Here is the next free video for the Active Directory course. In the last video I looked
at domain functional levels. In this video I will look at forest functional levels. If
you are not familiar with Active Directory forests, please see our previous video, Forest
and Trees. Before I get started with forest functional
levels, let’s have a quick look at an example of two forests to understand how the forest
levels work. On the left side you can see IT Free Training
with two child domains, sales and marketing. When working with networks that have been
around since the NT days, you may see separate domains that make no sense. In the NT days
there were limits on how many users could be in a domain. With the early days of Windows
Server 2000, there were limits on how many users could be in certain groups. Also, if
you wanted to configure different password requirements, you could only do it on the
domain level. What does all this mean? Well, it means that
when you are working on a production network, the number of domains and the layout of the
domains may not make sense. When you consider what can be done with a Windows Domain now
compared with 10 years ago, it makes sense that extra domains may have needed to be
created in the past. If you also take into account company restructures, acquisitions,
and mergers, the number of domains and the design of the network may not always make
sense. In this example, the IT Free Training domain
is at the Windows Server 2008 R2 domain functional level since IT Free training likes to be at
the forefront of technology. The sales domain is at the Windows Server 2008 domain functional
level. The marketing domain is at Windows Server 2003 domain functional level.
There is also another forest called high cost training with one domain. They did not put
the money into upgrading their technology so they are still at domain functional level
of Windows 2000. So now you have two forests. Both forests are currently at Windows Server
2000 forest functional level. The point to remember with forests is that
the higher the forest level, the more features you will have. In order to raise your forest
level, all domain functional levels must be at that level or higher. In other words, the
level to which you can raise your forest level will be determined by the lowest domain functional
level in your forest. This may sound a little confusing right now, so let’s have a look
at the features of each forest level and come back to this example shortly.
The first forest level that I want to look at is Windows Server 2000 forest level. This
forest level gives basic Active Directory functionality. In order to have this level,
all of your domains in your forest must be Windows Server 2000 native or above. In other
words, you can’t have any NT 4 domain controllers. The next forest functional level is Windows
Server 2003. In order to raise your forest level to Windows Server 2003, all your domains
in your forest must be domain functional level Windows Server 2003, which means that all
of your domain controllers must be Windows Server 2003 or above. Remember that the forest
and domain functional levels do not affect which clients can join your domain.
Once you raise your forest level, you gain additional features. The first feature gained
by having Windows Server 2003 forest functional level is the forest trust feature. A forest
trust allows you to share resources between two forests easily. If I go back to my example,
let’s say I want to put a forest trust between high cost training and IT Free Training. In
order to do this, I would first need to raise the forest level of both forests to Windows
Server 2003. Currently in the IT Free training forest,
the lowest domain functional level is Windows Server 2003. In order to raise the forest
level to Windows Server 2003, all I need to do is raise the forest level to Windows Server
2003. No more work needs to be done because all of the domains are already Windows Server
2003 domain functional level or higher. On the high cost training forest I have a
Windows Server 2000 native domain and a Windows Server 2000 forest. In order to raise the
forest level to Windows Server 2003 I need to first raise the domain level to Windows
Server 2003. To do this, I first need to upgrade all the domain controllers in the high cost
training domain to Windows Server 2003. Once this is done, I can raise the domain functional
level to Windows Server 2003. Now that all the domain functional levels in the high cost
training forest are Windows Server 2003, I can raise the forest functional level to Windows
Server 2003. Now that both forests are at the Windows Server
2003 forest functional level, I can put in place a forest trust between the two forests.
The forest trust allows easy resource sharing between the two forests. This is the first
feature of the Windows Server 2003 forest level.
The second feature of the Windows Server 2003 forest level is that you can rename domains.
If your company decided to change its name you may also need to rename the domain. Before
attempting this, I would recommend doing your research on the effects of renaming a domain.
The third feature of the Windows Server 2003 forest level is linked value replication.
This applies to groups in Active Directory. Consider the group sales on two different
domain controllers separated by a wide area network.
Users are added to the group from both domain controllers. Later on a replication occurs.
Before linked value replication, Windows would use a last write wins policy. Basically this
means that whoever updated the record last would be considered the newest and thus correct
record. You can see in this example that two users who were added to the group have been
lost when the replication occurred. Linked value replication in comparison replicates
only the changes in group membership. In this example the users that have been added to
the group are replicated. This is a much better system because it means the groups are more
accurate and there is less network traffic because only the changes are replicated, not
the entire group. The fourth feature of the Windows Server 2003
forest level is an improved Knowledge Consistency Checker. I will cover this in more detail
later in the course, but for the present you need to know that the job of the Knowledge
Consistency Checker or KCC is to create the links that allow replication between multiple
sites over WAN links to occur. The KCC in Windows Server 2003 has been improved so this means that
it is better at handling large Active Directory deployments over more sites.
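Going back to the linked value replication feature described above, here is an added example (not code from the video) that models what happens when two domain controllers each add members to the same group and then replicate. It simplifies membership to additions only and uses constructed replica data; `Merge-GroupMembership` is a hypothetical helper, not an Active Directory cmdlet.

```powershell
# Added example, not from the video: a model of how two domain controllers
# that each added members to the same group reconcile at replication time.
# Membership is simplified to additions only; real LVR also tracks removals.
function Merge-GroupMembership {
    param(
        [Parameter(Mandatory)][hashtable]$ReplicaA,   # @{ Members = @(...); Updated = [datetime] }
        [Parameter(Mandatory)][hashtable]$ReplicaB,
        [Parameter(Mandatory)][ValidateSet('LastWriteWins', 'LinkedValue')][string]$Mode
    )
    if ($Mode -eq 'LastWriteWins') {
        # Pre-2003 behaviour: the whole member attribute replicates as one value,
        # so the replica with the newer timestamp overwrites the other outright.
        $winner = if ($ReplicaA.Updated -gt $ReplicaB.Updated) { $ReplicaA } else { $ReplicaB }
        return @($winner.Members)
    }
    # Linked value replication: each membership link replicates on its own,
    # so additions made on both replicas survive (order is not significant).
    return @(($ReplicaA.Members + $ReplicaB.Members) | Sort-Object -Unique)
}

# Constructed sample: both DCs start from the same group (Alice, Bob). Sydney adds
# Carol and Dave, London adds Erin a few minutes later, then replication runs.
$dcSydney = @{ Members = @('Alice', 'Bob', 'Carol', 'Dave'); Updated = Get-Date '2012-01-01 09:00' }
$dcLondon = @{ Members = @('Alice', 'Bob', 'Erin');          Updated = Get-Date '2012-01-01 09:05' }

foreach ($mode in 'LastWriteWins', 'LinkedValue') {
    $members = Merge-GroupMembership -ReplicaA $dcSydney -ReplicaB $dcLondon -Mode $mode
    '{0,-14}: {1}' -f $mode, ($members -join ', ')
}
```

Under last write wins only London's newer list survives, so the two users added in Sydney drop out of the group; under linked value replication all five members are present, which is exactly the difference the video describes.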
The fifth feature is called Dynamic Auxiliary Class. This is basically the ability to create
an object in Active Directory that has a time to live value associated with it. This is
also referred to as dynamic entry. Having a dynamic entry means an application can store
an object in Active Directory and have it expire after a certain period of time, say,
after a day. Active Directory would then automatically remove the object after 1 day without the
application having to do anything. The sixth feature of the Windows Server 2003
forest level allows you to convert an INetOrgPerson object into a user object or do the reverse.
An INetOrgPerson object is used by 3rd party directory systems. This forest level allows
you to store the user password and other data for that user in the INetOrgPerson object.
To understand why you would do so, let’s consider a real world example. Let’s say
you have two directory systems, Active Directory and a 3rd party system. You want to migrate
from the 3rd party system to Active Directory. To do this, the user details are imported
from the 3rd party system into the INetOrgPerson object found in Active Directory. This allows
Active Directory to access this data. Once the 3rd party system has been retired you
want to take the information out of the INetOrgPerson object and store it in the user account in
Active Directory. Previously you could not do this. Now you
can copy all the data from the INetOrgPerson object into the user account in Active Directory,
including passwords. This saves the user from needing to have their password reset during
a migration or losing settings. You could also do the reverse. The user account details
could be copied from Active Directory into the INetOrgPerson object. This makes Active
Directory work a lot better in companies that have two directory systems.
The seventh feature of the Windows Server 2003 forest level is that it supports Windows
Server 2008 read only domain controllers. This is a new feature of Windows Server 2008
that I will cover in a later video. This feature allows you to deploy a domain controller with
a read only copy of the Active Directory database. This is usually done where there is a concern
for physical security of the domain controller. If the domain controller were to be compromised
or stolen, having a read only copy of the database reduces the amount of damage an attacker
could do. The last feature of the Windows Server 2003
forest level is the ability to deactivate and redefine attributes and classes in the
schema. Previously when you created a new attribute or class in the schema you were
stuck with it. There is still no delete key for the Active Directory schema but if you
do make a mistake you can deactivate it. You can also redefine objects which allow you
in some cases to change a mistake into something more useful. Even with this feature you should
be careful when making changes to the schema. That’s a lot of features for the Windows
Server 2003 forest level. Are you ready for all the features of the Windows Server 2008
forest level? Once you have raised all your domain functional levels to Windows Server
2008, you can raise your forest level to Windows Server 2008. The new features of Windows Server
2008 forest functional level are… nothing. That’s right, absolutely nothing new.
Raising your forest functional level to Windows Server 2008 gives you no new features. The
only thing that it does is stop domain controllers lower than Windows Server 2008 from being
added to the forest. It also ensures that all new domains are created at the Windows
Server 2008 domain functional level. The last forest functional level is Windows
Server 2008 R2. Once you have raised all your domain functional levels to Windows Server
2008 R2 you can raise your forest functional level to Windows Server 2008 R2. How many
new features do you get for doing this? Wait for it… one.
Even though there is only one feature, it is the one feature which we have been waiting
on for a very long time. The Active Directory recycle bin allows you to restore Active Directory
objects that have been deleted. Previously you would have had to boot the domain controller
into Active Directory Recovery Mode and perform an authoritative restore in order to recover a
deleted object. This is not the most straightforward or easy process.
With the Active Directory recycle bin you can recover objects without having to reboot
the server. This makes it a lot easier to recover user accounts that have been deleted
by accident. OK, now let’s go back to the example and have a look at upgrading the
domain and forest functional levels one last time.
Let’s consider that we want to upgrade all forest levels to Windows Server 2008 R2. To
upgrade high cost training is quite easy. All we need to do is upgrade all the domain
controllers in the domain to Windows Server 2008 R2. Once done, the domain functional
level is raised to Windows Server 2008 R2. Once that is done we raise the forest functional
level to Windows Server 2008 R2. Easy. The IT Free training forest is a little bit
more difficult. In order to upgrade the forest functional level you need to ensure that all
domains are first at Windows Server 2008 R2 domain functional level. Once you have done
this you can upgrade the forest to Windows Server 2008 R2. If one domain is not at the
Windows Server 2008 R2 domain functional level, it will prevent you from raising the functional
level of the forest. I won’t go into too much detail here about
forest design. The 70-647 course covers forest design in a lot of detail. In this case, have
a look at the domains and see if they can be reduced.
The sales domain was created because they needed more complex password policies than
the parent domain. The Windows Server 2008 domain functional level supports multiple
password policies. So what can happen here is that the sales domain can be migrated into the
root domain IT Free Training and simply made into an OU.
In the case of the marketing domain, this was created because a particular person who
used to work at IT Free training wanted his own network. In other words, it was done more
for political reasons than for business need. For this reason, you would merge this domain
with IT Free Training, making it its own OU because that person does not work for IT Free
Training any more. Now we have two forests with one domain per
forest. When looking at raising forest functional levels, consider the reasons why you have
so many domains in the first place. Merging domains together is often cheaper than upgrading
all of your domain controllers to a particular operating system.
To finish, I will now change to my Windows Server 2008 computer and look at how to raise
the forest functional level. From the start menu, run Active Directory
Domains and Trusts from administrative tools. From here you want to right click the forest
name at the top and select the option raise forest functional level. At the top the current
forest functional level is indicated as Windows Server 2003. To raise the forest functional
level, simply select the forest level you want to raise it to and then press the raise
button. Windows will give you a warning reminding
you that the change cannot be reversed and will affect all the domains in the forest.
Once I press OK the forest level will be raised.
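The same check and raise done from PowerShell instead of Active Directory Domains and Trusts, as an added example that is not part of the video. It applies the rule from earlier in the video (the lowest domain functional level caps the forest level) and assumes the Active Directory module from Windows Server 2008 R2 or later, with Enterprise Admins rights for the raise itself; the `$rank` table only covers the levels the video discusses.

```powershell
# Added example, not from the video: find the lowest domain functional level in
# the forest (that level is the highest the forest can be raised to), list the
# domain controllers in each domain, and raise the forest level if possible.
# Assumes the Active Directory module (Windows Server 2008 R2 or later) and
# Enterprise Admins rights for the raise itself.
Import-Module ActiveDirectory

# Ranking of the levels covered in the video; anything else stops the script.
$rank = @{ Windows2000 = 0; Windows2003 = 1; Windows2008 = 2; Windows2008R2 = 3 }

$forest = Get-ADForest
$domainLevels = foreach ($dns in $forest.Domains) {
    $level = (Get-ADDomain -Identity $dns).DomainMode.ToString() -replace 'Domain$', ''
    if (-not $rank.ContainsKey($level)) { throw "Domain $dns is at $level, which this example does not rank" }
    # A domain level can only be raised once every DC in it runs that OS or newer.
    $dcs = Get-ADDomainController -Filter * -Server $dns
    [pscustomobject]@{
        Domain = $dns
        Level  = $level
        Rank   = $rank[$level]
        DCs    = ($dcs | ForEach-Object { "$($_.HostName) [$($_.OperatingSystem)]" }) -join '; '
    }
}
$domainLevels | Sort-Object Rank | Format-Table Domain, Level, DCs -AutoSize

$lowest  = $domainLevels | Sort-Object Rank | Select-Object -First 1
$current = $forest.ForestMode.ToString() -replace 'Forest$', ''
"Current forest level: $current"
"Highest level the forest can be raised to: $($lowest.Level) (limited by $($lowest.Domain))"

if ($rank[$lowest.Level] -gt $rank[$current]) {
    # -WhatIf previews the change; remove it to actually raise the level.
    # Like the GUI, this is one-way and affects every domain in the forest.
    Set-ADForestMode -Identity $forest -ForestMode "$($lowest.Level)Forest" -WhatIf
} else {
    "Forest is already at the highest level its domains allow; raise the $($lowest.Domain) domain level first."
}
```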
That’s it for forest functional levels. In the next video I will look at upgrading
to Active Directory. In some cases, you may be running Windows Server 2000 or Windows
Server 2003 and want to start using Windows Server 2008 or Windows Server 2008 R2 Domain
controllers. This video will show what you need to do before you can start using these
domain controllers. Once again, thanks for watching another free video in this completely
free course for Active Directory.