
Preparing for a forest level trust in Windows Server 2003

A forest level trust relationship, which is unique to Windows Server 2003, allows two entire forests to share resources and allows selected users to access select resources. Here's what you need to know about getting your system ready for a forest level trust relationship.

Windows Server 2003 Active Directory implementations allow administrators to create relationships between domains and even between forests.

A forest level trust relationship allows two entire forests to share resources while still letting administrators choose which users can reach which resources. A partnership between two organizations is one situation in which such a trust can be of considerable value.

Let's suppose that two companies, Cogswell Cogs and Spacely Sprockets, join forces to create a partnership. The contracts are in place and things are moving along, but sharing documents and designs becomes increasingly difficult due to some red tape between these longtime competitors. To make it easier to access resources, Cogswell Cogs' network administrator suggests a network partnership to facilitate collaboration. A forest level trust would allow users at Cogswell Cogs and Spacely Sprockets to access each other's resources simply by logging on to their own domain, subject to the permissions granted on each resource.

Before creating a forest level trust, you must take care of the following prerequisite items:

  1. Ensure both forests, Cogswell Cogs and Spacely Sprockets, are operating at the Windows Server 2003 forest functional level.
  2. Make sure each forest can resolve the other forest's DNS (Domain Name System) namespace. Either configure a DNS root server that is authoritative for both forests' namespaces, or configure a forwarder (in Windows Server 2003, a conditional forwarder for the partner forest's name) on the DNS servers of each forest, which remain authoritative for their own forest. The dependency runs one way: DNS forwarding works without any trust, but a forest level trust cannot be created or used without name resolution, because clients and domain controllers in one forest must be able to locate the domain controllers of the other. A client's query goes to a DNS server in its own forest, and that server forwards it to the partner forest's DNS servers.

To raise a forest to the Windows Server 2003 forest functional level, every domain controller in every domain of the forest must be running Windows Server 2003, and every domain must already be at the Windows 2000 native domain functional level or higher. When the forest is raised, each domain in it is automatically raised to the Windows Server 2003 domain functional level, which enables additional Active Directory features. Keep in mind that raising a functional level is a one-way operation: it cannot be rolled back, and no Windows NT 4.0 or Windows 2000 domain controller can be added to the forest afterward.

To raise the forest functional level, complete the following steps:

  1. Open the Active Directory Domains And Trusts snap-in from Administrative Tools.
  2. Right-click the Active Directory Domains And Trusts node at the top of the console tree.
  3. Choose Raise Forest Functional Level. If any domain is not at least at the Windows 2000 native domain functional level, you will not be able to raise the functional level of the forest. If all domains are at the correct level and you are ready to proceed, click Raise.
  4. In the Raise Forest Functional Level message box, click OK.

You can view the forest functional level by right-clicking the Active Directory Domains And Trusts node and selecting View Current Functional Level.
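The two prerequisites above and the functional-level checks in this procedure can be verified from one script before you start the New Trust Wizard. The following is an added example written for this edit, not code from the column or from Microsoft. It assumes PowerShell 2.0 on a Windows Server 2003 host joined to the Cogswell Cogs forest, run as a member of Enterprise Admins, and uses the .NET 2.0 System.DirectoryServices.ActiveDirectory classes rather than the later ActiveDirectory module. The partner forest name (spacely.example) and the DNS server address in the comment are placeholders.

```powershell
# Added example (not from the original column): pre-flight check for a
# Windows Server 2003 forest trust. Assumes PowerShell 2.0, .NET 2.0 and
# Enterprise Admins rights in the local forest. $PartnerForest is a placeholder
# for the other forest's DNS name (Spacely Sprockets in the column).
param(
    [string]$PartnerForest = "spacely.example"
)

Add-Type -AssemblyName System.DirectoryServices
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$problems = @()

# Prerequisite 1: the local forest must be at the Windows Server 2003 forest
# functional level. The ForestMode enum is ordered (Windows2000Forest <
# Windows2003InterimForest < Windows2003Forest), so a numeric compare is safe.
Write-Host ("Forest {0}: forest functional level = {1}" -f $forest.Name, $forest.ForestMode)
if ([int]$forest.ForestMode -lt [int][System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest) {
    $problems += "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2003"
}

# What blocks raising the forest level: a domain still in Windows 2000 mixed
# mode, or a domain controller not yet running Windows Server 2003.
foreach ($domain in $forest.Domains) {
    Write-Host ("  Domain {0}: domain functional level = {1}" -f $domain.Name, $domain.DomainMode)
    if ([int]$domain.DomainMode -lt [int][System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000NativeDomain) {
        $problems += "Domain $($domain.Name) is in Windows 2000 mixed mode; raise it to Windows 2000 native first"
    }
    foreach ($dc in $domain.DomainControllers) {
        Write-Host ("    DC {0}: {1}" -f $dc.Name, $dc.OSVersion)
        if ($dc.OSVersion -match "Windows 2000|Windows NT") {
            $problems += "DC $($dc.Name) runs $($dc.OSVersion); upgrade or demote it before raising the forest level"
        }
    }
}

# Prerequisite 2: name resolution into the partner forest. The New Trust Wizard
# and later cross-forest logons locate the partner's domain controllers through
# the _ldap._tcp.dc._msdcs.<forest> SRV records, so that exact name is tested.
# nslookup is used because Resolve-DnsName does not exist on Windows Server 2003.
$srv    = "_ldap._tcp.dc._msdcs.$PartnerForest"
$answer = & nslookup -type=SRV $srv 2>&1 | Out-String
if ($answer -match "svr hostname") {
    Write-Host "DNS OK: $srv resolves to a domain controller in $PartnerForest"
} else {
    # Windows Server 2003 syntax for a conditional forwarder on the local DNS
    # server (partner DNS address is a placeholder):
    #   dnscmd /ZoneAdd <partner forest> /Forwarder 192.0.2.53
    $problems += "DNS: $srv does not resolve from this forest; add a conditional forwarder, stub zone or secondary zone for $PartnerForest"
}

# Once the trust exists, confirm its direction and that SID filtering (on by
# default for a new forest trust) is still enabled; with it off, SIDs from this
# forest could be presented through the trust from the partner side.
try {
    $trust = $forest.GetTrustRelationship($PartnerForest)
    Write-Host ("Trust {0} -> {1}: type {2}, direction {3}" -f $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection)
    if (-not $forest.GetSidFilteringStatus($PartnerForest)) {
        $problems += "SID filtering is disabled on the trust with $PartnerForest; re-enable it unless there is a documented reason not to"
    }
} catch {
    Write-Host "No forest trust with $PartnerForest exists yet (expected before the wizard has been run)"
}

if ($problems.Count -eq 0) {
    Write-Host "Ready: all checked prerequisites for a forest trust with $PartnerForest are met."
} else {
    Write-Host "Fix the following before running the New Trust Wizard:"
    $problems | ForEach-Object { Write-Host " - $_" }
}
```

Run the script in both forests, each pointed at the other, because a two-way forest trust needs name resolution in both directions. Run it again after the wizard completes so the last check reports the trust's direction and confirms SID filtering is still on.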

Next week, I will walk through the DNS configuration that a Windows Server 2003 forest level trust depends on. From there, I will create the forest level trust relationship and get Spacely and Cogswell one step closer to working well together.


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.
