an object in Active Directory and have it expire after a certain period of time, say, after a day. Active Directory would then automatically remove the object after 1 day without the application having to do anything.

The sixth feature of the Windows Server 2003 forest level allows you to convert an INetOrgPerson object into a user object, or do the reverse. An INetOrgPerson object is used by third-party directory systems. This forest level allows you to store the user password and other data for that user in the INetOrgPerson object. To understand why you would do so, let's consider a real-world example. Let's say you have two directory systems, Active Directory and a third-party system. You want to migrate from the third-party system to Active Directory. To do this, the user details are imported from the third-party system into the INetOrgPerson object found in Active Directory. This allows Active Directory to access this data. Once the third-party system has been retired, you want to take the information out of the INetOrgPerson object and store it in the user account in Active Directory. Previously you could not do this. Now you can copy all the data from the INetOrgPerson object into the user account in Active Directory, including passwords. This saves the user from needing to have their password reset during a migration, or from losing settings. You could also do the reverse: the user account details could be copied from Active Directory into the INetOrgPerson object. This makes Active Directory work a lot better in companies that have two directory systems.

The seventh feature of the Windows Server 2003 forest level is that it supports Windows Server 2008 read-only domain controllers. This is a new feature of Windows Server 2008 that I will cover in a later video. This feature allows you to deploy a domain controller with a read-only copy of the Active Directory database. This is usually done where there is a concern for the physical security of the domain controller. If the domain controller were to be compromised or stolen, having a read-only copy of the database reduces the amount of damage an attacker could do.

The last feature of the Windows Server 2003 forest level is the ability to deactivate and redefine attributes and classes in the schema. Previously, when you created a new attribute or class in the schema, you were stuck with it. There is still no delete key for the Active Directory schema, but if you do make a mistake you can deactivate it. You can also redefine objects, which in some cases allows you to change a mistake into something more useful. Even with this feature, you should be careful when making changes to the schema.

That's a lot of features for the Windows Server 2003 forest level. Are you ready for all the features of the Windows Server 2008 forest level? Once you have raised all your domain functional levels to Windows Server 2008, you can raise your forest level to Windows Server 2008. The new features of the Windows Server 2008 forest functional level are... nothing. That's right, absolutely nothing new. Raising your forest functional level to Windows Server 2008 gives you no new features. The only thing that it does is stop domain controllers lower than Windows Server 2008 from being added to the forest. It also ensures that all new domains are created at the Windows Server 2008 domain functional level.

The last forest functional level is Windows Server 2008 R2. Once you have raised all your domain functional levels to Windows Server 2008 R2, you can raise your forest functional level to Windows Server 2008 R2. How many new features do you get for doing this? Wait for it... one. Even though there is only one feature, it is the one feature which we have been waiting on for a very long time. The Active Directory Recycle Bin allows you to restore Active Directory objects that have been deleted. Previously you would have had to boot the domain controller into Active Directory Recovery Mode and perform an authoritative restore in order to recover a deleted object. This is not the most straightforward or easy process. With the Active Directory Recycle Bin you can recover objects without having to reboot the server. This makes it a lot easier to recover user accounts that have been deleted by accident.

OK, now let's go back to the example and have a look at upgrading the domain and forest functional levels one last time. Let's consider that we want to upgrade all forest levels to Windows Server 2008 R2. To upgrade High Cost Training is quite easy. All we need to do is upgrade all the domain controllers in the domain to Windows Server 2008 R2. Once done, the domain functional level is raised to Windows Server 2008 R2. Once that is done, we raise the forest functional level to Windows Server 2008 R2. Easy. The IT Free Training forest is a little bit more difficult. In order to upgrade the forest functional level you need to ensure that all domains are first at the Windows Server 2008 R2 domain functional level. Once you have done this, you can upgrade the forest to Windows Server 2008 R2. If one domain is not at the Windows Server 2008 R2 domain functional level, it will prevent you from raising the functional level of the forest.

I won't go into too much detail here about forest design. The 70-647 course covers forest design in a lot of detail. In this case, have a look at the domains and see if they can be reduced. The sales domain was created because they needed more complex password policies than the parent domain. The Windows Server 2008 domain functional level supports multiple password policies. So what can happen here is that the sales domain can be migrated into the root domain, IT Free Training, and simply made into an OU. In the case of the marketing domain, this was created because a particular person who used to work at IT Free Training wanted his own network. In other words, it was done more for political reasons than for business need. For this reason, you would merge this domain with IT Free Training, making it its own OU, because that person does not work for IT Free Training any more. Now we have two forests with one domain per forest. When looking at raising forest functional levels, consider the reasons why you have so many domains in the first place. Merging domains together is often cheaper than upgrading all of your domain controllers to a particular operating system.
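Before raising a forest level, it helps to know which domain is the one holding it back. The script below is an added example (not code from the video or from ITFreeTraining) that applies the "lowest domain functional level decides the forest level" rule to the two forests above and lists the blocking domains; the enum names are those of the ActiveDirectory PowerShell module, and the DNS names of the example domains are constructed for the script.

```powershell
# Added example, not code from the ITFreeTraining video: the "lowest domain level
# decides the forest level" rule as a function on plain level names, plus a wrapper
# for a live forest. Enum names match the ActiveDirectory module's ADDomainMode /
# ADForestMode values; the domain DNS names below are constructed for the example.

# Functional levels in ascending order, without their Domain/Forest suffix. Levels
# after 2008 R2 are included because a real forest may already be above the video's range.
$script:LevelOrder = @('Windows2000', 'Windows2003', 'Windows2008', 'Windows2008R2',
                       'Windows2012', 'Windows2012R2', 'Windows2016')

function Get-LevelRank([string] $Mode) {
    # Windows2003InterimDomain and anything unknown come back as -1.
    return [Array]::IndexOf($script:LevelOrder, ($Mode -replace '(Domain|Forest)$', ''))
}

function Get-MaxRaisableForestMode([string[]] $DomainModes) {
    # The forest can only be raised as far as the lowest domain functional level in it.
    $ranks = $DomainModes | ForEach-Object { Get-LevelRank $_ }
    $lowest = ($ranks | Measure-Object -Minimum).Minimum
    if ($lowest -lt 0) { throw "Unsupported domain functional level in: $DomainModes" }
    return $script:LevelOrder[$lowest] + 'Forest'
}

function Get-ForestModeBlockers([hashtable] $DomainModes, [string] $TargetForestMode) {
    # Returns the domains that must be raised before the forest can reach the target.
    $target = Get-LevelRank $TargetForestMode
    foreach ($d in $DomainModes.GetEnumerator()) {
        if ((Get-LevelRank $d.Value) -lt $target) { $d.Key }
    }
}

# The two forests from the video as constructed sample data.
$itFreeTraining = @{
    'itfreetraining.local'           = 'Windows2008R2Domain'
    'sales.itfreetraining.local'     = 'Windows2008Domain'
    'marketing.itfreetraining.local' = 'Windows2003Domain'
}
$highCostTraining = @{ 'highcosttraining.local' = 'Windows2000Domain' }

Get-MaxRaisableForestMode @($itFreeTraining.Values)           # Windows2003Forest
Get-MaxRaisableForestMode @($highCostTraining.Values)         # Windows2000Forest
Get-ForestModeBlockers $itFreeTraining 'Windows2008R2Forest'  # sales and marketing domains

# Against a live forest (needs the ActiveDirectory module and Enterprise Admins rights).
# Run the blocker check first; -WhatIf shows what Set-ADForestMode would do without doing it.
# $forest = Get-ADForest
# $live = @{}
# foreach ($name in $forest.Domains) { $live[$name] = (Get-ADDomain -Identity $name).DomainMode.ToString() }
# Get-ForestModeBlockers $live 'Windows2008R2Forest'
# Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -WhatIf
```

Raising a functional level is a one-way change, so keep the `-WhatIf` run and the blocker list as a record of the state before the change.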

To finish, I will now change to my Windows Server 2008 computer and look at how to raise the forest functional level. From the start menu, run Active Directory