Like domain functional levels, the forest functional level determines which additional features in Active Directory will be available. In order to raise your forest functional level, all domains in the forest must be at the corresponding level or higher. This video looks at the features that are available at each forest level and how to raise the forest level.
Raise forest functional demo 16:04
When looking at an existing network with multiple domains, consider that these domains may originally have been put in place due to limitations in Active Directory. Previously, Active Directory was not able to support more than one password policy per domain, and, even though they were quite high, there were some limits to how many users could be put into certain groups. These limits may have meant that more domains were created than would be required nowadays. When raising your domain and forest functional level, consider whether any domains can be combined. Doing so will reduce the complexity of your network and make it easier to support.
Forest Level
Listed below are all the different forest levels and the features that each forest level adds. Remember that to raise the functional level of your forest, all domains in that forest must be at that level or higher. In other words, the level to which you can raise the forest is determined by the domain in the forest with the lowest domain functional level.
Windows 2000 native
Basic Active Directory features
Windows Server 2003
Forest Trust: Allows a trust relationship between two forests. A forest trust allows resources to be shared between the forests.
Rename Domains: This allows you to change a domain name.
Link Value Replication: This means that only changes to group membership are replicated. Without link value replication, if a group is changed in two locations at once, the record with the newest time stamp is used, replacing all other records, and thus all changes in those records are lost. Using link value replication also reduces the amount of data that is sent over the network during replication.
Improved Knowledge Consistency Checker (KCC): The KCC is responsible for creating replication links between sites. With this forest functional level the KCC is improved, particularly when working with large deployments.
Dynamic Auxiliary Class: Allows Active Directory objects to be created and have an expiry time added to the object.
Convert INetOrgPerson to user: Allows an INetOrgPerson object to be converted to a user object and the reverse. The INetOrgPerson object is used when importing or exporting users from Active Directory to another 3rd party directory system. Being able to convert a user object in Active Directory to an INetOrgPerson object makes the process of exporting and importing users with Active Directory a lot easier.
Windows Server 2008 RODC: This forest level is required if you want to start using Windows Server 2008 Read Only Domain Controllers in Active Directory.
Deactivation of attributes: Once you make a change to the schema of Active Directory it can't be deleted. Deactivation allows you to deactivate attributes in the schema that are no longer required.
Windows Server 2008
No new features are added to Active Directory with this forest functional level.
Windows Server 2008 R2
Active Directory Recycle Bin: Allows deleted objects in Active Directory to be restored.
Raising the Forest Functional Level
To raise a forest functional level, run Active Directory Domains and Trusts from Administrative Tools on the Start menu. Right-click the root of the tree and select Raise Forest Functional Level. From the dialog box, select the forest functional level that you want and press Raise. Remember that the process can't be reversed once done, and there may be a delay while replication occurs before the changes take effect.
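The same change can be checked and made from PowerShell. The following is an added example, not part of the original video notes: a pre-flight check that lists every domain's functional level, finds any domain that would block the raise, and only then previews the change. It uses the ActiveDirectory module cmdlets Get-ADForest, Get-ADDomain and Set-ADForestMode; the target level and the helper Get-LevelRank are assumptions made for illustration.

```powershell
Import-Module ActiveDirectory

# Assumption: the level you intend to raise the forest to.
$TargetForestMode = 'Windows2008R2Forest'

# Levels covered on this page, lowest first, without the Domain/Forest suffix.
$order = 'Windows2000', 'Windows2003Interim', 'Windows2003', 'Windows2008', 'Windows2008R2'

# Hypothetical helper: map a mode name to its position in $order.
function Get-LevelRank([string]$Mode) {
    $rank = [array]::IndexOf($order, ($Mode -replace '(Domain|Forest)$', ''))
    if ($rank -lt 0) { throw "Level '$Mode' is not in the list this script knows." }
    $rank
}

$forest = Get-ADForest
$targetRank = Get-LevelRank $TargetForestMode

# Collect the functional level of every domain in the forest.
$report = foreach ($name in $forest.Domains) {
    $domain = Get-ADDomain -Identity $name -Server $name
    New-Object PSObject -Property @{
        Domain     = $name
        DomainMode = $domain.DomainMode
        Rank       = Get-LevelRank $domain.DomainMode
    }
}
$report | Sort-Object Rank | Format-Table Domain, DomainMode -AutoSize

# The lowest domain level decides how far the forest can be raised.
$blocking = @($report | Where-Object { $_.Rank -lt $targetRank })
if ($blocking.Count -gt 0) {
    $names = ($blocking | ForEach-Object { $_.Domain }) -join ', '
    Write-Warning "Cannot raise forest to $TargetForestMode; raise these domains first: $names"
}
elseif ((Get-LevelRank $forest.ForestMode) -ge $targetRank) {
    Write-Output "Forest is already at $($forest.ForestMode); nothing to do."
}
else {
    # The raise cannot be reversed, so preview it. Remove -WhatIf to apply.
    Set-ADForestMode -Identity $forest.Name -ForestMode $TargetForestMode -WhatIf
}
```

Run it from a machine with the Active Directory module installed, using an account with rights to change the forest level.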
See http://itfreetraining.com or http://youtube.com/ITFreeTraining for our always free training videos. This is only one video of the completely free course for the 70-640 exam available for free on YouTube.
I have a Windows 2008 server running Active Directory (Domain functional level is 2003) the only domain controller on the network.
Now, I want to add a new Server running Windows 2008 R2 as the backup domain controller.
How can I get this done or what is the best way to handle this project?
christianrevival 1 month ago
@christianrevival Certainly can. Just add the Windows Server 2008 R2 domain controller like you would a Windows Server 2008 domain controller. We have a video in the next 24 hours coming out on this subject. I will post it here as a video response for you to look at.
itfreetraining 1 month ago
@itfreetraining So, the process should be
1. Join the Windows Server 2008 R2 to the existing domain
2. Run dcpromo
3. select join an existing domain
christianrevival 1 month ago
@christianrevival That is correct. Regardless of whether you have Windows Server 2008 or Windows Server 2008 R2 the procedure is the same. There are no changes that are required to Active Directory either before you add a Windows Server 2008 R2 DC. Different story however if you had a Windows Server 2003 DC.
itfreetraining 1 month ago
@itfreetraining We made a mistake with this one. Before you install an additional Windows Server 2008 R2 domain controller you need to run the following.
run ADPrep /ForestPrep (On the DC holding the schema operational master role)
run ADPrep /DomainPrep (On the DC holding the infrastructure operational master role)
Once this is done you can add a Windows Server 2008 R2 domain controller to a Windows Server 2008 network.
itfreetraining 1 month ago
Another great Video! Thank you very much. I am sitting and (hopefully) passing the 70-640 exam this year and I find these videos very easy to follow along with to improve my understanding! Keep up the good work!
Schmylie1 1 month ago
@Schmylie1 Thanks for the comment. Glad you like the video. More to come.
itfreetraining 1 month ago