Active Directory Cookbook for Windows Server 2003 - Part 4


2.11.4 See Also

Chapter 14 of Active Directory, Second Edition for upgrading to Windows Server 2003, and Recipe 2.10 for running adprep

Recipe 2.12 Checking Whether a Windows 2000 Domain Controller Can Be Upgraded to Windows Server 2003

2.12.1 Problem

You want to determine if a domain controller is ready to be upgraded to Windows Server 2003.

2.12.2 Solution

Insert a Windows Server 2003 CD into the Windows 2000 domain controller or map a drive to the files contained on the CD. Run the following command from the \i386 directory:

> winnt32 /checkupgradeonly

2.12.3 Discussion

The /checkupgradeonly switch simulates the initial steps for upgrading a server to Windows Server 2003. It verifies, among other things, that adprep has completed and that any installed applications are compatible with the new operating system.

2.12.4 See Also

Recipe 2.11 for determining if adprep has completed and MS KB 331161 (List of Fixes to Use on Windows 2000 Domain Controllers Before You Run the Adprep/Forestprep Command)

Recipe 2.13 Raising the Functional Level of a Windows Server 2003 Domain

2.13.1 Problem

You want to raise the functional level of a Windows Server 2003 domain. You should raise the functional level of a domain as soon as possible after installing a new Windows Server 2003 domain or upgrading from Windows 2000 to take advantage of the new features and enhancements.

2.13.2 Solution

2.13.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, browse to the domain you want to raise, right-click it, and select Raise Domain Functional Level.
3. Select the new functional level and click OK. After a few seconds you should see a message stating whether the operation was successful.
2.13.2.2 Using a command-line interface

To retrieve the current functional level, use the following command:

> dsquery * <DomainDN> -scope base -attr msDS-Behavior-Version

Or you can use the enumprop command found in the Windows 2000 Resource Kit.

> enumprop /ATTR:msDS-Behavior-Version "LDAP://<DomainDN>"

To change the functional level to Windows Server 2003, create an LDIF file called raise_domain_func_level.ldf with the following contents:

dn: <DomainDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-

Next, run the ldifde command to import the change.

> ldifde -i -f raise_domain_func_level.ldf

2.13.2.3 Using VBScript

' This code changes the functional level of the specified domain to
' the Windows Server 2003 domain functional level
' SCRIPT CONFIGURATION
strDomain = "<DomainDNSName>"   ' e.g. amer.rallencorp.com
' END CONFIGURATION
set objDomain = GetObject("LDAP://" & strDomain)
objDomain.GetInfo
if objDomain.Get("msDS-Behavior-Version") <> 2 then
   Wscript.Echo "Changing domain to Windows Server 2003 functional level . . . "
   objDomain.Put "msDS-Behavior-Version", 2
   objDomain.SetInfo
else
   Wscript.Echo "Domain already at Windows Server 2003 functional level"
end if

2.13.3 Discussion

In Windows Server 2003 Active Directory, functional levels have replaced the domain mode that was used in Windows 2000 to signify what operating systems are allowed to run on the domain controllers in the domain. With Windows Server 2003, there are functional levels for both domains and forests, whereas with Windows 2000 the domain mode only applied to domains.

The msDS-Behavior-Version attribute of the domainDNS object (e.g., dc=amer,dc=rallencorp,dc=com) holds the current domain functional level. Table 2-4 shows the three functional levels, their associated msDS-Behavior-Version value, and the operating systems that can be used on domain controllers in each.

Table 2-4. Windows Server 2003 domain functional levels

Functional level               msDS-Behavior-Version   Valid operating systems
Windows 2000                   0                       Windows 2000, Windows NT (when in mixed mode), Windows Server 2003
Windows Server 2003 Interim    1                       Windows NT 4.0, Windows Server 2003
Windows Server 2003            2                       Windows Server 2003

When a domain is at the Windows 2000 functional level, the domain can be in mixed mode or native mode, as described in Recipe 2.9. Various new features of Windows Server 2003 Active Directory are enabled with each domain functional level. See Chapter 1 of Active Directory, Second Edition (O'Reilly) for more details.

The value contained in msDS-Behavior-Version is mirrored in the domainFunctionality attribute of the RootDSE. That means you can perform anonymous queries against the RootDSE of a domain to quickly determine what functional level it is currently at.

One of the benefits of the GUI solution is that if a problem is encountered, you can save and view the output log, which will contain information on any errors that were encountered.

2.13.4 See Also

Chapter 1 of Active Directory, Second Edition, Recipe 2.9 for changing domain mode, Recipe 2.10 for preparing a forest with adprep, Recipe 2.14 for raising the functional level of a forest, and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003)

Recipe 2.14 Raising the Functional Level of a Windows Server 2003 Forest

2.14.1 Problem

You want to raise the functional level of a Windows Server 2003 forest. You should raise the functional level of a forest as soon as possible after installing a new Windows Server 2003 forest or upgrading from a Windows 2000 forest to take advantage of the new features and enhancements.

2.14.2 Solution

2.14.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click on Active Directory Domains and Trusts and select Raise Forest Functional Level.
3. Select Windows Server 2003 Functional Level and click OK. After a few seconds you should see a message stating whether the operation was successful.

2.14.2.2 Using a command-line interface

To retrieve the current forest functional level, use the following command:

> dsquery * <ForestRootDN> -scope base -attr msDS-Behavior-Version

Or you can use the enumprop command found in the Windows 2000 Resource Kit.

> enumprop /ATTR:msDS-Behavior-Version "LDAP://<ForestRootDN>"

To change the functional level to Windows Server 2003, create an LDIF file called raise_forest_func_level.ldf with the following contents:

dn: cn=partitions,cn=configuration,<ForestRootDN>
changetype: modify
replace: msDS-Behavior-Version
msDS-Behavior-Version: 2
-

Next, run the ldifde command to import the change.

> ldifde -i -f raise_forest_func_level.ldf

2.14.2.3 Using VBScript

' This code changes the functional level of the forest the
' user running the script is logged into to Windows Server 2003.
set objRootDSE = GetObject("LDAP://RootDSE")
set objDomain = GetObject("LDAP://cn=partitions," & _
                          objRootDSE.Get("configurationNamingContext") )
if objDomain.Get("msDS-Behavior-Version") <> 2 then
   Wscript.Echo "Attempting to change forest to " & _
                "Windows Server 2003 functional level . . . "
   objDomain.Put "msDS-Behavior-Version", 2
   objDomain.SetInfo
else
   Wscript.Echo "Forest already at Windows Server 2003 functional level"
end if

2.14.3 Discussion

Windows Server 2003 forest functional levels are very similar to domain functional levels. In fact, Table 2-4 applies to forest functional levels as well, except that the list of available operating systems applies to all domain controllers in the forest, not just a single domain. So even if just one of the domains in the forest is at the Windows 2000 domain functional level, you cannot raise the forest above the Windows 2000 forest functional level. If you attempt to do so you will receive an error that the operation cannot be completed.
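The following PowerShell script is an added example and is not code from the cookbook. It performs the read-only half of Recipes 2.13 and 2.14: it reads domainFunctionality and forestFunctionality from the RootDSE (the mirrored copies of msDS-Behavior-Version described above), then binds to every domain in the forest through System.DirectoryServices.ActiveDirectory and lists any domain still below the target level, which is exactly the condition that makes a forest raise fail. It assumes PowerShell 3 or later on a domain-joined machine; the function names Get-LevelName and Get-FunctionalLevelReport, and the TargetForestLevel parameter, are my own.

```powershell
# Added example, not from the Active Directory Cookbook. Read-only: it reports
# functional levels and never writes msDS-Behavior-Version.

# Table 2-4 values. Newer levels exist on later operating systems; they are
# reported by number so the script still runs there.
$LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 Interim'
    2 = 'Windows Server 2003'
}

function Get-LevelName([int]$Level) {
    if ($LevelNames.ContainsKey($Level)) { $LevelNames[$Level] }
    else { "level $Level (newer than Table 2-4)" }
}

function Get-FunctionalLevelReport {
    # TargetForestLevel is an assumed parameter: 2 = Windows Server 2003.
    param([int]$TargetForestLevel = 2)

    # RootDSE mirrors the domain's and the Partitions container's
    # msDS-Behavior-Version, so no distinguished names are needed here.
    $rootDse     = [ADSI]'LDAP://RootDSE'
    $domainLevel = [int]$rootDse.Properties['domainFunctionality'].Value
    $forestLevel = [int]$rootDse.Properties['forestFunctionality'].Value

    # A single domain below the target blocks the forest raise (Recipe 2.14
    # Discussion), so check every domain, not just the one we are logged into.
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $blocking = foreach ($d in $forest.Domains) {
        $entry = $d.GetDirectoryEntry()
        # A Windows 2000 domain that has not been through adprep may lack the
        # attribute entirely; [int]$null is 0, which is the Windows 2000 level.
        $level = [int]$entry.Properties['msDS-Behavior-Version'].Value
        if ($level -lt $TargetForestLevel) {
            [pscustomobject]@{ Domain = $d.Name; Level = (Get-LevelName $level) }
        }
    }
    $blocking = @($blocking)

    [pscustomobject]@{
        Domain            = $rootDse.Properties['defaultNamingContext'].Value
        DomainLevel       = Get-LevelName $domainLevel
        Forest            = $forest.Name
        ForestLevel       = Get-LevelName $forestLevel
        ForestCanBeRaised = ($blocking.Count -eq 0 -and $forestLevel -lt $TargetForestLevel)
        BlockingDomains   = $blocking
    }
}

$report = Get-FunctionalLevelReport
$report | Format-List Domain, DomainLevel, Forest, ForestLevel, ForestCanBeRaised
if ($report.BlockingDomains.Count -gt 0) {
    Write-Warning 'Raise these domains first (Recipe 2.13) before raising the forest:'
    $report.BlockingDomains | Format-Table -AutoSize
}
```

Because the report comes from RootDSE and from each domain's own domainDNS object rather than from the GUI, it can be run from any domain member before the change window, and the BlockingDomains list tells you which Recipe 2.13 raises are still outstanding.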
After you raise the last Windows 2000 domain functional level to Windows Server 2003, you can then raise the forest functional level as well.

You may be wondering why there is a need to differentiate between forest and domain functional levels. The primary reason is new features. Some new features of Windows Server 2003 Active Directory require that all domain controllers in the forest are running Windows Server 2003. To ensure all domain controllers are running a certain operating system throughout a forest, Microsoft had to apply the functional level concept to forests as well as domains. For more information on the new features that are available with each functional level, see Chapter 1 of Active Directory, Second Edition (O'Reilly).

The forest functional level is stored in the msDS-Behavior-Version attribute of the Partitions container in the Configuration NC. For example, in the rallencorp.com forest, it would be stored in cn=partitions,cn=configuration,dc=rallencorp,dc=com. The value contained in msDS-Behavior-Version is mirrored to the forestFunctionality attribute of the RootDSE, which means you can find the functional level of the forest by querying the RootDSE.

One of the benefits of the GUI solution is that if a problem is encountered, you can save and view the output log, which will contain information on any errors that were encountered.

2.14.4 See Also

Chapter 1 of Active Directory, Second Edition, Recipe 2.9 for changing domain mode, Recipe 2.10 for preparing a forest with adprep, Recipe 2.13 for raising the functional level of a domain, and MS KB 322692 (HOW TO: Raise the Domain Functional Level in Windows Server 2003)

Recipe 2.15 Creating a Trust Between a Windows NT Domain and an AD Domain

2.15.1 Problem

You want to create a one-way or two-way nontransitive trust from an AD domain to a Windows NT domain.

2.15.2 Solution

2.15.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the NetBIOS name of the NT domain and click Next.
7. Assuming the NT domain was resolvable via its NetBIOS name, the next screen will ask for the Direction of Trust. Select Two-way, One-way incoming, or One-way outgoing, and click Next.
8. If you selected Two-way or One-way Outgoing, you'll need to select the scope of authentication, which can be either Domain-wide or Selective, and click Next.
9. Enter and re-type the trust password and click Next.
10. Click Next twice to finish.

2.15.2.2 Using a command-line interface

> netdom trust <NT4DomainName> /Domain:<ADDomainName> /ADD[RETURN]
  [/UserD:<ADDomainName>\<ADUser> /PasswordD:*][RETURN]
  [/UserO:<NT4DomainName>\<NT4User> /PasswordO:*][RETURN]
  [/TWOWAY]

For example, to create a trust from the NT4 domain RALLENCORP_NT4 to the AD domain RALLENCORP, use the following command:

> netdom trust RALLENCORP_NT4 /Domain:RALLENCORP /ADD[RETURN]
  /UserD:RALLENCORP\administrator /PasswordD:*[RETURN]
  /UserO:RALLENCORP_NT4\administrator /PasswordO:*

You can make the trust bidirectional, i.e., two-way, by adding a /TwoWay switch to the example.

2.15.3 Discussion

It is common when migrating from a Windows NT environment to Active Directory to set up trusts to down-level master account domains or resource domains. This allows AD users to access resources in the NT domains without providing alternate credentials. Windows NT does not support transitive trusts and, therefore, your only option is to create a nontransitive trust. That means you'll need to set up individual trusts between the NT domain and every Active Directory domain that contains users that need to access the NT resources.
2.15.4 See Also

MS KB 306733 (HOW TO: Create a Trust Between a Windows 2000 Domain and a Windows NT 4.0 Domain), MS KB 308195 (HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows 2000), MS KB 309682 (HOW TO: Set up a One-Way Non-Transitive Trust in Windows 2000), MS KB 325874 (HOW TO: Establish Trusts with a Windows NT-Based Domain in Windows Server 2003), and MS KB 816301 (HOW TO: Create an External Trust in Windows Server 2003)

Recipe 2.16 Creating a Transitive Trust Between Two AD Forests

This recipe requires the Windows Server 2003 forest functional level in both forests.

2.16.1 Problem

You want to create a transitive trust between two AD forests. This causes the domains in both forests to trust each other without the need for additional trusts.

2.16.2 Solution

2.16.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the forest root domain and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the DNS name of the AD forest and click Next.
7. Select Forest trust and click Next.
8. Complete the wizard by stepping through the rest of the configuration screens.

2.16.2.2 Using a command-line interface

> netdom trust <Forest1DNSName> /Domain:<Forest2DNSName> /Twoway /Transitive /ADD[RETURN]
  [/UserD:<Forest2AdminUser> /PasswordD:*][RETURN]
  [/UserO:<Forest1AdminUser> /PasswordO:*]

For example, to create a two-way forest trust from the AD forest rallencorp.com to the AD forest othercorp.com, use the following command:

> netdom trust rallencorp.com /Domain:othercorp.com /Twoway /Transitive /ADD[RETURN]
  /UserD:administrator@othercorp.com /PasswordD:*[RETURN]
  /UserO:administrator@rallencorp.com /PasswordO:*

2.16.3 Discussion

A new type of trust called a forest trust was introduced in Windows Server 2003.
Under Windows 2000, if you wanted to create a fully trusted environment between two forests, you would have to set up individual external two-way trusts between every domain in both forests. If you have two forests with three domains each and wanted to set up a fully trusted model, you would need nine individual trusts. Figure 2-4 illustrates how this would look.

Figure 2-4. Trusts necessary for two Windows 2000 forests to trust each other

With a forest trust, you can define a single one-way or two-way transitive trust relationship that extends to all the domains in both forests. You may want to implement a forest trust if you merge or acquire a company and you want all of the new company's Active Directory resources to be accessible for users in your Active Directory environment and vice versa. Figure 2-5 shows a forest trust scenario.

To create a forest trust, you need to use accounts from the Enterprise Admins group in each forest.

Figure 2-5. Trust necessary for two Windows Server 2003 forests to trust each other

Recipe 2.17 Creating a Shortcut Trust Between Two AD Domains

2.17.1 Problem

You want to create a shortcut trust between two AD domains in the same forest or in different forests. Shortcut trusts can make the authentication process more efficient between two domains in a forest.

2.17.2 Solution

2.17.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for, and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the DNS name of the AD domain and click Next.
7. Assuming the AD domain was resolvable via DNS, the next screen will ask for the Direction of Trust. Select Two-way and click Next.
8. For the Outgoing Trust Properties, select all resources to be authenticated and click Next.
9. Enter and retype the trust password and click Next.
10. Click Next twice.
2.17.2.2 Using a command-line interface

> netdom trust <Domain1DNSName> /Domain:<Domain2DNSName> /Twoway /ADD[RETURN]
  [/UserD:<Domain2AdminUser> /PasswordD:*][RETURN]
  [/UserO:<Domain1AdminUser> /PasswordO:*]

To create a shortcut trust from the emea.rallencorp.com domain to the apac.rallencorp.com domain, use the following netdom command:

> netdom trust emea.rallencorp.com /Domain:apac.rallencorp.com /Twoway /ADD[RETURN]
  /UserD:administrator@apac.rallencorp.com /PasswordD:*[RETURN]
  /UserO:administrator@emea.rallencorp.com /PasswordO:*

2.17.3 Discussion

Consider the forest in Figure 2-6. It has five domains in a single domain tree. In order for authentication requests for Domain 3 to be processed by Domain 5, the request must traverse the path from Domain 3 to Domain 2 to Domain 1 to Domain 4 to Domain 5. If you create a shortcut trust between Domain 3 and Domain 5, the authentication path is just a single hop from Domain 3 to Domain 5.

To create a shortcut trust, you must be a member of the Domain Admins group in both domains, or a member of the Enterprise Admins group.

Figure 2-6. Shortcut trust

Recipe 2.18 Creating a Trust to a Kerberos Realm

2.18.1 Problem

You want to create a trust to a Kerberos realm.

2.18.2 Solution

2.18.2.1 Using a graphical user interface

1. Open the Active Directory Domains and Trusts snap-in.
2. In the left pane, right-click the domain you want to add a trust for and select Properties.
3. Click on the Trusts tab.
4. Click the New Trust button.
5. After the New Trust Wizard opens, click Next.
6. Type the name of the Kerberos realm.
7. Select the radio button beside Realm Trust and click Next.
8. Select either Transitive or Nontransitive and click Next.
9. Select Two-way, One-way incoming, or One-way outgoing and click Next.
10. Enter and retype the trust password and click Next.
11. Click Next and click Finish.
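The following PowerShell script is an added example and is not code from the cookbook. It reviews the outcome of Recipes 2.15 through 2.18 from the defender's side: every trust created by the wizard or by netdom is stored as a trustedDomain object in the domain's System container, and the script reads those objects with Get-ADObject and decodes trustDirection, trustType and trustAttributes with the bit values documented in MS-ADTS, so the direction, transitivity and selective-authentication choices made in the wizard can be audited after the fact. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and PowerShell 3 or later; the function names and the recipe labels in the Kind column are my own.

```powershell
# Added example, not from the Active Directory Cookbook. Read-only audit of the
# trusts held by the current domain. Bit values below are from MS-ADTS.

# trustDirection values
$Direction = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Two-way' }
# trustType values
$Type = @{ 1 = 'Downlevel (Windows NT)'; 2 = 'Uplevel (AD)'; 3 = 'Kerberos realm (MIT)'; 4 = 'DCE' }
# trustAttributes flags
$Attr = @{
    NonTransitive    = 0x1
    UplevelOnly      = 0x2
    SidFiltering     = 0x4    # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
    ForestTransitive = 0x8
    SelectiveAuth    = 0x10   # TRUST_ATTRIBUTE_CROSS_ORGANIZATION
    WithinForest     = 0x20
    TreatAsExternal  = 0x40
}

function ConvertFrom-TrustAttributes {
    # Return the names of the flags set in a trustAttributes value.
    param([int]$Value)
    @($Attr.Keys | Where-Object { ($Value -band $Attr[$_]) -ne 0 } | Sort-Object)
}

function Get-TrustReport {
    # trustedDomain objects live under CN=System in the domain partition.
    $systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
    $trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -SearchBase $systemDn `
        -Properties trustPartner, trustDirection, trustType, trustAttributes

    foreach ($t in $trusts) {
        $flags = ConvertFrom-TrustAttributes $t.trustAttributes
        # Map the raw flags back to the recipe that creates that kind of trust.
        $kind = if ($flags -contains 'WithinForest') { 'Shortcut trust (Recipe 2.17)' }
                elseif ($flags -contains 'ForestTransitive') { 'Forest trust (Recipe 2.16)' }
                elseif ([int]$t.trustType -eq 3) { 'Realm trust (Recipe 2.18)' }
                else { 'External trust (Recipe 2.15)' }
        [pscustomobject]@{
            Partner       = $t.trustPartner
            Direction     = $Direction[[int]$t.trustDirection]
            Type          = $Type[[int]$t.trustType]
            Kind          = $kind
            Transitive    = -not ($flags -contains 'NonTransitive')
            SelectiveAuth = ($flags -contains 'SelectiveAuth')
            SidFiltering  = ($flags -contains 'SidFiltering')
            Flags         = ($flags -join ',')
        }
    }
}

$report = @(Get-TrustReport)
$report | Format-Table Partner, Direction, Type, Kind, Transitive, SelectiveAuth, SidFiltering -AutoSize

# Trusts that leave the forest and authenticate domain-wide deserve a second
# look: selective authentication (Recipe 2.15, step 8) limits what accounts
# from the trusted side can reach, and SID filtering should stay on for them.
$report |
    Where-Object { $_.Kind -notlike 'Shortcut*' -and -not $_.SelectiveAuth } |
    ForEach-Object { Write-Warning "$($_.Partner): $($_.Kind) without selective authentication" }
```

The same information is available through Get-ADTrust, but decoding the raw attributes shows exactly which wizard choice produced each bit: the Direction page sets trustDirection, Realm Trust sets trustType 3, Transitive/Nontransitive toggles 0x1, and the Selective scope of authentication sets 0x10.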

Posted: 05/07/2014, 08:20
