
Preparing for a forest level trust in Windows Server 2003

A forest level trust relationship, which is unique to Windows Server 2003, allows two entire forests to share resources and allows selected users to access select resources. Here's what you need to know about getting your system ready for a forest level trust relationship.

Windows Server 2003 Active Directory implementations allow administrators to create relationships between domains and even between forests.

One situation in which a forest level trust can be of considerable value is a partnership between two organizations.

Let's suppose that two companies, Cogswell Cogs and Spacely Sprockets, join forces to create a partnership. The contracts are in place and things are moving along, but sharing documents and designs becomes increasingly difficult due to some red tape between these longtime competitors. To make it easier to access resources, Cogswell Cogs' network administrator suggests a network partnership to facilitate collaboration. A forest level trust would allow users at Cogswell Cogs and Spacely Sprockets to access each other's resources just by logging into their own domain.

Before creating a forest level trust, you must take care of the following prerequisite items:

  1. Ensure both forests, Cogswell Cogs and Spacely Sprockets, are operating at the Windows Server 2003 Active Directory functional level.
  2. Configure a Domain Name System (DNS) root server that is authoritative for the DNS servers of both forests involved in the partnership. Alternatively, you can create a DNS forwarder on each forest's DNS servers, as long as those servers are authoritative for the trusting forests. (Keep in mind that DNS forwarders do not depend on forest level trusts, but forest level trusts do depend on DNS forwarders, because systems in one forest must be able to resolve the names of resources in the other forest. They pass the request to a DNS server within their own forest/domain, and that server then forwards it to the DNS servers of the trusted forest.)

To raise a forest to the Windows Server 2003 functional level, all the domain controllers in the forest must be running Windows Server 2003. The domains contained within a forest raised to the Windows Server 2003 forest functional level are automatically elevated to the Windows Server 2003 domain functional level, which enables additional Active Directory features.

To raise the forest functional level, complete the following steps:

  1. Open the Active Directory Domains And Trusts snap-in from Administrative Tools.
  2. Right-click the Active Directory Domains And Trusts node in the Tree view.
  3. Choose Raise Forest Functional Level. If any domains are not configured to at least the Windows 2000 domain functional level, you will not be able to elevate the functional level of the forest. If all domains are on the correct level and you are ready to proceed, click Raise.
  4. In the Raise Forest Functional Level message box, click OK.

You can view the forest functional level by right-clicking the Active Directory Domains And Trusts node and selecting View Current Functional Level.
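As an added example (not code from the original column), the two prerequisites and the functional-level check above can be scripted on a later Windows Server that has the ActiveDirectory and DnsServer PowerShell modules; on Windows Server 2003 itself the same work is done in the snap-in and with dnscmd. The forest names, the partner's DNS server addresses and the availability of those modules are assumptions.

```powershell
# Added example, not code from the original column. Assumes the ActiveDirectory
# and DnsServer modules (Windows Server 2008 R2 / 2012 and later); on Windows
# Server 2003 the same checks are done in the Domains And Trusts snap-in and dnscmd.
$LocalForest       = 'cogswell.example'               # assumption: this forest
$PartnerForest     = 'spacely.example'                # assumption: partner forest
$PartnerDnsServers = @('192.0.2.10', '192.0.2.11')    # assumption: partner DNS servers

Import-Module ActiveDirectory
Import-Module DnsServer

# Prerequisite 1: report each DC's OS, since every DC must run the OS that the
# target forest functional level requires before the level can be raised.
Get-ADDomainController -Filter * -Server $LocalForest |
    Select-Object HostName, Domain, OperatingSystem |
    Format-Table -AutoSize

# The raise also needs every domain at the required domain level; show the
# current modes first so nothing is changed blind.
$forest = Get-ADForest -Identity $LocalForest
foreach ($name in $forest.Domains) {
    $dom = Get-ADDomain -Identity $name
    '{0,-30} domain mode: {1}' -f $dom.DNSRoot, $dom.DomainMode
}
'{0,-30} forest mode: {1}' -f $forest.Name, $forest.ForestMode

# Raising the level is one-way (it cannot be lowered afterwards), so the cmdlet's
# own confirmation prompt is left in place rather than suppressed.
if ($forest.ForestMode -eq 'Windows2000Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2003Forest
}

# Prerequisite 2: a conditional forwarder so names in the partner forest resolve
# via the partner's own DNS servers. The partner configures the mirror image of
# this for our forest on their DNS servers.
if (-not (Get-DnsServerZone -Name $PartnerForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PartnerForest `
        -MasterServers $PartnerDnsServers -ReplicationScope 'Forest'
}

# Check that the partner forest's DC locator records now resolve from here; the
# trust wizard cannot complete if this SRV lookup does not return the partner's DCs.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$PartnerForest" -Type SRV |
    Where-Object QueryType -eq 'SRV' |
    Select-Object Name, NameTarget, Port
```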

Next week, I will explain the process of creating DNS configurations, which are necessary for the Windows Server 2003 forest functional level to work. From there, I will create a forest level trust relationship and get Spacely and Cogswell one step closer to working well together.


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

6 comments
Gangadhar_perala

Yes, the above-mentioned steps are fine. And how to migrate the users from one domain to another domain? (I used the ADMT tools) to migrate the users from the source domain; it is not accepting the source domain. And how to bridge more than two servers: 3 domain controllers, 1 is the main DC with Active Directory, 2 is SQL Server and Project Server, 3 is the SharePoint server. I made the forest-wide trust relation between these servers. I want this: if a user changes the password under any domain it should reflect to the next two servers. Kindly help me out (GANGADHAR) gangadhar_perala@hotmail.com

lhansfor

I have inherited a system that is of interest regarding this thread. There are 3 Server 2003 DCs, with the one running Exchange 2003 being the PDC and Infrastructure master. It is at the 2003 functional level, and all seems well, until I try to join another 2003 server to the domain. The AD wizard says that it cannot join the domain because the version isn't compatible with the Forest AD. Why? How is this corrected? I need to add 2 new 2003 servers to the domain, but have been unable to get the wizard to complete the server task.

cousintroy

I have no experience in true forest-to-forest trusts (aside from my study network at home), so wouldn't it be better from a bandwidth standpoint to have the pointers in each DNS server instead of having one DNS be authoritative for both forests? Considering it's more than likely that you will be creating this trust over a WAN? Great article, by the way... when I see these types of articles that help me understand things for both my certifications and real-world possibilities, I save them so I can come back and re-read them if I need to. So thanks!

tanstaafl99

Also, in my experience, all the DCs in either forest must be available to the member servers in the other forest. When you authenticate to a member server in forest A it will contact the DCs in forest B directly. Supposedly you can implement a federated trust to avoid this but I'm not entirely sure that the federated trust would be useful for anything beyond web authentication. If anyone knows better please feel free to jump right in...

Tom_geraghty

It should probably just be noted that raising the domain functional level is a one-way street. You can't subsequently lower the level back to mixed or lower. If you currently have only 2003 servers, but there's a chance that you may need to later integrate older servers (from a different organisation or something), then raising the functional level should be very carefully considered. In most cases though, that seems pretty unlikely.
