Lesson 1: Configuring domains and forests

As an experienced administrator you're probably fairly familiar with the configuration of single-domain Active Directory forests. In this lesson, you find out more about multidomain and multiforest environments. You discover how to upgrade an existing domain and forest so that it uses only Windows Server 2012 R2 domain controllers, and you find out how to configure UPN suffixes.


After this lesson, you will be able to:

- Understand multidomain Active Directory environments
- Understand multiforest Active Directory environments
- Upgrade existing domains and forests
- Configure multiple user principal name (UPN) suffixes

Estimated lesson time: 45 minutes

Multidomain Active Directory environments

The majority of existing Active Directory deployments in small-sized and medium-sized enterprises have a single domain. This hasn't always been the case, because earlier versions of the Windows Server operating system, such as Windows NT 4.0, supported far fewer accounts. Supporting a smaller number of accounts often required the use of multiple domains, and it wasn't unusual to see medium-sized organizations that used complicated domain structures.

Each Windows Server 2012 and Windows Server 2012 R2 domain controller can create approximately 2.15 billion objects during its lifetime, and each domain supports the creation of up to approximately 2.15 billion relative identifiers (RIDs). Given this, however, few administrators implement multiple-domain forests because they need to support a large number of users. Of course, in extremely large organizations the replication load between sites can make a domain with several hundred thousand user accounts problematic, but site and replication considerations are covered in Chapter 2, "Active Directory Sites and Replication."

There are many reasons why organizations implement multidomain forests. These can include but are not limited to:

- Historical domain structure: Even though more recent versions of the Windows Server operating system handle large numbers of objects more efficiently, some organizations have retained the forest structure that was established when the organization first adopted Active Directory.
- Organizational or political reasons: Some organizations are conglomerates, and they might be made up of separate companies that share a common administrative and management core. An example of this is a university faculty in Europe or Australia, such as a Faculty of Science, that is made up of different departments or schools, such as the school of physics and the department of botany. For political or organizational reasons it might have been decided that each department or school should have its own domain that is a part of the overall faculty forest. Active Directory gives organizations the ability to create domain namespaces that meet their needs, even if those needs might not directly map to the most efficient way of accomplishing a goal from a strictly technical perspective.
- Security reasons: Domains enable you to create authentication and authorization boundaries. You can also use domains to partition administrative privileges so that you can have one set of administrators who are able to manage computers and users in their own domain, but who are not able to manage computers and users in a separate domain. Although it's possible to achieve a similar goal by delegating privileges, many organizations prefer to use separate domains to accomplish this goal.

Real World: Politics trumps technology

It is extremely important to understand that geeks often view technology as something entirely separate from business politics, with the most effective technical solution being the best, but everyone else doesn't necessarily share this perception. When I worked as a systems administrator at an Australian university, there was a common room in one building that held two different printers used by different departments, even though the departments were part of the same faculty. People in each department felt strongly that the printer should be labeled with a departmental identity on the network and that people from one department should, under no circumstances, be able to print to the printer owned by the other department. Although the machinations of interdepartmental politics are usually of little interest to the geeks in the information technology (IT) department, administrators who ignore unclearly defined boundaries do so at their own peril.

Domain trees

A domain tree is a set of names that share a common root domain name. For example, contoso.com can have pacific.contoso.com and atlantic.contoso.com as child domains, and these domains can have child domains themselves. A forest can have multiple domain trees. When you create a new tree in a forest, the root of the new tree is a child domain of the original root domain. In Figure 1-1, adatum.com is the root of a new domain tree in the contoso.com forest.


FIGURE 1-1 Contoso.com as the root domain in a two-tree forest

The depth of a domain tree is limited by a domain having a maximum fully qualified domain name (FQDN) length for a host of 64 characters.

Intraforest authentication

All domains within the same forest automatically trust one another. This means that in the environment shown in Figure 1-1, you can assign a user in the Australia.pacific.contoso.com domain permissions to a resource in the arctic.adatum.com domain without performing any additional configuration.

Because of the built-in automatic trust relationships, a single-forest implementation is not appropriate for separate organizations, even when they are in partnership with one another. A single forest makes it possible for one or more users to have administrative control. Many organizations aren't comfortable even with trusted partners having administrative control over their IT environments. When you do need to allow users from partner organizations to have access to resources, you can configure trust relationships or federation. You read more about trust relationships in Lesson 2 of this chapter and more about federation in Chapter 10, "Active Directory Federation Services."

Domain functional levels

Domain functional levels determine the Active Directory functionality and features that are available. The higher the domain functional level is, the more functionality and features are available.

You can use Windows Server 2012 domain controllers with the following domain functional levels:

- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012

You can use Windows Server 2012 R2 domain controllers with the following domain functional levels:

- Windows Server 2003
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2

The limiting factor on a domain functional level is the domain controllers used to host Active Directory. If your organization has Windows Server 2003 domain controllers, you aren't able to raise the functional level until you replace or upgrade those domain controllers to a more current version of the Windows Server operating system.

You can change the domain functional level using the Active Directory Users And Computers console, the Active Directory Domains And Trusts console as shown in Figure 1-2, or the Set-ADDomainMode Windows PowerShell cmdlet. Your account needs to be a member of the Domain Admins or Enterprise Admins groups to perform this procedure.


FIGURE 1-2 Raise or verify the domain functional level

Windows Server 2003 Functional Level

The Windows Server 2003 domain functional level is the lowest level at which you can introduce domain controllers running the Windows Server 2012 or Windows Server 2012 R2 operating system. You can set this functional level if you have domain controllers running the Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 operating systems. The Windows Server 2003 domain functional level includes the following features, which are also available at higher domain functional levels:

- The LastLogonTimestamp attribute records a user's last domain logon.
- Constrained delegation enables applications to securely delegate user credentials.
- Selective authentication allows you to configure specific resources in the forest so that only certain users and groups can authenticate. The default is to allow all users in the forest to authenticate before permissions to those resources are checked.
- Support for storing DNS zones in custom application partitions allows you to selectively replicate DNS zones to specific domain controllers that are enrolled in the custom partitions, rather than requiring that you configure replication to all domain controllers in the domain or the forest.
- Attribute-level replication for group and other multivalued attributes. Rather than replicating the whole Active Directory object, only changed attributes will be replicated.

Windows Server 2008 Functional Level

The Windows Server 2008 domain functional level requires that all domain controllers be running the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 operating systems. The Windows Server 2008 domain functional level includes all of the features available at the Windows Server 2003 functional level as well as the following:

- Improvements in Distributed File System (DFS) replication that make it possible for replication to occur more efficiently
- Support for fine-grained password policies, which allows you to apply multiple separate password policies within the same domain
- Support for personal virtual desktops through RemoteApp and Remote Desktop when used with Hyper-V
- AES (Advanced Encryption Standard) 128 and 256 Kerberos support

Windows Server 2008 R2 Functional Level

The Windows Server 2008 R2 domain functional level requires that all domain controllers are running the Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2 operating systems. This functional level supports the features of the Windows Server 2003 and Windows Server 2008 domain functional levels as well as:

- Managed service account support, which allows you to automatically manage service account passwords rather than managing them manually
- Support for the command-line-based Active Directory Recycle Bin if the forest functional level is raised to Windows Server 2008 R2

Windows Server 2012 Functional Level

The Windows Server 2012 domain functional level requires that all domain controllers be running the Windows Server 2012 or Windows Server 2012 R2 operating system. This functional level supports the features of all the lower functional levels as well as:

- Group Managed Service Accounts: Enables you to install a single managed service account on multiple computers.
- Fine-Grained Password Policies: Supports management through the Active Directory Administrative Center rather than by modifying them using ADSI Edit.
- Active Directory Recycle Bin: Supports management through the Active Directory Administrative Center rather than with command-line utilities if the forest is configured at the Windows Server 2012 forest functional level.
- Key Distribution Center (KDC): In addition to support for claims, compound authentication, and Kerberos armoring, the KDC can be set to always provide claims or to fail unarmored authentication requests; these settings aren't available unless the domain is raised to the Windows Server 2012 functional level.

Windows Server 2012 R2 Functional Level

The Windows Server 2012 R2 domain functional level requires that all domain controllers be running the Windows Server 2012 R2 operating system. This functional level supports the features of all the lower functional levels as well as:

- Domain controller side protection for Protected Users: Protected Users authenticating against a Windows Server 2012 R2 domain controller are not able to use NTLM authentication or the DES or RC4 cipher suites, cannot be delegated via constrained or unconstrained delegation, and cannot renew user tickets beyond the initial four-hour lifetime.
- Authentication policies: These are new forest-based policies, which you can apply to accounts in domains, that control the member computers that a user or service account can sign on from. These policies also allow you to apply access control conditions for authentication to services running as an account.
- Authentication policy silos: These silos allow you to create relationships between user, computer, and managed service accounts for the purposes of applying authentication policies or implementing authentication isolation.

Forest functional levels

A forest can host domains running at different domain functional levels. The forest functional level is dependent on the minimum domain functional level of any domain in your forest. For example, if your organization has one domain running at the Windows Server 2008 functional level and all other domains running at the Windows Server 2012 functional level, you can't raise the forest functional level beyond Windows Server 2008. After you raise that one domain from the Windows Server 2008 functional level to the Windows Server 2012 domain functional level, you're also able to raise the forest functional level to Windows Server 2012. When you raise the forest functional level, you limit the domain functional levels that can be added to the forest later. For example, if the forest functional level is set to Windows Server 2012 R2, all new domains added to the forest must also be set to the Windows Server 2012 R2 domain functional level. The Windows Server 2012 and Windows Server 2012 R2 forest functional levels don't introduce any new features beyond those that were available at the Windows Server 2008 R2 functional level. The Windows Server 2008 R2 functional level introduced the ability to implement the Active Directory Recycle Bin, but otherwise has the same features as the Windows Server 2003 and Windows Server 2008 forest functional levels.
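The two constraints described in this lesson (a domain's level is capped by its oldest domain controller, and the forest level by its lowest domain) can be checked before anyone clicks Raise in the console. The following PowerShell is an added example, not from the book; it assumes the RSAT ActiveDirectory module, and the Get-DcMaxLevel helper and its numeric level mapping are my own.

```powershell
# Added example (not from the book): audit a forest before raising functional
# levels. Assumes the RSAT ActiveDirectory module and read access to every
# domain; the Set-ADDomainMode call needs Domain Admins or Enterprise Admins.
Import-Module ActiveDirectory

# Highest domain functional level a DC's operating system can support,
# using the msDS-Behavior-Version numbering behind the ADDomainMode enum
# (2 = 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012, 6 = 2012 R2). Helper is mine.
function Get-DcMaxLevel([string]$OperatingSystem) {
    switch -Regex ($OperatingSystem) {
        '2012 R2' { return 6 }
        '2012'    { return 5 }
        '2008 R2' { return 4 }
        '2008'    { return 3 }
        '2003'    { return 2 }
        default   { return -1 }   # unknown or older OS: treat as a blocker
    }
}

$target = 6   # Windows Server 2012 R2 domain functional level
$forest = Get-ADForest
$domainLevels = @{}

foreach ($domainName in $forest.Domains) {
    $domain  = Get-ADDomain -Identity $domainName
    $current = [int]$domain.DomainMode
    $domainLevels[$domainName] = $current

    # The oldest DC in a domain caps how far that domain's level can be raised.
    $dcs = Get-ADDomainController -Filter * -Server $domainName
    $cap = ($dcs | ForEach-Object { Get-DcMaxLevel $_.OperatingSystem } |
            Measure-Object -Minimum).Minimum
    "{0}: domain level {1}, DCs allow up to {2}" -f $domainName, $current, $cap

    $dcs | Where-Object { (Get-DcMaxLevel $_.OperatingSystem) -lt $target } |
        ForEach-Object { "  replace or upgrade first: {0} ({1})" -f $_.HostName, $_.OperatingSystem }

    # Raise only when every DC supports the target; -WhatIf previews the change.
    if ($current -lt $target -and $cap -ge $target) {
        Set-ADDomainMode -Identity $domainName -DomainMode Windows2012R2Domain -WhatIf
    }
}

# The forest level can never exceed the lowest domain level in the forest.
$lowest = ($domainLevels.Values | Measure-Object -Minimum).Minimum
"Forest {0}: level {1}; lowest domain level {2} caps the forest level" -f `
    $forest.Name, [int]$forest.ForestMode, $lowest
```

Remove -WhatIf only after the report shows no blocking domain controllers; raising a level is not reversible through the console.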