
Contents

Overview 1
Lesson: Creating a Forest and Domain Structure 2
Lesson: Examining and Configuring Active Directory Integrated DNS 22
Lesson: Raising Forest and Domain Functional Levels 38
Lesson: Creating Trust Relationships 44
Lesson: Securing Trusts by Using SID Filtering 57
Lab A: Implementing Active Directory 61

Module 2: Implementing an Active Directory Forest and Domain Structure


This course is based on the Release Candidate 2 version of Microsoft Windows Server 2003. All
labs in the course are to be completed with the Release Candidate 2 version of Windows Server 2003.
The components of this course are still in development. Content in the final release of the course may
be different from the content included in this prerelease version.



Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, MSDN, PowerPoint, Visio, and
Visual Basic are either registered trademarks or trademarks of Microsoft Corporation in the United
States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.


Module 2: Implementing an Active Directory Forest and Domain Structure 1


Overview

This module presents installation requirements for Active Directory directory
service and explains how to create a forest and domain structure by using the
Active Directory Installation Wizard. You will learn how to configure Domain
Name System (DNS) in an Active Directory environment, raise forest and
domain functional levels, create trust relationships, and secure trusts by using
SID filtering.
After completing this module, you will be able to:
- Create a forest and domain structure.
- Configure DNS in an Active Directory environment.
- Raise the functional level of a forest and a domain.
- Create trust relationships between domains.
- Secure trusts by using SID filtering.



Lesson: Creating a Forest and Domain Structure

This lesson provides you with the skills and knowledge necessary for creating a
forest and domain structure. You will learn how to verify that Active Directory
installed successfully, which common problems may arise during Active
Directory installation, and how to resolve those problems.
After completing this lesson, you will be able to:
- Identify the requirements for installing Active Directory.
- Describe the Active Directory installation process.
- Create a forest and domain structure.
- Add a replica domain controller to a domain.
- Rename a domain controller.
- Remove a domain controller from Active Directory.
- Verify an Active Directory installation.
- Troubleshoot an installation of Active Directory.



Requirements for Installing Active Directory

Before you install Active Directory, you must ensure that the computer that is
to be configured as a domain controller meets certain hardware and operating
system requirements. In addition, the domain controller must be able to access a
DNS server that meets certain requirements to support integration with Active
Directory.
The following list identifies the requirements for Active Directory installation:
- A computer running Microsoft Windows Server 2003, Standard Edition,
Enterprise Edition, or Datacenter Edition. Windows Server 2003, Web Edition
does not support Active Directory.
- A minimum of 250 megabytes (MB) of disk space: 200 MB for the Active
Directory database and 50 MB for the Active Directory database transaction
log files. File size requirements for the Active Directory database and log
files depend on the number and type of objects in the domain. Additional
disk space is required if the domain controller is also a global catalog server.
- A partition or volume that is formatted with the NTFS file system. This is
required for the SYSVOL folder.
- The necessary administrative privileges for creating a domain if you are
creating a domain in an existing Windows Server 2003 network.
- Transmission Control Protocol/Internet Protocol (TCP/IP) installed and
configured to use DNS.


- A DNS server that is authoritative for the DNS domain and supports the
following:
  - SRV resource records
SRV records are DNS records that are used to identify computers that
host specific services on a Windows Server 2003 network. For more
information about SRV records, see What Are SRV Records in this
module. The DNS server used to support Active Directory deployment
must support SRV resource records. If your DNS software does not
support SRV resource records, you must configure DNS locally during
the Active Directory installation process or configure DNS manually
after Active Directory is installed.
  - Dynamic updates
Microsoft highly recommends that DNS servers also support dynamic
updates. The dynamic update protocol enables servers and clients in a
DNS environment to add and modify records in the DNS database
automatically, thereby reducing administrative effort. If you are using
DNS software that supports SRV resource records but does not support
the dynamic update protocol, you must enter the SRV resource records
manually in the DNS database.
  - Incremental zone transfers
In an incremental zone transfer, changes made to a zone on a master
DNS server are replicated to the secondary DNS servers for that
zone. Incremental zone transfers are optional, but they are recommended
because they save network bandwidth. They do this by allowing only
new or modified resource records to be replicated between DNS servers,
instead of allowing the entire zone database file to be replicated.


Note: For more information about SRV resource records, dynamic updates,
and incremental zone transfers, see Windows 2000 DNS under Additional
Reading on the Web page on the Student Materials compact disc.



The Active Directory Installation Process

The Active Directory installation process is started by running the Active
Directory Installation Wizard. The installation process makes a number of
changes to the Windows Server 2003 server on which Active Directory is being
installed. Understanding these changes will help you troubleshoot problems that
may arise post-installation.
The installation process performs the following tasks:
- Starts the Kerberos version 5 authentication protocol, and sets the Local
Security Authority (LSA) policy to indicate that this server is a domain
controller.
- Creates Active Directory partitions.
A directory partition is a portion of the directory namespace. Each directory
partition contains a hierarchy or subtree of directory objects in the directory
tree. During installation, the schema directory partition, the configuration
directory partition, the domain directory partition, the forest DNS zone
partition, and the domain DNS zone partition are created on the first domain
controller in a forest and are updated through replication on each subsequent
domain controller that is created in the forest.
- Creates the forest root domain.
If the server is the first domain controller on the network, the installation
process creates the forest root domain. During the creation of the forest root
domain, operations master roles such as the primary domain controller
(PDC) emulator, relative identifier (RID) operations master, domain naming
master, schema master, and infrastructure master are assigned to the domain
controller.

Note: The operations master roles can be assigned to another domain
controller when replica domain controllers are added to the domain.


- Configures the membership of the domain controller in an appropriate site.
If the Internet Protocol (IP) address of the server being promoted to a
domain controller is within the range for a given subnet defined in Active
Directory, the wizard configures the membership of the domain controller in
the site associated with that subnet.
If no subnet objects are defined or if the IP address of the server is not
within the range of the subnet objects present in Active Directory, the server
is placed in the Default-First-Site-Name site. Default-First-Site-Name is the
first site that is set up automatically when you create the first domain
controller in a forest.
The Active Directory Installation Wizard creates a server object for the
domain controller in the appropriate site. The server object contains
information required for replication. The server object contains a reference
to the computer object in the Domain Controllers organizational unit that
represents the domain controller being created.

Note: If a server object for this domain controller already exists in the
Servers container in the site to which the domain controller is being added,
it is deleted and then recreated, because the wizard assumes that you are
performing a re-installation of Active Directory.

During the installation of Active Directory, security is enabled on the
directory service and the file replication folders to control the access to
Active Directory objects.
- Adds two new links to Group Policy security settings. These links are
Domain Security Policy and Domain Controller Security Policy.
- Creates the shared system volume folder.
The shared system volume is a folder structure that is hosted on all
Windows Server 2003 domain controllers, and contains the following:
  - The SYSVOL shared folder. This shared folder contains Group Policy
information.
  - The Net Logon shared folder. This shared folder contains logon scripts
for non-Windows Server 2003 family-based computers.
- Creates the Active Directory database and log files.
The default location for the database and log files is systemroot\Ntds.

Note: For best performance, place the database and log files on separate
hard disks. Installing the database and log files on separate hard disks
ensures that reads and writes to the database and log files are not competing
for input and output resources.

- Applies the user-provided password for the administrator account that is
used to start the domain controller in Directory Services Restore Mode.


How to Create Forest and Domain Structure

The Active Directory Installation Wizard is used to create a forest and domain
structure. When you install Active Directory for the first time in a network, you
create the forest root domain. After you have created the forest root domain, use
the wizard to create additional trees and child domains.
When you run the Active Directory Installation Wizard, you will be guided
through the installation process and prompted for information. The information
that you must provide when you install Active Directory varies according to the
options that you select.
To create the forest root domain, perform the following steps:
1. Click Start, click Run, and then type dcpromo as the name of the program.
The Active Directory Installation Wizard verifies the following:
  - That the user currently logged on is a member of the local
Administrators group.
  - That the computer is running an operating system that supports Active
Directory.
  - That a previous installation or removal of Active Directory has not
occurred without restarting the computer.
  - That an installation or removal of Active Directory is not currently in
progress.
If any of these four verifications fails, an error message appears and you exit
the wizard.
2. On the Welcome page, click Next.


3. On the Operating System Compatibility page, click Next.

Caution: The Operating System Compatibility page contains information
relating to compatibility with earlier Windows operating systems.
Windows Server 2003 implements a higher level of security than
Windows 2000 does. Windows 95 and Microsoft Windows NT Service
Pack 3 and earlier are not able to authenticate to a Windows Server 2003
domain controller. However, you can install the Active Directory client on
these operating systems to enable them to authenticate.

4. On the Domain Controller Type page, click Domain controller for a new
domain, and then click Next.
5. On the Create New Domain page, click Domain in a new forest, and then
click Next.
6. On the New Domain Name page, type the full DNS name for the new
domain, and then click Next.
7. On the NetBIOS Domain Name page, verify the NetBIOS name, and then
click Next.
The NetBIOS name is used to identify the domain to client computers
running earlier versions of Microsoft Windows and Microsoft Windows NT.
The NetBIOS domain name is generated from the DNS domain name. The
NetBIOS name is formed by taking up to the first 15 characters of the
leftmost label in the DNS domain name. The wizard verifies that the
NetBIOS domain name is unique and, if it is not, the user is prompted to
change the name.
8. On the Database and Log Folders page, specify the location in which you
want to install the database and log folders, and then click Next.
9. On the Shared System Volume page, type the location in which you want
to install the SYSVOL folder, or click Browse to choose a location, and
then click Next.
10. On the DNS Registration Diagnostics page, verify that an existing DNS
server will be authoritative for this forest or, if necessary, click Install
and configure the DNS server on this computer, and set this computer to use
this DNS server as its preferred DNS server, and then click Next.
11. On the Permissions page, specify whether to assign the default permissions
on user and group objects that are compatible with servers running earlier
versions of Windows and Windows NT, or only with servers running
Windows Server 2003.

Note: If the Permissions compatible with pre-Windows 2000 server
operating systems option is selected, the Everyone group is added to the
Pre-Windows 2000 Compatible Access group. This group has permissions
to read user and group information in Active Directory.



12. When prompted, specify the password for the directory services restore
mode.
Windows Server 2003 domain controllers maintain a small version of the
Windows NT 4.0 account database. The only account in this database is the
Administrator account and this account is required for authentication when
starting the computer in Directory Services Restore mode, as the Active
Directory directory service is not started in this mode.
13. Review the Summary page, and then click Next to begin the installation.
14. Restart the computer.

After you finish specifying the installation information, the Active Directory
Installation Wizard installs Active Directory and converts the computer to a
domain controller.
Creating a child domain

The procedure for creating a child domain by using the Active Directory
Installation Wizard is similar to that of creating the forest root domain. The
changes to the procedure are as follows:
- On the Create New Domain page, click Child domain in an existing
domain tree.
- On the Network Credentials page, type the user name, password, and user
domain of the user account you want to use for this operation. The user
account must be a member of the Enterprise Admins group.
- On the Child Domain Installation page, verify the parent domain, and then
type the new child domain name.

When you use the Active Directory Installation Wizard to create a child
domain, it contacts the domain naming master and requests the addition or
deletion. The domain naming master is responsible for ensuring that the domain
names are unique. If the domain naming master is unavailable, you cannot add
or remove domains.

Creating a tree

The procedure for creating a tree by using the Active Directory Installation
Wizard is similar to that of creating the forest root domain. The changes to the
procedure are as follows:
- On the Create New Domain page, click Domain tree in an existing forest.
- On the Network Credentials page, type the user name, password, and user
domain of the user account you want to use for this operation, and then click
Next. The user account must be a member of the Enterprise Admins group.
- On the New Domain Tree page, type the full DNS name for the new
domain.


How to Add a Replica Domain Controller

To enable fault tolerance in the event that a domain controller goes offline
unexpectedly, you must have a minimum of two domain controllers in a single
domain. Because all domain controllers in a domain replicate their domain-
specific data to one another, installing multiple domain controllers in the
domain automatically enables fault tolerance for the data stored in Active
Directory. If a domain controller fails, the remaining domain controllers will
provide authentication services and access to objects in Active Directory,
allowing the domain to operate as usual.
Before you begin the installation, you need to determine whether the initial
replication of Active Directory will be performed over the network from a
nearby domain controller or whether the initial replication will be performed
from a media backup.
Choose the network option if the replica domain controller will be installed:
- In a site where another domain controller exists.
- In a new site that is connected to an existing site by a high-speed network.

Choose the install from backup media option when you want to install the first
domain controller in a remote site for an existing domain.
To install a replica domain controller, perform the following steps:
1. Run dcpromo. To install an additional domain controller from restored
backup files, run dcpromo with the /adv option.
2. On the Domain Controller Type page, select Additional domain
controller for an existing domain.


If you have run the Active Directory Installation Wizard with the /adv
option, on the Copying Domain Information page, choose one of the
following options:
  - Over the network.
  - From these restored backup files, and specify the location of the restored
backup files.
When choosing the option to copy domain information from restored
backup files, you must first back up the system state data of a domain
controller running Windows Server 2003 from the domain in which this
member server will become an additional domain controller. Then, you
must restore locally the system state backup on the server on which you are
installing Active Directory. For more information about backing up and
restoring Active Directory, see Backing Up Active Directory and Restoring
Active Directory in Module 10, Maintaining Active Directory in Course
2279, Planning, Implementing, and Maintaining a Microsoft
Windows Server 2003 Active Directory Infrastructure.

Note: If a domain controller that was backed up contains an application
directory partition, the application directory partition will not be restored on
the new domain controller. If the domain controller from which you restored
the system state data was a global catalog server, you will have the option to
make this new domain controller a global catalog server.

3. Specify the network credentials, the location for the Active Directory files,
and the directory services restore mode administrator password.
a. On the Network Credentials page, type the user name, password, and
user domain of the user account you want to use for this operation.
The user account must be a member of the Domain Admins group for
the target domain.
b. On the Database and Log Folders page, type the location in which you
want to install the database and log folders, or click Browse to choose a
location.
c. On the Shared System Volume page, type the location in which you
want to install the SYSVOL folder, or click Browse to choose a
location.
d. On the Directory Services Restore Mode Administrator Password
page, type and confirm the password you want to assign to this server's
administrator account that will be used when the computer is started in
directory services restore mode, and then click Next.
e. Review the Summary page, and then click Next to begin the
installation.
4. Restart the computer.

When a new domain controller is added to a domain, replication occurs to
ensure consistency in Active Directory.


How to Rename a Domain Controller

Windows Server 2003 allows you to rename a domain controller after it has
been installed. To rename a domain controller, you must have Domain Admin
rights. When you rename a domain controller, the new domain controller name
must be added, and the old name must be removed from both the DNS and the
Active Directory database. The rename domain controller feature is only
available if the domain functional level is set to Windows Server 2003. For
information on how to raise the domain functional level, see Raising Forest and
Domain Functional Levels in this module.
To rename a domain controller, perform the following steps:
1. Open the System applet in Control Panel.
2. In the System Properties dialog box, on the Computer Name tab, click
Change.
3. Confirm that you want to rename the domain controller when prompted.
4. Enter the full computer name (including the primary DNS suffix), and then
click OK.


Renaming this domain controller may cause it to become temporarily
unavailable to users and computers.

Note: You can change the primary DNS suffix for a domain controller when
renaming the domain controller. However, this does not move the domain
controller to a new Active Directory domain. For example, if you rename the
server dc2.nwtraders.msft to dc1.contoso.msft, the computer will still be a
domain controller for the nwtraders.msft domain, even though its primary DNS
suffix is contoso.msft. To move a domain controller to another domain, you
must first demote the domain controller and then promote it to a domain
controller in the new domain.


How to Remove a Domain Controller from Active Directory

Windows Server 2003 allows you to remove a domain controller that is no
longer required or has been damaged by natural disaster. If the domain
controller is the last domain controller in its domain, removing the domain
controller will remove this domain from the forest. If this domain is the last
domain in the forest, removing the domain controller will delete the forest.
To remove a domain controller that is online and is no longer required, perform
the following steps:
1. Open the Active Directory Installation Wizard.
2. On the Remove Active Directory page, if this is the last domain controller
for the domain, select the This server is the last domain controller in the
domain check box, and then click Next.
The wizard will query Active Directory to determine whether there are other
replica domain controllers for this domain. If you had checked the box
indicating that it was the last replica domain controller and Active Directory
still contained another domain controller server object, or vice versa, the
wizard will not allow you to proceed.
If this domain controller is the last replica for one or more application
partitions, you will be prompted to confirm that you want to delete these
partitions.
3. On the Administrator Password page, in the New Administrator
Password and Confirm password boxes, type your new administrator
password, and then click Next.
4. On the Summary page, review the summary, and then click Next.



To remove a domain controller that is damaged and cannot be started from
Active Directory, restart the domain controller in directory services restore
mode, and run the ntdsutil command with the metadata cleanup option. To do
so, perform the following steps:
1. At the command prompt, type the following command, and then press
ENTER.
Ntdsutil: metadata cleanup

2. At the Metadata cleanup prompt, type the following command, and then
press ENTER.
Metadata cleanup: connections

3. At the Server connections prompt, type the following sequence of
commands to connect to a domain controller in the domain that contains the
damaged domain controller.
Server connections: connect to server <servername FQDN>
Server connections: quit

4. At the Metadata cleanup prompt, select the operations target by typing the
following command:
Metadata cleanup: select operations target

5. At the Select operations target prompt, type the following sequence of
commands to identify and select the damaged domain controller:
Select operations target: list sites
Select operations target: select site <number>
Select operations target: list servers in site
Select operations target: select server <number>
Select operations target: quit

6. At the Metadata cleanup prompt, type the following command to remove
the damaged domain controller from Active Directory:
Metadata cleanup: remove selected server
Metadata cleanup: quit



Important: When removing a domain controller that is a global catalog server,
you must ensure that another global catalog is available to users before
demoting it. Also, if the domain controller holds an operations master role, you
must transfer the operations master role to another domain controller before
removing it. For information about transferring the operations master role to
another domain controller, see Module 9, Managing Operations Masters in
Course 2279, Planning, Implementing, and Maintaining a Microsoft Windows
Server 2003 Active Directory Infrastructure.


How to Verify the Active Directory Installation

The Active Directory installation process creates a number of default objects in
the Active Directory database. In addition, it creates the shared system folder
and the database and log files. You must verify the installation of Active
Directory after the wizard completes the installation and the new domain
controller restarts.
Verifying the creation of SYSVOL and its shares

There are two steps involved in verifying SYSVOL. First, verify that the folder
structure was created, and second, verify that the necessary shared folders were
created. If the SYSVOL folder is not correctly created, data that is stored in the
SYSVOL folder, such as Group Policy and scripts, will not be replicated
between domain controllers.
To verify that the folder structure was created, perform the following steps:
1. Click Start, and then click Run.
2. In the Open box, type %systemroot%\sysvol, and then click OK.
Windows Explorer opens and displays the contents of the SYSVOL folder,
which should include the subfolders Domain, Staging, Staging areas, and
Sysvol.


To verify that the necessary shares have been created, perform the following
steps:
1. Open a command prompt window.
2. At the command prompt, type net share and then press ENTER.

In the list of shared folders on this computer, you should see the shared folders
listed in the following table.

Share name   Resource                                   Remark
NETLOGON     systemroot\SYSVOL\sysvol\domain\SCRIPTS    Logon server share
SYSVOL       systemroot\SYSVOL\sysvol                   Logon server share

Verifying the creation of the Active Directory database and log files

To verify that the Active Directory database and log files were created, perform
the following steps:
1. Click Start, and then click Run.
2. In the Open box, type %systemroot%\ntds and then click OK.

Windows Explorer opens and displays the contents of the Ntds folder, which
should include the following files:
- Ntds.dit. This is the directory database file.
- Edb.*. These are the transaction logs and the checkpoint files.
- Res*.log. These are the reserved log files.


Note: If you changed the location of the directory database and log files during
the installation, replace %systemroot% with the correct location.



Verifying the creation of the default Active Directory structure

During the installation of Active Directory on the first domain controller in a
new domain, several default objects are created. These objects include
containers, users, computers, groups, and organizational units.
View these default objects by using the Active Directory Users and Computers
administrative tool.
The following list describes the purpose of some of these default objects:
- Builtin (container). This is a container object that is used to hold the default
built-in security groups.
- Computers (container). This object is the default location for computer
accounts.
- Domain Controllers (organizational unit). This object is the default location
for domain controller computer accounts.
- ForeignSecurityPrincipals (container). This object is used to hold security
identifiers (SIDs) from external, trusted domains.
- Users (container). This object is the default location for user and group
accounts.
- LostAndFound (container). This is the default container for orphaned
objects.
- NTDS Quotas. Stores quota specifications. Quota objects determine the
number of directory objects that a security principal can own in Active
Directory.
- Program Data. The default location for storage of application data.
- System. Stores built-in system settings.

Examining the event logs for errors

After installing Active Directory, you should examine the event logs for any
errors that may have been encountered during the installation process. Error
messages generated during the installation are recorded in the System,
Directory Service, DNS Server, and File Replication Service logs.


How to Troubleshoot the Installation of Active Directory

When installing Active Directory, you may encounter problems. These
problems could result from improper security credentials, usage of names that
are not unique, an unreliable network, or insufficient resources.
The following is a list of some common problems that you may encounter while
installing Active Directory, and some strategies for resolving them:
- Access denied while creating or adding domain controllers.
The following are the possible solutions to this problem:
  - If you receive this message when creating the first domain controller in a
new forest, you are not logged on to the server with an account that
belongs to the Local Administrators group. Log off and then log on
using an account that belongs to the Local Administrators group.
  - If you receive this message when you are adding a domain controller to
an existing domain, you must supply credentials of a user account that is
a member of the Domain Admins group or the Enterprise Admins group.
- DNS or NetBIOS domain names are not unique.
When a domain is being created, both the DNS domain name and the
NetBIOS domain name must be unique. If you receive an error message
indicating that either one of the domain names is not unique, change the
domain name.


- Domain cannot be contacted.
If you are adding a domain controller to an existing domain, ensure that you
have network connectivity between the server being promoted to a domain
controller and at least one of the existing domain controllers in the domain.
Use the ping command from the command prompt to test connectivity with
any of the domain controllers in the domain.
The problem can also arise if DNS does not provide name resolution to at
least one domain controller in the domain. To verify this, try connecting to a
domain controller by using its DNS name. To do so:
  a. Open a command prompt.
  b. At the command prompt, type <Fully qualified domain name (FQDN) of
the domain controller>
If DNS is not configured correctly, you will not be able to connect to the
domain controller.
You can also check whether DNS has been configured properly by verifying
the A records registered by the domain controllers in the DNS database.
- Insufficient disk space.
Available disk space is less than the minimum required to install Active
Directory. Increase the partition size, or install the Active Directory database and
log files on separate partitions.



Practice: Creating a Child Domain

In this practice, you will install Active Directory and create a child domain
within the forest-root domain nwtraders.msft. After installing Active Directory,
you will verify the creation of the shared system volume folder, and the
database and log files.
Northwind Traders is opening offices at new locations, and new domains will
be created for each of these offices, within the nwtraders.msft domain.
To install Active Directory and create the child domain, perform the
following steps:
1. Log on to the Nwtraders domain as Administrator with a password of
P@ssw0rd.
2. Click Start, then Run, and then type dcpromo to start the Active Directory
Installation Wizard.
3. On the Welcome to the Active Directory Installation Wizard page, click
Next.
4. On the Operating System Compatibility page, click Next.
5. On the Domain Controller Type page, click Domain controller for a new
domain, and then click Next.
6. On the Create New Domain page, click Child domain in an existing
domain tree, and then click Next.
7. On the Network Credentials page, type the user name, password, and user
domain of the user account you want to use for this operation, and then click
Next.
The user account must be a member of the Enterprise Admins group.
8. On the Child Domain Installation page, verify that the parent domain is
nwtraders.msft, type the new child domain name, and then click Next.


9. On the NetBIOS Domain Name page, verify the NetBIOS name, and click
Next.
10. On the Database and Log Folders page, accept the default, and then click
Next.
11. On the Shared System Volume page, leave the location to install the
SYSVOL folder, and then click Next.
12. On the DNS Registration Diagnostics page, verify that the DNS
configuration settings are accurate, and then click Next.
13. On the Permissions page, select Permissions compatible only with
Windows 2000 or Windows .NET server operating systems, and then
click Next.
14. On the Directory Services Restore Mode Administrator Password page,
type and confirm the password that you want to assign to the Administrator
account for this server, and then click Next.
15. Review the Summary page, and then click Next to begin the installation,
then click Finish on the Active Directory Installation Wizard.
16. Restart the computer.

To verify that Active Directory has been installed correctly, perform the
following steps:
1. Ensure that SYSVOL has been properly created and shared.
2. Verify that the Active Directory database and log files have been created.



Lesson: Examining and Configuring Active Directory
Integrated DNS

Windows Server 2003 requires that a DNS infrastructure is in place or is
installed when you install Active Directory. Before you create domains, you
should understand how DNS and the Active Directory directory service are
integrated and how client computers use DNS during logon. You should also be
able to locate domain controllers and other services.
This lesson describes the format of SRV (service) resource records, the DNS
records that are registered by domain controllers, and how SRV records are
used to resolve resource providers. The lesson also covers how to configure the
priority and weight of SRV records. Understanding the working of DNS
integrated with Active Directory will help you resolve problems related to
DNS, such as client logon problems.
After completing this lesson, you will be able to:
- Describe the relationship between DNS and Active Directory.
- Explain the purpose of Active Directory-integrated zones.
- Describe the purpose of SRV records.
- Describe the SRV records that are registered by domain controllers.
- Examine the DNS records registered by a domain controller.
- Describe how client computers use DNS to locate domain controllers and
services.
- Configure SRV record priority and weight for a domain controller.



DNS and Active Directory Namespaces

DNS domains and Active Directory domains use identical domain names for
different namespaces. Using identical domain names enables computers in a
Windows Server 2003 network to use DNS to locate domain controllers and
other computers that provide Active Directory-related services.
Domains and computers are represented by resource records in the DNS
namespace, and by Active Directory objects in the Active Directory namespace.
The DNS host name for a computer is the same name as that used for the
computer account that is stored in Active Directory. The DNS domain name,
which is called the primary DNS suffix, is also the same as the name of the
Active Directory domain to which the computer is joined.
In other words, a computer is represented in the DNS namespace and the Active
Directory namespace by the same name. For example, a computer named
Computer1 that is joined to the Active Directory domain named
training.microsoft.msft has the following fully qualified domain name (FQDN):
computer1.training.microsoft.msft
The integration of DNS and Active Directory is essential because a client
computer in a Windows Server 2003 network must be able to locate a domain
controller to allow users to log on to a domain or to use the services provided
by Active Directory. To locate a domain controller, a computer uses DNS to
locate the IP address for a computer that provides the required service within
Active Directory.


What Are Active Directory-Integrated Zones?

One of the benefits of integrating DNS and Active Directory is the capability to
integrate DNS zones into the Active Directory database. A zone is a portion of
the domain namespace that has a logical grouping of resource records allowing
zone transfers of these records as a single unit.
Microsoft DNS servers store information that is used to resolve host names to
IP addresses and IP addresses to host names, in a database file with the
extension .dns, for each zone.
Active Directory integrated zones are primary and stub DNS zones that are
stored as objects in the Active Directory database. Zone objects can be stored in
an Active Directory application partition or in an Active Directory domain
partition. If zone objects are stored in an Active Directory application partition,
only domain controllers that subscribe to the application partition will
participate in the replication of this partition. However, if zone objects are
stored in an Active Directory domain partition, they will be replicated to all
domain controllers in the domain.


Active Directory-integrated zones offer the following benefits:
- Multi-master replication
In a standard zone storage model, DNS updates are conducted based upon a
single-master update model. In this model, a single authoritative DNS server
for a zone is designated as the primary source for the zone. This server
maintains the master copy of the zone in a local file. With this model, the
primary server for the zone represents a single fixed point of failure. If this
server is not available, update requests from DNS clients are not processed
for the zone.
When you configure Active Directory integrated zones, dynamic updates to
DNS are conducted based upon a multi-master update model.
In this model, any authoritative DNS server, such as a domain controller
running a DNS server, is designated as a primary source for the zone.
Because the master copy of the zone is maintained in the Active Directory
database, which is fully replicated to all domain controllers, the zone can be
updated by the DNS servers operating at any domain controller for the
domain.
With the multi-master update model of Active Directory, any of the primary
servers for the directory-integrated zone can process requests from DNS
clients to update the zone as long as a domain controller is available and
reachable on the network.
- Secure dynamic updates
Because DNS zones are Active Directory objects in Active Directory
integrated zones, you can set permissions on records within those zones to
control which computers can update their records. Therefore, updates that
use the dynamic update protocol can come from only authorized computers.
- Standard zone transfers
An Active Directory-integrated zone can still perform standard zone transfers
to DNS servers that are not configured as domain controllers and to DNS
servers that are in other domains. You must use standard zone transfers to
replicate the zones to DNS servers in other domains.


For more information about Active Directory-integrated zones and DNS
replication, see the What Are Active Directory-Integrated Zones topic in the
Module 2 section on the Appendices page on the Student Materials compact
disc.



What Are SRV Resource Records?

For Active Directory to function properly, client computers must be able to
locate servers that provide specific services such as authenticating logon
requests and searching for information in Active Directory. To achieve this,
Active Directory stores information about the location of the computers that
provide these services in DNS records known as SRV resource records.
SRV resource records link the name of a service to the DNS computer name for
the computer that offers that service. For example, an SRV record can contain
information to help clients locate a domain controller in a specific domain or
forest.
When a domain controller starts, it registers SRV records, which contain
information about the services it provides, and an A resource record that
contains its DNS computer name and its IP address. A DNS client later uses
this combined information to locate the requested service on the appropriate
domain controller.
All SRV records use a standard format, which consists of fields that contain the
information used to map a specific service to the computer that provides the
service. SRV records use the following format:
_Service._Protocol.Name ttl class SRV priority weight port target


The following list describes each field in an SRV record:

_Service: Specifies the name of the service, such as LDAP or Kerberos, provided
by the server that registers this SRV record.
_Protocol: Specifies the transport protocol type, such as TCP or User Datagram
Protocol (UDP).
Name: Specifies the domain name referenced by the resource record.
Ttl: Specifies the Time to Live (TTL) value in seconds, which is a standard
field in DNS resource records specifying the length of time for which a
record may be considered valid.
Class: Specifies the standard DNS resource record class value, which is
almost always IN for the Internet system. This is the only class
supported by Windows Server 2003 DNS.
Priority: Specifies the priority of the server. Clients attempt to contact the host
with the lowest priority value.
Weight: Denotes a load balancing mechanism that clients use when selecting a
target host. When the priority field is the same for two or more records
in the same domain, clients randomly choose SRV records, favoring those with higher
weights.
Port: Specifies the port where the server is listening for this service.
Target: Specifies the FQDN, which is also called the full computer name, of
the computer providing the service.

The following is an example of an SRV record of a computer:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft

The SRV record indicates that the computer:
- Provides the LDAP service
- Provides the LDAP service by using the TCP transport protocol
- Registers the SRV record in the contoso.msft DNS domain
- Has a time to live (TTL) of 600 seconds, or 10 minutes
- Has an FQDN of london.contoso.msft
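The record format above is simple enough to parse by hand, but a small parser makes the field meanings concrete and catches malformed records (wrong class, bad port, owner name not of the form _Service._Protocol.Name). The following is an added example, not code from the course or from Microsoft; the second and third records in SAMPLE_ZONE are constructed to sit beside the lesson's london.contoso.msft record.

```python
"""Parse SRV resource records written in the zone-file form shown above.

Added example (not from the course or from Microsoft). The contoso.msft
records other than the london one are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    service: str    # e.g. "ldap" (leading underscore stripped)
    protocol: str   # e.g. "tcp" or "udp"
    name: str       # domain the record belongs to
    ttl: int        # seconds the record may be cached
    rr_class: str   # "IN"; the only class Windows Server 2003 DNS supports
    priority: int   # clients try the lowest value first
    weight: int     # share among records with equal priority
    port: int       # port the service listens on
    target: str     # FQDN of the host offering the service


# owner name must look like _service._protocol.name
OWNER_RE = re.compile(r"^_(?P<service>[^.]+)\._(?P<protocol>[^.]+)\.(?P<name>.+)$")


def parse_srv(line: str) -> SrvRecord:
    """Parse one whitespace-separated SRV record line; raise ValueError if malformed."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    owner, ttl, rr_class, rtype, priority, weight, port, target = fields
    if rtype.upper() != "SRV":
        raise ValueError(f"not an SRV record: {rtype}")
    if rr_class.upper() != "IN":
        raise ValueError(f"unsupported class {rr_class}; Windows DNS supports only IN")
    m = OWNER_RE.match(owner)
    if not m:
        raise ValueError(f"owner name is not _service._protocol.name: {owner}")
    port_n = int(port)
    if not 0 < port_n <= 65535:
        raise ValueError(f"port out of range: {port_n}")
    return SrvRecord(
        service=m["service"],
        protocol=m["protocol"],
        name=m["name"].rstrip("."),
        ttl=int(ttl),
        rr_class=rr_class.upper(),
        priority=int(priority),
        weight=int(weight),
        port=port_n,
        target=target.rstrip("."),
    )


def describe(rec: SrvRecord) -> str:
    """Render a record the way the lesson reads the london.contoso.msft example."""
    return (f"{rec.target} provides {rec.service.upper()} over {rec.protocol.upper()} "
            f"on port {rec.port} for the {rec.name} domain; priority {rec.priority}, "
            f"weight {rec.weight}, TTL {rec.ttl} s")


# The lesson's example record plus two constructed records in the same zone.
SAMPLE_ZONE = """\
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 paris.contoso.msft
_kerberos._tcp.contoso.msft 600 IN SRV 0 100 88 london.contoso.msft
"""


def parse_zone(text: str) -> list[SrvRecord]:
    """Parse every non-empty, non-comment line of a zone-file fragment."""
    return [parse_srv(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(describe(rec))
```

Records with a class other than IN are rejected rather than silently accepted, matching the table's note that IN is the only class Windows Server 2003 DNS supports.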



SRV Records Registered by Domain Controllers

SRV records are registered by computers that provide an Active Directory
service. In Windows Server 2003, domain controllers and global catalog servers
register services with DNS.
When a domain controller starts, the Net Logon service running on the domain
controller uses dynamic updates to register SRV resource records in the DNS
database. These SRV records map the name of the service provided by the
domain controller to the DNS computer name for that domain controller.
To enable a computer to locate a domain controller, domain controllers running
Windows Server 2003 register SRV records in the following format:
_Service._Protocol.DcType._msdcs.DnsDomainName or DnsForestName

The _msdcs component in these SRV records denotes a subdomain in the DNS
namespace that is specific to Microsoft, which allows computers to locate
domain controllers that have functions in the domain or forest that are specific
to Windows Server 2003.
The possible values for the DCType component, which is a prefix to the _msdcs
subdomain, specify the following server roles types:
- dc for a domain controller
- gc for a global catalog server



The presence of the _msdcs subdomain means that domain controllers running
Windows Server 2003 also register the following SRV records:
_ldap._tcp.dc._msdcs.DnsDomainName
_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
_ldap._tcp.gc._msdcs.DnsForestName
_ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
_kerberos._tcp.dc._msdcs.DnsDomainName
_kerberos._tcp.SiteName._sites.dc._msdcs.DnsDomainName

The following list gives some of the SRV records registered by domain
controllers and the lookup criteria that each record supports.

_ldap._tcp.DnsDomainName
Allows a computer to find an LDAP server in the domain named by
DnsDomainName. All domain controllers register this record.

_ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
Allows a computer to find a domain controller in the domain named by
DnsDomainName and in the site named by SiteName. Note that SiteName is the
relative distinguished name of the site object that is stored in Active
Directory. All domain controllers register this record.

_gc._tcp.DnsForestName
Allows a computer to find a global catalog server in the forest named by
DnsForestName. Note that DnsForestName is the domain name of the forest root
domain. Only domain controllers configured as global catalog servers register
this record.

_gc._tcp.SiteName._sites.DnsForestName
Allows a computer to find a global catalog server in the forest named by
DnsForestName and in the site named by SiteName. Only domain controllers
configured as global catalog servers register this record.

_kerberos._tcp.DnsDomainName
Allows a computer to locate a KDC server for the domain named by
DnsDomainName. All domain controllers running the Kerberos version 5 service
register this record.

_kerberos._tcp.SiteName._sites.DnsDomainName
Allows a computer to locate a KDC server for the domain named by
DnsDomainName and in the site named by SiteName. All domain controllers
running the Kerberos version 5 service register this record.



How to Examine the Records Registered by a Domain Controller

You can use either the DNS console or the NSLookup utility to view the SRV
records registered by domain controllers.
To view the SRV resource records registered by domain controllers by using the
DNS snap-in, perform the following steps:
1. Open DNS from the Administrative Tools menu.
2. Double-click Server (where Server is the name of your DNS server),
double-click Forward Lookup Zones, and then double-click domain
(where domain is the domain name).
3. Open the following folders in the domain folder to view the SRV resource
records that are registered:
  - _msdcs
  - _sites
  - _tcp
  - _udp



To view the list of SRV resource records that are registered by using the
nslookup command, perform the following steps:
1. Open a command prompt window, and run the nslookup utility.
2. Type ls -t SRV domain (where domain is the domain name), and then press
ENTER.
The SRV resource records that are registered will be listed.
To save the results of this list to a file, type ls -t SRV domain > filename
(where filename is any name you give to the file).


If you do not have a reverse lookup zone configured, time-outs will be
reported when you first run nslookup. This reporting happens because
nslookup generates a reverse lookup to determine the host name of the DNS
server based on its IP address.
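Viewing the records is only half of the check; the useful question is whether a particular domain controller has registered every record the lists above say it should. The following is an added example (not course or Microsoft code) that builds the expected owner names for a DC from the SRV name patterns in this lesson and reports which are missing. The domain sales.nwtraders.msft, the DC names and the OBSERVED pairs are constructed; in practice OBSERVED holds the (owner name, target) pairs you read from the DNS console or from the nslookup listing.

```python
"""Audit which of the lesson's SRV records a given domain controller has registered.

Added example; not part of the course and not Microsoft's code. The domain,
site, DC names and the OBSERVED list are constructed stand-ins for data read
from the DNS console or from nslookup's `ls -t SRV <domain>` listing.
"""
from __future__ import annotations


def _norm(name: str) -> str:
    """DNS names are case-insensitive; compare without case or a trailing dot."""
    return name.rstrip(".").lower()


def expected_srv_names(dns_domain: str, dns_forest: str, site: str,
                       is_gc: bool = False) -> set[str]:
    """SRV owner names (lower-cased) a Windows Server 2003 DC registers,
    taken from the lists in this lesson. `site` is the RDN of the site object."""
    names = {
        # records every domain controller registers
        f"_ldap._tcp.{dns_domain}",
        f"_kerberos._tcp.{dns_domain}",
        f"_kerberos._tcp.{site}._sites.{dns_domain}",
        # Microsoft-specific records under the _msdcs subdomain
        f"_ldap._tcp.dc._msdcs.{dns_domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}",
        f"_kerberos._tcp.dc._msdcs.{dns_domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{dns_domain}",
    }
    if is_gc:
        # only global catalog servers register these, under the forest root name
        names |= {
            f"_gc._tcp.{dns_forest}",
            f"_gc._tcp.{site}._sites.{dns_forest}",
            f"_ldap._tcp.gc._msdcs.{dns_forest}",
            f"_ldap._tcp.{site}._sites.gc._msdcs.{dns_forest}",
        }
    return {_norm(n) for n in names}


def missing_srv_records(observed, dc_fqdn: str, dns_domain: str, dns_forest: str,
                        site: str, is_gc: bool = False) -> set[str]:
    """Expected owner names for `dc_fqdn` that no observed record points at it.

    `observed` is an iterable of (owner_name, target_fqdn) pairs for the zone;
    records registered by other DCs are ignored by matching on the target.
    """
    have = {_norm(owner) for owner, target in observed
            if _norm(target) == _norm(dc_fqdn)}
    return expected_srv_names(dns_domain, dns_forest, site, is_gc) - have


# Constructed sample: a child domain of the practice's nwtraders.msft forest.
DOMAIN = "sales.nwtraders.msft"
FOREST = "nwtraders.msft"
SITE = "Default-First-Site-Name"
DC1 = "dc1.sales.nwtraders.msft"
DC2 = "dc2.sales.nwtraders.msft"

# What the zone holds; dc1 is missing its site-specific _msdcs Kerberos record
# and dc2 (constructed) has so far registered only the generic LDAP record.
OBSERVED = [
    ("_ldap._tcp.sales.nwtraders.msft", DC1),
    ("_ldap._tcp.sales.nwtraders.msft", DC2),
    ("_kerberos._tcp.sales.nwtraders.msft", DC1),
    ("_kerberos._tcp.Default-First-Site-Name._sites.sales.nwtraders.msft", DC1),
    ("_ldap._tcp.dc._msdcs.sales.nwtraders.msft", DC1),
    ("_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.sales.nwtraders.msft", DC1),
    ("_kerberos._tcp.dc._msdcs.sales.nwtraders.msft", DC1),
]


if __name__ == "__main__":
    for dc in (DC1, DC2):
        gaps = missing_srv_records(OBSERVED, dc, DOMAIN, FOREST, SITE)
        print(f"{dc}: {len(gaps)} missing")
        for name in sorted(gaps):
            print("   ", name)
```

Matching on the target rather than on the owner name alone is what makes the check per-DC: in a zone with several domain controllers every owner name is present, yet a single DC can still have failed to register its share, which is the case that shows up as intermittent logon problems.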



Multimedia: How Client Computers Use DNS to Locate Domain
Controllers and Services

This animation shows how client computers use DNS to locate domain
controllers and services. The animation will show the complete process starting
with net logon and ending with the client contacting a domain controller by
using the list of domain controller IP addresses returned by DNS.
To log on to a Windows Server 2003 domain or to search Active Directory, a
client computer must contact a domain controller. All domain controllers
register both A resource records and SRV records. The A resource record
contains the FQDN and IP address for the domain controller. The SRV record
contains the FQDN of the domain controller and the name of the service that
the domain controller provides. Therefore, the client computer can query DNS
to locate a domain controller.


The following describes the process of how a computer locates a domain
controller:
1. A user logs on to the domain, initiates an Active Directory search, or
performs other tasks that require a domain controller. The Net Logon
service on the client (the computer that is locating the domain controller)
starts the DsGetDcName application programming interface (API).
2. Net Logon collects information about the client and the specific service
required; this information will be included in the DNS query. This
information is specified by the following DsGetDcName parameters:
  - ComputerName. The name of the client computer.
  - DomainName. The name of the DNS domain that will be queried.
  - SiteName. The name of the site in which the domain controller should be
located. If the site is not specified, the domain controller that will be
located is in the site that is closest to the site in which the client
computer is located.
The client also specifies that the domain controller should be an LDAP
server in the domain named by DomainName, or a global catalog server or
KDC server for the forest in which DomainName is located.
3. The Net Logon service sends a DNS query to a DNS server. This DNS
query contains the information it collected from the client and specifies the
service that is required.
4. The DNS server queries the DNS zone database for SRV records that match
the service required by the client in the domain named by DomainName.
5. The DNS server returns a list of IP addresses of domain controllers that
provide the service requested in the domain specified by the client.
6. The Net Logon service sends a datagram (an LDAP UDP message) to one
or more of the located domain controllers to determine whether it is running
and whether it supports the specified domain.
7. Each available domain controller responds to the datagram to indicate that it
is currently operational, and then returns the information to DsGetDcName.
The Net Logon service returns the information to the client from the domain
controller that responds first.
8. The client computer chooses the first domain controller that responds and
meets the criteria, and then sends the request to that domain controller.

The Net Logon service caches the domain controller information so that the
client computer does not need to repeat the discovery process for subsequent
requests. Caching this information also encourages the consistent use of the
same domain controller.

For more information about how client computers use DNS to locate
domain controllers and services, and site coverage, see the How Client
Computers Use DNS to Locate Domain Controllers and Services topic in the
Module 2 section on the Appendices page on the Student Materials compact
disc.



How to Configure the Priority and Weight Values in SRV Records

In a Windows Server 2003 domain, certain domain controllers perform special
roles known as the operations master roles. These roles require a domain
controller to perform tasks, such as providing support to Windows NT 4.0
backup domain controllers, in addition to providing domain authentication and
authorization services. Such domain controllers may therefore be subjected to
higher utilization. To reduce the load on such domain controllers, you can
make clients prefer other domain controllers by adjusting the priority and
weight values in the SRV records for these servers.
To reduce the priority and weight of a domain controller, you modify its
Windows registry and specify LDAPSRVWEIGHT and LDAPSRVPRIORITY
values to be included in its SRV record.


To change the priority and weight of a domain controller, perform the following
steps:
1. Run Regedit.exe.
2. Locate the HKLM\SYSTEM\CurrentControlSet\Services\
Netlogon\Parameters key in the registry.
3. Create two new REG_DWORD values, LdapSrvWeight and LdapSrvPriority.
4. Set the appropriate values based on what you are trying to accomplish for
each given domain controller.
The LdapSrvPriority parameter specifies the priority of the domain
controller. A client trying to discover a domain controller in this domain
will contact the domain controller with the lowest-numbered priority.
Domain controllers with the same priority will be tried in a pseudorandom
order. Set the priority value high if you want to reduce the utilization of a
domain controller.
The LdapSrvWeight parameter specifies the weight of the domain controller.
When domain controllers have the same priority, clients select a domain
controller based on its weight. A higher weight increases the probability of
the domain controller being selected by a client.
5. Restart the domain controller.
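The two parameters above only matter through the way a DNS client orders the SRV answers it gets back, and the locator steps earlier in this lesson (the DNS query in steps 3 to 5, then the Net Logon datagram that discards domain controllers that do not answer in steps 6 to 8) decide which of those candidates is actually used. The following added simulation, which is not course or Microsoft code and does not touch the registry, applies the ordering rule that SRV clients follow (RFC 2782: lowest priority value first, then a weighted random choice among equal priorities) to three constructed domain controllers, one of which has been given a high priority value as described in step 4. The `reachable` set stands in for the domain controllers that answered the Net Logon datagram.

```python
"""Simulate how a client orders SRV records by priority and weight.

Added example; not part of the course and not Microsoft's code. The
selection rule is the one SRV clients use (RFC 2782): try the lowest
priority value first and, among equal priorities, pick at random with
probability proportional to weight. The domain controller names and the
registered values below are constructed.
"""
from __future__ import annotations

import random
from collections import Counter

DC1 = "dc1.sales.nwtraders.msft"
DC2 = "dc2.sales.nwtraders.msft"
DC3 = "dc3.sales.nwtraders.msft"

# (priority, weight, target) as each DC registered them. dc3 has had its
# LdapSrvPriority raised to 200, so clients use it only when no priority-0
# DC answers; dc2 carries twice dc1's weight, so it takes about two thirds
# of the priority-0 traffic.
SAMPLE = [
    (0, 100, DC1),
    (0, 200, DC2),
    (200, 100, DC3),
]


def order_by_srv(records, rng: random.Random, reachable=None) -> list[str]:
    """Return the targets in the order a client would try them.

    `reachable`, if given, is the set of targets that answered the Net Logon
    datagram; the others are dropped, which is how a client falls through to
    the next priority level when the preferred DCs are down.
    """
    by_priority: dict[int, list[tuple[int, str]]] = {}
    for prio, weight, target in records:
        if reachable is not None and target not in reachable:
            continue
        by_priority.setdefault(prio, []).append((weight, target))

    ordered: list[str] = []
    for prio in sorted(by_priority):           # lowest priority value first
        bucket = list(by_priority[prio])
        while bucket:                          # weighted draw without replacement
            total = sum(w for w, _ in bucket)
            if total == 0:                     # all weights zero: plain uniform choice
                idx = rng.randrange(len(bucket))
            else:
                point = rng.uniform(0, total)  # in [0, total)
                acc = 0
                idx = len(bucket) - 1
                for i, (w, _) in enumerate(bucket):
                    acc += w
                    if point < acc:
                        idx = i
                        break
            ordered.append(bucket.pop(idx)[1])
    return ordered


def try_order(records, seed: int = 0, reachable=None) -> list[str]:
    """Deterministic wrapper: one client's attempt order for a given seed."""
    return order_by_srv(records, random.Random(seed), reachable)


def selection_shares(records, trials: int = 3000, seed: int = 1,
                     reachable=None) -> dict[str, float]:
    """Fraction of `trials` in which each target was the first choice."""
    rng = random.Random(seed)
    counts = Counter(order_by_srv(records, rng, reachable)[0] for _ in range(trials))
    return {target: n / trials for target, n in counts.items()}


if __name__ == "__main__":
    print("all DCs answering:", selection_shares(SAMPLE))
    print("only dc3 answering:", selection_shares(SAMPLE, reachable={DC3}))
    print("one client's order:", try_order(SAMPLE))
```

Two things the simulation makes visible that the registry procedure does not: a high priority value hides a domain controller from first choice entirely rather than merely reducing its share, and weight only redistributes load among domain controllers that share a priority value, so lowering a weight has no effect if the server is alone at its priority level.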



Practice: Verifying and Configuring SRV Records

In this practice you will examine the _msdcs subdomain, and the structure and
hierarchy of the records registered by a domain controller, by using the DNS
console and the NSLookup utility. You will also configure the priority and
weight of your domain controller.
You have just created a child domain on your network. You want to verify that
your domain controller has registered its SRV records with Active Directory.
Because you plan on making this domain controller a PDC emulator, you want
to configure the priority and weight of the domain controller.
To view the SRV resource records registered by domain controllers by using the
DNS snap-in, perform the following steps:
1. Log on to the Nwtraders domain as Administrator with a password of
P@ssw0rd.
2. Open DNS from the Administrative Tools menu.
3. Double-click Server (where Server is the name of your DNS server),
double-click Forward Lookup Zones, and then double-click domain
(where domain is the domain name).
4. Open the following folders in the domain folder to view the SRV resource
records that are registered:
  - _msdcs
  - _sites
  - _tcp
  - _udp



To change the priority and weight of your domain controller, perform the
following steps:
1. Create two new REG_DWORD values, LdapSrvWeight and LdapSrvPriority,
within the HKLM\SYSTEM\CurrentControlSet\Services\
Netlogon\Parameters key in the registry.
2. Set the weight and priority to 200 and 1 respectively.



Lesson: Raising Forest and Domain Functional Levels

Forest and domain functionality determines the Active Directory features that
are enabled. This lesson introduces the features that are enabled based on forest
and domain functionality, and how to raise the functionality of a forest and a
domain.
After completing this lesson, you will be able to:
- Describe forest and domain functionality.
- Describe the requirements for raising the forest and domain functional
levels.
- Raise the functional level of a forest and a domain.



What Is Forest and Domain Functionality?

Forest and domain functionality is a Windows Server 2003 feature that provides
a way to enable domain- or forest-wide Active Directory features within your
network environment. Different levels of domain functionality and forest
functionality are available depending on your environment.
Domain functionality enables features that will affect the entire domain and that
domain only. There are four domain functional levels available:
- Windows 2000 mixed
This is the default functional level. You can raise the domain functional
level to either Windows 2000 native or Windows Server 2003. Mixed-mode
domains can contain Windows NT 4.0 backup domain controllers and
cannot use universal security groups, group nesting, and security identifier
(SID) history capabilities.
- Windows 2000 native
This functional level can be used if the domain contains only
Windows 2000 and Windows Server 2003 domain controllers. Even though
domain controllers running Windows 2000 Server are not aware of domain
functionality, Active Directory features such as universal security groups,
group nesting, and security identifier (SID) history capabilities are available.
- Windows Server 2003
This is the highest functional level for a domain, and can be used only if all
the domain controllers in the domain are running Windows Server 2003. All
Active Directory features for the domain are available for use.
- Windows Server 2003 interim
This functional level is a special functional level that supports
Windows NT 4.0 and Windows Server 2003 domain controllers. For
information about this functional level, see Upgrading from a Windows NT
domain in Help and Support.



The following list describes some of the domain-wide features that are
enabled for each domain functional level:

Domain controller rename tool
  Windows 2000 mixed: Disabled.
  Windows 2000 native: Disabled.
  Windows Server 2003: Enabled.

Universal groups
  Windows 2000 mixed: Enabled for distribution groups; disabled for security
  groups.
  Windows 2000 native: Enabled; allows both security and distribution groups.
  Windows Server 2003: Enabled; allows both security and distribution groups.

Group nesting
  Windows 2000 mixed: Enabled for distribution groups; disabled for security
  groups, except that domain local security groups can have global groups as
  members.
  Windows 2000 native: Enabled; allows full group nesting.
  Windows Server 2003: Enabled; allows full group nesting.

SID history
  Windows 2000 mixed: Disabled.
  Windows 2000 native: Enabled; allows migration of security principals from
  one domain to another.
  Windows Server 2003: Enabled; allows migration of security principals from
  one domain to another.

Converting groups
  Windows 2000 mixed: Disabled; no group conversions allowed.
  Windows 2000 native: Enabled; allows migration of security principals from
  one domain to another.
  Windows Server 2003: Enabled; allows migration of security principals from
  one domain to another.

For a complete list of the features that are enabled for each domain functional
level, see Domain and forest functionality in online Help and Support.
Forest functionality enables features across all the domains within your forest.
Two forest functional levels are available: Windows 2000 and
Windows Server 2003. By default, forests operate at the Windows 2000
functional level. You can raise the forest functional level to
Windows Server 2003. Raising the forest functional level to
Windows Server 2003 enables features such as forest trusts, and improved
replication features, which are not available at the Windows 2000 functional
level.
For a complete list of the features that are enabled for each forest functional
level, see Domain and forest functionality in online Help and Support.

You cannot lower the functional level of the domain or forest once it has
been raised.



Requirements for Enabling New Windows Server 2003 Features

In addition to the basic Active Directory features on individual domain
controllers, new domain-wide and forest-wide Active Directory features are
available when all domain controllers in a domain or forest are running
Windows Server 2003.
To enable the new domain-wide features, all domain controllers in the domain
must be running Windows Server 2003, and the domain functional level must
be raised to Windows Server 2003. You must be a Domain Administrator to
raise the domain functional level.
To enable new forest-wide features, all domain controllers in the forest must be
running Windows Server 2003, and the forest functional level must be raised to
Windows Server 2003. Domains that are not set to the domain functional level
of Windows Server 2003 will automatically be raised to Windows Server 2003
at the same time the forest functional level is raised to Windows Server 2003.
You must be an Enterprise Administrator to raise the forest functional level.


How to Raise the Functional Level

Raising the forest and domain functionality to Windows Server 2003 enables
certain features, such as forest trusts, that are not available at other functional
levels. You can raise forest and domain functionality by using the Active
Directory Domains and Trusts console.
To raise the domain functional level, perform the following steps:
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the node for the domain whose functional
level is to be raised, and then click Raise Domain Functional Level.
3. In the Select an available domain functional level dialog box, select the
functional level, and then click Raise.

To raise the forest functional level, perform the following steps:
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the Active Directory Domains and Trusts
node, and then click Raise Forest Functional Level.
3. In the Select an available forest functional level dialog box, select
Windows .NET Server 2003, and then click Raise.


Note: You must raise the functional level of all domains in a forest to
Windows Server 2003 before you can raise the forest functional level.


Practice: Raising the Domain Functional Level

In this practice you will raise the domain functional level from Windows 2000
mixed to Windows 2000 native.
You have just created a child domain by installing Active Directory on your
Windows Server 2003 server. Your new domain requires nested security
groups, which means that you must raise the functional level of your domain.
To raise the functional level of your domain from Windows 2000 mixed to
Windows 2000 native, perform the following steps:
1. Log on to your child domain as Administrator with a password of
P@ssw0rd.
2. Examine the forest and domain functional level in the classroom forest.
3. Create a distribution group and a security group based on the current
domain functional level (Windows 2000 mixed).
4. Create a nested security group and observe the result.
5. Raise the domain functional level of your domain to Windows Server 2003.
6. Verify the domain functional level.
7. Create a nested security group, and convert the distribution group created in
step 3 to a security group.



Lesson: Creating Trust Relationships

Active Directory provides security across multiple domains and forests, through
domain and forest trusts. This lesson covers the types of trusts; how trusts work;
and how to create, verify, and revoke trust relationships.
After completing this lesson, you will be able to:
! Describe the types of trusts that can be established between domains.
! Describe how trusts work within a forest.
! Describe how trusts work across forests.
! Create a trust.
! Verify and revoke a trust.



Types of Trusts

Trusts are the mechanism that ensures that a user who is authenticated in his
home domain can access resources in any trusted domain. In
Windows Server 2003, there are two categories of trusts: transitive trusts and
non-transitive trusts.
A transitive trust is one in which the trust relationship extended to one domain
is automatically extended to all other domains that trust that domain. For
example, domain C directly trusts domain D. Domain D directly trusts domain
E. Because both trusts are transitive, domain C indirectly trusts domain E.
Transitive trusts are automatic. An example of a transitive trust is a parent/child
trust. Non-transitive trusts are not automatic and must be set up explicitly. An
example of a non-transitive trust is an external trust.
In Windows Server 2003 there are three trust directions: one-way incoming,
one-way outgoing, and two-way trusts. If a one-way incoming trust is set up
between domain B and domain Q, users in domain B can be authenticated in
domain Q. If a one-way outgoing trust is set up between domain B and domain
Q, users in domain Q can be authenticated in domain B. A two-way trust means
that there are two trust paths going in both directions between two domains.


Windows Server 2003 supports the following types of trusts, in the transitive
and non-transitive categories:
Type (transitivity): When to use

Shortcut (transitive): Use to reduce Kerberos authentication hops.
Forest (transitive): Use to enable authentication between forests.
External (non-transitive): Use to set up a trust relationship between a domain
in one forest and a domain in another forest.
Realm (transitive or non-transitive, at the user's choice): Use to trust an
external Kerberos realm.


Note: A realm is a set of security principals in a non-Windows environment
that are subject to Kerberos authentication. For more information about
Kerberos realms, see Interoperability with RFC-1510 Kerberos
implementations in Help and Support.


What Are Trusted Domain Objects?

When you set up trusts between domains within the same forest, across forests,
or with an external realm, information about these trusts is stored in Active
Directory so that, when required, the information can be retrieved.
Each trust relationship within a domain is represented by an object known as
the trusted domain object (TDO). The TDO stores information about the trust,
such as the trust transitivity and trust type. Whenever a trust is created, a new
TDO is created and stored (in the System container) in its domain.
Forest trust TDOs store additional information to identify all of the trusted
namespaces from its partner forest. When a forest trust is established, each
forest collects all of the trusted namespaces in its partner forest and stores the
information in a TDO. This information includes the domain tree names,
service principal name (SPN) suffixes, and security ID (SID) namespaces.
SPNs are structures that help identify the computer on which a service is
running.
When a workstation requests a service and the service cannot be located in the
domain or the forest in which the workstation is a member, TDOs are used to
locate the service in all trusted forests.


How Trusts Work Within a Forest

Trusts allow users from one domain access to resources in another domain.
Trust relationships can be transitive or non-transitive.
When a user attempts to gain access to a resource in another domain, the
Kerberos V5 protocol must determine whether the trusting domain, which is the
domain containing the resource to which the user is trying to gain access, has a
trust relationship with the trusted domain, which is the domain to which the
user is logging on. To determine this relationship, the Kerberos V5 security
protocol travels the trust path between the domain controller in the trusting
domain to the domain controller in the trusted domain.
When a user in the trusted domain attempts to gain access to a resource in
another domain, the user's computer first contacts the domain controller in its
domain to get authentication to the resource. If the resource is not in the user's
domain, the domain controller uses the trust relationship with its parent and
refers the user's computer to a domain controller in its parent domain. This
attempt at locating the resource continues up the trust hierarchy, possibly to the
forest root domain, and down the trust hierarchy until a domain controller in the
domain where the resource is located is contacted. The path that is taken
from domain to domain is the trust path, and it is the shortest path following the
trust hierarchy.
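The trust path described above, as an added example that is not part of the course material: a small Python model of a forest's trust relationships (parent/child, shortcut and external trusts, with the direction and transitivity rules from the Types of Trusts topic) and a breadth-first walk that returns the shortest trust path from the resource's domain to the user's logon domain. The domain names, the Forest and Trust classes and their methods are all constructed for this illustration.

```python
"""Model of Active Directory trust relationships and trust-path walking.

Added example, not course material. Names and trusts are constructed. Rules
follow the text: parent/child trusts are two-way and transitive, a shortcut
trust adds a direct transitive hop, and an external trust is non-transitive,
so it can only ever be the single hop of a direct path."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain holding the resource; it accepts users from `trusted`
    trusted: str      # domain the users log on to
    transitive: bool


class Forest:
    def __init__(self) -> None:
        self.trusts: List[Trust] = []

    def add_parent_child(self, parent: str, child: str) -> None:
        # Created automatically when a child domain joins: two-way, transitive.
        self.trusts.append(Trust(parent, child, True))
        self.trusts.append(Trust(child, parent, True))

    def add_shortcut(self, a: str, b: str) -> None:
        # Two-way shortcut trust: transitive, used to cut authentication hops.
        self.trusts.append(Trust(a, b, True))
        self.trusts.append(Trust(b, a, True))

    def add_external(self, trusting: str, trusted: str) -> None:
        # One-way outgoing external trust from `trusting`: non-transitive.
        self.trusts.append(Trust(trusting, trusted, False))

    def trust_path(self, resource_domain: str, user_domain: str) -> Optional[List[str]]:
        """Domains traversed from the resource's (trusting) domain to the user's
        (trusted) domain, shortest first, or None if no trust path exists."""
        if resource_domain == user_domain:
            return [resource_domain]
        # A direct trust of either kind is always usable as a single hop.
        for t in self.trusts:
            if t.trusting == resource_domain and t.trusted == user_domain:
                return [resource_domain, user_domain]
        # Longer paths may only chain transitive trusts; breadth-first search
        # returns the shortest such chain, which is what the KDC referrals follow.
        previous: Dict[str, Optional[str]] = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            current = queue.popleft()
            for t in self.trusts:
                if t.trusting != current or not t.transitive or t.trusted in previous:
                    continue
                previous[t.trusted] = current
                if t.trusted == user_domain:
                    path = [user_domain]
                    while previous[path[-1]] is not None:
                        path.append(previous[path[-1]])
                    return path[::-1]
                queue.append(t.trusted)
        return None

    def hops(self, resource_domain: str, user_domain: str) -> Optional[int]:
        """Number of trust hops on the path, or None when there is no path."""
        path = self.trust_path(resource_domain, user_domain)
        return None if path is None else len(path) - 1


def build_example_forest() -> Forest:
    """Constructed forest: nwtraders.msft root with two child domains, plus a
    one-way external trust from seattle.nwtraders.msft to another forest's domain."""
    f = Forest()
    f.add_parent_child("nwtraders.msft", "vancouver.nwtraders.msft")
    f.add_parent_child("nwtraders.msft", "seattle.nwtraders.msft")
    f.add_external("seattle.nwtraders.msft", "contoso.msft")
    return f


if __name__ == "__main__":
    forest = build_example_forest()
    print(forest.trust_path("seattle.nwtraders.msft", "vancouver.nwtraders.msft"))
    forest.add_shortcut("seattle.nwtraders.msft", "vancouver.nwtraders.msft")
    print(forest.trust_path("seattle.nwtraders.msft", "vancouver.nwtraders.msft"))
    print(forest.trust_path("vancouver.nwtraders.msft", "contoso.msft"))
```

Run as a script, it prints the two-hop path through the forest root, the one-hop path once a shortcut trust exists, and None for a contoso.msft user reaching vancouver.nwtraders.msft, because the external trust is non-transitive and only the domain that holds it (seattle.nwtraders.msft) accepts those users.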


How Trusts Work Across Forests

Windows Server 2003 supports cross-forest trusts, so that users in one forest
can access resources in another forest. When a user attempts to access a
resource in a trusted forest, the resource must first be located. Once the resource
is located, the user can be authenticated and allowed to access the resource.
Understanding how this process works will help you troubleshoot problems that
may arise with cross-forest trusts.
The following is a description of how a resource in another forest is located and
accessed. The assumption is that the computers involved are running
Windows 2000 Professional, Windows XP Professional, Windows 2000 Server,
or Windows Server 2003.
1. A user logged on to the domain vancouver.nwtraders.msft attempts to
access a shared resource such as a shared folder located in the Contoso.msft
forest. The computer the user is working on contacts the Key Distribution
Center (KDC) on a domain controller in its domain
vancouver.nwtraders.msft and requests a service ticket by using the SPN of
the computer on which the resource is available. An SPN can be one of the
following: the DNS name of a host, the DNS name of a domain, or the
distinguished name of a service connection point object.
2. Because the resource is not located in vancouver.nwtraders.msft, the domain
controller for vancouver.nwtraders.msft queries the global catalog to see if
the resource is located in any of the other domains in the forest.
3. Because a global catalog is limited to its own forest, the SPN is not found.
The global catalog then checks its database for information about any forest
trusts that are established with its forest, and, if found, it compares the name
suffixes listed in the forest trust TDO to the suffix of the target SPN to find
a match. Once a match is found, the global catalog provides routing
information about how to locate the resource to the domain controller in the
Vancouver domain.
4. The domain controller in Vancouver sends a referral for its parent domain
nwtraders.msft to the user's computer.
5. The user's computer contacts a domain controller in nwtraders.msft for a
referral to a domain controller in the forest root domain of the Contoso.msft
forest.
6. Using the referral returned by the domain controller in the nwtraders.msft
domain, the user's computer contacts a domain controller in the
Contoso.msft forest for a service ticket to the requested service.
7. Because the resource is not located in the forest root domain of the
Contoso.msft forest, the domain controller contacts its global catalog to find
the SPN.
8. The global catalog finds a match for the SPN and sends it back to the
domain controller.
9. The domain controller sends the referral to seattle.contoso.msft to the user's
computer.
10. The user's computer contacts the KDC on the domain controller in Seattle and
negotiates a ticket for the user to gain access to the resource in the domain
seattle.contoso.msft.
11. The user's computer sends the server service ticket to the computer on
which the shared resource is located, which reads the user's security
credentials and constructs an access token, which gives the user access to
the resource.
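The name-suffix matching in step 3, as an added example that is not the course's own code: a Python model of a forest trust TDO holding the partner forest's trusted namespaces, and a routing function that extracts the host from an SPN, checks the local forest first and then each TDO, and picks the longest matching suffix when namespaces overlap (the longest-match rule is this example's choice, not something the text specifies). The forest names, suffixes, SPNs and function names are constructed.

```python
"""Routing an SPN to a trusted forest by the name suffixes stored in a
forest trust TDO.

Added example, not course material. Forest names, namespaces and SPNs are
constructed for the illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ForestTrustTDO:
    partner_forest: str
    trusted_namespaces: List[str]   # domain tree names and SPN suffixes of the partner


def spn_host(spn: str) -> str:
    """Host part of an SPN such as 'cifs/fs1.seattle.contoso.msft:445/share'."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[1]:
        raise ValueError(f"SPN has no host component: {spn!r}")
    return parts[1].split(":")[0].lower()


def suffix_matches(host: str, suffix: str) -> bool:
    """DNS-label-aware suffix test: 'notcontoso.msft' must not match 'contoso.msft'."""
    suffix = suffix.lower().lstrip("*.")
    return bool(suffix) and (host == suffix or host.endswith("." + suffix))


def route_spn(spn: str, local_namespaces: List[str],
              tdos: List[ForestTrustTDO]) -> Optional[str]:
    """Return 'local' if the SPN belongs to this forest, the partner forest name
    if a forest trust TDO claims the suffix, or None if no trust covers it.
    The longest matching namespace wins, so a more specific suffix beats a
    shorter one it is nested under."""
    host = spn_host(spn)
    candidates = [("local", ns) for ns in local_namespaces]
    for tdo in tdos:
        candidates.extend((tdo.partner_forest, ns) for ns in tdo.trusted_namespaces)
    best: Optional[str] = None
    best_len = -1
    for owner, ns in candidates:
        if suffix_matches(host, ns) and len(ns) > best_len:
            best, best_len = owner, len(ns)
    return best


# Constructed data: our forest is nwtraders.msft; one forest trust with contoso.msft,
# whose TDO lists two namespaces that the partner forest owns.
EXAMPLE_LOCAL_NAMESPACES = ["nwtraders.msft"]
EXAMPLE_TDOS = [ForestTrustTDO("contoso.msft", ["contoso.msft", "fabrikam.msft"])]


def locate(spn: str) -> Optional[str]:
    """Route an SPN using the constructed forest above."""
    return route_spn(spn, EXAMPLE_LOCAL_NAMESPACES, EXAMPLE_TDOS)


if __name__ == "__main__":
    for spn in ("cifs/fs1.seattle.contoso.msft", "host/dc1.vancouver.nwtraders.msft",
                "cifs/files.fabrikam.msft:445/share", "cifs/notcontoso.msft"):
        print(f"{spn:45} -> {locate(spn)}")
```

A result of None is the case the text's step 3 leaves implicit: no forest trust TDO lists a namespace covering the SPN, so the global catalog cannot provide routing information and the request fails at the home forest.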

How to Create Trusts

You can use Active Directory Domains and Trusts to set up trust relationships
between forests or between domains in the same forest. You can also use it to
set up shortcut trusts.
Before you create a forest trust, you must create a secondary lookup zone on the
DNS server in each forest that points to the DNS server in the other forest. This
ensures that the domain controller in the forest from where you are creating the
forest trust can locate a domain controller in the other forest and complete the
setup of the trust relationship.
To create a trust, perform the following steps:
1. Open Active Directory Domains and Trusts.
2. In the console tree, perform one of the following steps:
# If you are creating a forest trust, right-click the domain node for the
forest root domain, and then click Properties.
# If you are creating a shortcut trust, right-click the domain node for the
domain that you want to establish a shortcut trust with, and then click
Properties.
# If you are creating an external trust, right-click the domain node for the
domain that you want to establish a trust with, and then click Properties.
# If you are creating a realm trust, right-click the domain node for the
domain you want to administer, and then click Properties.
3. On the Trusts tab, click New Trust, and then click Next.
4. The New Trust Wizard is started.
5. On the Welcome page click Next.
6. On the Trust Name page, perform one of the following steps:
# If you are creating a forest trust, type the DNS name of the second
forest, and then click Next.
# If you are creating a shortcut trust, type the DNS name of the domain,
type and confirm the trust password, and then click Next.
# If you are creating an external trust, type the DNS name of the domain,
and then click Next.
# If you are creating a realm trust, type the realm name for the target
realm, and then click Next.
7. On the Trust Type page, perform one of the following steps:
# If you are creating a forest trust, click Forest trust, and then click Next.
# If you are creating a shortcut trust, skip to step 8.
# If you are creating an external trust, click External trust, and then click
Next.
# If you are creating a realm trust, select the Realm trust option, and then
click Next. On the Transitivity of Trust page, do one of the following:
# To form a trust relationship with the domain and the specified realm,
click Nontransitive, and then click Next.
# To form a trust relationship with the domain and the specified realm
and all trusted realms, click Transitive, and then click Next.
8. On the Direction of Trust page, perform one of the following steps:
# To create a two-way trust, click Two-way, and then follow the wizard
instructions.
# To create a one-way incoming trust, click One-way: incoming, and then
follow the wizard instructions.
# To create a one-way outgoing trust, click One-way: outgoing, and then
follow the wizard instructions.

How to Verify and Revoke a Trust

If you create non-transitive trusts, you will sometimes need to verify and revoke
the trust paths you created. You verify a trust to make sure it is working
correctly and can validate authentication requests from other domains. You
revoke a trust to prevent that authentication path from being used during
authentication. You can use Active Directory Domains and Trusts or the
netdom command to verify and revoke trust paths.
To verify a trust by using Active Directory Domains and Trusts, perform the
following steps:
1. In Active Directory Domains and Trusts, in the console tree, right-click one
of the domains involved in the trust that you want to verify, and then click
Properties.
2. On the Trusts tab, under either Domains trusted by this domain
(outgoing trusts) or Domains that trust this domain (incoming trusts),
click the trust to be verified, and then click Properties.
3. Click Validate.
4. Repeat steps 1 through 3 to verify the trust for the other domain involved in
the relationship.

To verify a trust by using netdom, perform the following steps:
1. Open a command prompt window.
2. Type the following command, and then press ENTER.
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Verify

To revoke a trust by using Active Directory Domains and Trusts, perform the
following steps:
1. In Active Directory Domains and Trusts, in the console tree, right-click one
of the domains involved in the trust that you want to revoke, and then click
Properties.
2. On the Trusts tab, under either Domains trusted by this domain
(outgoing trusts) or Domains that trust this domain (incoming trusts),
click the trust to be removed, and then click Remove.
3. Repeat steps 1 and 2 to revoke the trust for the other domain involved in the
relationship.

To revoke a trust by using netdom, perform the following steps:
1. Open a command prompt window.
2. Type the following command, and then press ENTER.
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Remove



Practice: Creating a Shortcut Trust

In this practice you will create a shortcut trust between your domain and
another domain in your forest, and validate the trust.
You have created a child domain for your location within the forest domain
nwtraders.msft. Sales managers at another location need access to sales
resources in your location and vice versa. You need to set up a two-way
shortcut trust between your domain and the domain that represents the other
location.
You will work with a partner, who will be assigned to you by your instructor.
You will create the two-way shortcut trust between your domain and your
partner's domain. Your partner will also set up a two-way shortcut trust with
your domain.


To create a shortcut trust, perform the following steps:
1. Log on to the Nwtraders domain as Administrator with a password of
P@ssw0rd.
2. Open Active Directory Domains and Trusts.
3. In the console tree, right-click the domain node for the domain that you
want to establish a shortcut trust with, and then click Properties.
4. On the Trusts tab, click New Trust, and then click Next.
5. On the Trust Name and Password page, type the DNS name of the
domain, type and confirm the trust password, and then click Next.
6. On the Direction of Trust page, click Two-way, and then click Next.
7. On the Sides of trust page, select This domain only, and then click Next.
8. Type P@ssw0rd as the trust password, and then click Next.
9. If you do not enter P@ssw0rd as the password, ensure that both you and
your partner use the same trust password.
10. Click Next on the Trusts Selections Complete page, and click Next again.
11. On the Confirm Outgoing Trust page, select No, do not confirm the
outgoing trust, and then click Next.
12. On the Confirm Incoming Trust page, select No, do not confirm the
incoming trust, and then click Next.
13. On the Completing the New Trust Wizard page, click Finish.

To validate a shortcut trust, perform the following steps:
1. On the Trust tab of the Properties page, click the trust that you want to
validate, and then click Properties.
2. On the Properties page, click Validate.
3. Select No, do not validate the incoming trust, and then click OK.
If the trust is valid, a validation message appears.
If you perform the validation test before your partner sets up a two-way
shortcut trust with your domain, you will receive an error message.



Lesson: Securing Trusts by Using SID Filtering


To ensure that only users of trusted domains are allowed access to a domain's
resources, Windows Server 2003 provides the SID filtering feature. This lesson
discusses SID history and SID filtering, and explains how to increase security
by using SID filtering.
After completing this lesson, you will be able to:
! Describe the purpose of SID history.
! Describe the purpose of SID filtering.
! Use SID filtering to secure resources.



What Is SID History?

Windows uses a data structure known as a Security ID (SID) to identify users,
computers and groups. SIDs have two components. The first part uniquely
identifies a domain; the second part uniquely identifies a user account,
computer account, or group managed by that domain. Windows uses SIDs to
identify users and groups in access control lists (ACLs) and group
memberships.
When a user account is migrated to a different domain, it is assigned a new
SID, which results in the loss of group memberships based on the old account
SID. SID history is an attribute on user and group objects in Active Directory
and is used to hold the previous SID of a migrated user account. If a user
account is migrated multiple times, SID history stores a list of all the SIDs the
user was assigned. SID history provides a migrated user with continuity of
access to resources, until all the necessary groups or ACLs can be updated
using the new account SID.
When a Windows Server 2003 domain controller authenticates a user, it
computes group memberships using both the current user account SID, and any
SIDs in SID history. If the user account has been migrated, access to resources
based on the previous account is maintained.


What Is SID Filtering?

SIDs can be maliciously added to a user's SID history, so that the user account
may gain unauthorized access to resources in a domain that trusts the user's
account domain. This is known as an elevation-of-privilege attack. To mitigate
this risk, SID history is well protected against unauthorized access or
modification. Trusting domains can set up SID filtering to ensure that only
users of the trusted domain are allowed access to its resources.
SID filtering is a mechanism that removes any SIDs in a user's authorization
data that are not related to the domain that is directly trusted. The trusted
domain that is targeted for SID filtering is considered to be quarantined. This
modifies the processing of authentication requests when users from the
quarantined domain log on.
Any domain controller in the trusting domain can positively determine the
correct domain SID for the quarantined domain, and filter the SIDs in the
authorization data to remove any that do not belong to that domain. While a
given domain can be quarantined only by another domain that directly trusts it,
the effect is inherited by any domain further along the trust path in the trusting
direction. All domain controllers in the trusting domain are configured to filter
SIDs in any authorization data received from the trusted domain.
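The SID structure described under What Is SID History? and the filtering described above, as an added example that is not part of the course material: Python functions that split a SID into its domain part and RID, assemble a user's authorization data from the account SID, group SIDs and SID history, and apply a simplified quarantine filter that keeps only SIDs relative to the directly trusted domain. All SIDs, the RESDOM/ACCDOM values and the function names are constructed; Windows applies additional rules for well-known SIDs that this model leaves out.

```python
"""SID parsing and a simplified model of SID filtering on a quarantined trust.

Added example, not course material. All SIDs are constructed. The model keeps
only SIDs whose domain part is the SID of the directly trusted (quarantined)
domain; Windows has further rules for well-known SIDs that are not reproduced."""
import re
from typing import List, Tuple

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split 'S-1-<authority>-<sub>-...' into its authority and sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def is_domain_account_sid(sid: str) -> bool:
    """True for S-1-5-21-<A>-<B>-<C>-<RID>: an account or group in some domain.
    Well-known SIDs such as S-1-1-0 (Everyone) are not domain-relative."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) == 5 and subs[0] == 21


def domain_of(sid: str) -> str:
    """Domain SID of an account SID: the first component the text describes,
    everything except the final RID."""
    if not is_domain_account_sid(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    _, subs = parse_sid(sid)
    return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])


def rid_of(sid: str) -> int:
    """The second component: the relative identifier of the account or group."""
    _, subs = parse_sid(sid)
    return subs[-1]


def authorization_data(account_sid: str, group_sids: List[str],
                       sid_history: List[str]) -> List[str]:
    """SIDs a Windows Server 2003 DC evaluates for a user: the account SID, its
    group SIDs, and every SID recorded in SID history."""
    return [account_sid] + list(group_sids) + list(sid_history)


def filter_sids(sids: List[str], quarantined_domain_sid: str) -> List[str]:
    """SID filtering as applied by a trusting domain controller: keep only SIDs
    relative to the quarantined (directly trusted) domain; drop everything else."""
    return [s for s in sids
            if is_domain_account_sid(s) and domain_of(s) == quarantined_domain_sid]


def filtered_out(sids: List[str], quarantined_domain_sid: str) -> List[str]:
    """SIDs a filtering DC would discard; handy when auditing SID history entries
    that point at a domain other than the one the trust is with."""
    kept = set(filter_sids(sids, quarantined_domain_sid))
    return [s for s in sids if s not in kept]


# Constructed scenario mirroring the text's RESDOM (trusting) / ACCDOM (trusted).
ACCDOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RESDOM_SID = "S-1-5-21-4000000004-1500000005-2600000006"


def example_authorization_data() -> List[str]:
    # A migrated ACCDOM user whose SID history carries a RESDOM SID (RID 512 is
    # Domain Admins) and a SID from an unrelated third domain; an unfiltered trust
    # would honour both, a quarantined trust honours neither.
    return authorization_data(
        account_sid=f"{ACCDOM_SID}-1105",
        group_sids=[f"{ACCDOM_SID}-513", f"{ACCDOM_SID}-1201"],
        sid_history=[f"{RESDOM_SID}-512", "S-1-5-21-700000007-800000008-900000009-1040"],
    )


if __name__ == "__main__":
    data = example_authorization_data()
    print("kept:   ", filter_sids(data, ACCDOM_SID))
    print("dropped:", filtered_out(data, ACCDOM_SID))
```

The dropped list is exactly what the text means by "the effect is inherited": once RESDOM's domain controllers quarantine ACCDOM, no SID that ACCDOM did not itself issue survives the trust boundary, whatever the history of the account.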


How to Increase Security by Using SID Filtering

On Windows Server 2003-based domains, SID filtering can be enabled,
verified, and disabled by using the Netdom.exe utility.
You use Netdom with the /filtersids switch to configure SID filtering.
To configure SID filtering, perform the following steps:
1. Run the following command on a domain controller in the domain (in this
example, the RESDOM domain is filtering the ACCDOM domain):
netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids:yes

Active Directory replication causes the setting to be propagated to all
domain controllers in the domain.
2. Verify the SID filtering settings on the domain by running the following
command on one of the domain controllers in the domain:
netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids


To disable SID filtering, run the following command on one of the domain
controllers in the domain:
netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:"" /filtersids:no



Lab A: Implementing Active Directory

After completing this lab, you will be able to:
! Install Active Directory
! Create a forest root
! Verify an Active Directory installation
! Verify the forest and domain functional level
! Raise the functional level of the forest and the domain
! Create a child domain in an existing forest
! Create forest trusts
! Verify forest trusts


Note: This lab focuses on the concepts in this module and as a result may not
comply with Microsoft security recommendations.

Before working on this lab, you must have:
! Knowledge about the components that make up the logical and physical
structure of Active Directory.
! The knowledge and skills to install Active Directory and create a forest root
domain, and a child domain.
! Knowledge about how Active Directory integrated DNS works.
! The knowledge and skills to raise the functional level of a forest.
! The knowledge and skills to create a trust relationship between two forests.



Scenario
You are a Systems Engineer for Northwind Traders. In response to a series of
mergers with several smaller companies, Northwind Traders has decided to
consolidate its Active Directory infrastructure. The individual organizations
must maintain their Active Directory structure yet also be able to communicate
among all the subsidiaries. You will provide the infrastructure necessary to
support this goal by using multiple forests and trusts as appropriate between
them.

Estimated time to complete this lab: 60 minutes


Exercise 1
Removing a Child Domain from Active Directory
In this exercise, you will remove Active Directory from your domain controller to prepare for the
creation of an Active Directory forest and domain structure.
Scenario
Northwind Traders must implement Active Directory in several locations. The IT management
team has asked the engineering group to implement Active Directory by using separate forests. You
will work independently as the local administrator of the office to which you have been assigned.
You will use the servers at your site to create a new Active Directory forest root and child domain.
In preparation for this event, you must first demote your domain controller.

Tasks and special instructions

1. Remove Active Directory from your domain controller.

2. Verify that Active Directory has been removed from your server.
   a. Log on to NWTraders as Administrator with a password of P@ssw0rd
      to perform this task.
   b. Verify that the NETLOGON and SYSVOL shares no longer exist.


Exercise 2
Creating an Active Directory Forest Root Domain
In this exercise, you will work with a partner to create your own Active Directory forest. One of
you will create the forest root domain and the other will create a child domain in the newly created
forest root.
Scenario
You are creating a new Active Directory forest that will eventually be merged into a comprehensive
administrative environment. As one of the regional locations for Northwind Traders, you must
coordinate your efforts with a sister location in your country. One of the locations will establish the
forest root domain and the other will create a child domain in the newly created forest. The forest
root domain must be created before the child domain can join the forest. You must coordinate your
effort with your sister location to ensure that the appropriate steps are taken at the correct time.

Tasks and special instructions

1. Create a new forest root domain.
   a. Your instructor will assign the name of your forest root domain.
   b. Log on to your local server as Administrator with a password of
      P@ssw0rd if you are not already logged on.
   You must install DNS by using the Active Directory Installation Wizard. The
   root domain controller's DNS resolver must be pointed to London.

2. Verify the creation of the new forest.



Exercise 3
Creating an Active Directory Child Domain
In this exercise, you will complete the creation of the Active Directory forest by creating a child
domain within the forest root.
Scenario
As the sister location to the newly created forest root, you will complete the forest by creating the
first child domain. Do not complete this step until you have verified with your partner that the
forest root domain has been configured and is running.

Tasks and special instructions

1. Create a new child domain.
   ! Log on to your local server as Administrator with a password of
     P@ssw0rd.
   The child domain controller must have its DNS resolver pointed to the
   partner's forest root domain controller.

2. Verify the installation of the new child domain.



Exercise 4
Raising Domain and Forest Functional Level
In this exercise, you will raise the domain and forest functional levels to Windows Server 2003.
Scenario
Northwind Traders is preparing its environment for cross-forest trusts, which will
be implemented at a later stage. To achieve this, domains and forests must have
their functional level raised to support the forest trust feature.

Tasks and special instructions

1. Raise the domain functional level.
   ! Log on to your domain as Administrator with a password of P@ssw0rd.

2. Raise the forest functional level.
   ! This action must be performed by only one member of the forest.



Exercise 5
Creating a Forest Trust

Important: For this exercise, your instructor will configure the LONDON server as a root hints server
and will delegate your domain from this root server. Do not perform this exercise until your instructor
asks you to do so. If the root server has not been configured for this exercise, you will be unable to
create the forest trusts required.

In this exercise, you will create a trust with the following forests, forming a two-way forest trust. If
your domain name ends with an even number, replace the letters in the exercise with an odd
number of your choice. If your domain name ends in an odd number, replace the letters in the
exercise with an even number of your choice.
" Nwtraders_u.msft
" Nwtraders_v.msft
" Nwtraders_w.msft
" Nwtraders_x.msft
" Nwtraders_y.msft
" Nwtraders_z.msft
Scenario
The Northwind Traders conglomerate is growing quickly. You must support the increase in
connectivity requirements between the various organizations. To accomplish this, you will create a
series of trusts between forests that require communications and resource access.

Tasks                                      Special instructions
1. Configure DNS forwarding.               • This task must be performed in the classroom
                                             environment on all forest root domain controllers
                                             because there is no access to the Internet root
                                             hints servers. Your instructor has configured the
                                             LONDON server as a root server for this exercise
                                             and has delegated your zone to your server.
2. Create trusts between the classroom     • This step must be performed from the domain
   forest and your assigned forests, and     controller that established the forest root
   then verify that the trusts have been     domain.
   created.

Exercise 6
Securing Trusts by Using SID Filtering
In this exercise, you will configure SID filtering on your domain.
Scenario
Northwind Traders, like many companies, experiences some employee turnover as well as internal
employee movement. The organization wants to ensure that when users move between domains,
they do not keep access rights to resources from their former position. You have been asked to
enable SID filtering to prevent this unwanted access.

Tasks                                      Special instructions
1. Configure SID filtering on your         a. Log on to your domain as Administrator with a
   domain controller.                         password of P@ssw0rd if you are not already
                                              logged on.
                                           b. At the command prompt, type netdom trust
                                              <your_domain_name> /domain:<trusted_domain_name>
                                              /quarantine:yes, and then press ENTER.



Lab 2A: Implementing Active Directory
Exercise 1
Removing a Child Domain from Active Directory
In this exercise, you will remove Active Directory from your domain controller
to prepare for the creation of an Active Directory forest and domain structure.
Task 1: Remove Active Directory from your domain controller
1. Click Start, click Run, in the Open box, type dcpromo and then click OK
to start the Active Directory Installation Wizard.
2. On the Welcome to the Active Directory Installation Wizard page, click
Next.
3. On the Remove Active Directory page, click the checkbox labeled This
server is the last domain controller in the domain, and then click Next.
4. On the Network Credentials page, type Administrator as the username
and P@ssw0rd as the password, and then click Next.
5. On the Administrator Password page, type P@ssw0rd in both fields, and
then click Next.
6. On the Summary page, click Next.
7. On the Completing the Active Directory Installation Wizard page, click
Finish.
The Active Directory Installation Wizard removes components
from the Active Directory database, and then prompts you to
restart Windows.
8. Click Restart Now.

Task 2: Verify that Active Directory has been removed from your server
1. Log on as the local Administrator with a password of P@ssw0rd.
2. Click Start, and then click Run.
3. In the Open box, type %systemroot% and then click OK.
4. Verify that the sysvol and ntds folders are no longer present.
5. Open a command prompt window, type net share and then press ENTER.
6. Verify that the NETLOGON and SYSVOL shares no longer exist.

Exercise 2
Creating an Active Directory Forest Root Domain
In this exercise, you will work with a partner to create your own Active
Directory forest. One of you will create the forest root domain and the other
will create a child domain in the newly created forest root.
Task 1: Create a new forest root domain
1. Log on as the local Administrator with a password of P@ssw0rd if you
are not already logged on.
2. Click Start, click Run, in the Open box, type dcpromo and then click OK.
3. On the Welcome to the Active Directory Installation Wizard page, click
Next.
4. On the Operating System Compatibility page, click Next.
5. On the Domain Controller Type page, click Domain Controller for a New
Domain, and then click Next.
6. On the Create New Domain page, click Domain in a new forest, and then
click Next.
7. On the New Domain Name page, type your assigned domain name as given
to you by your instructor.
8. On the NetBIOS Domain Name page, click Next to accept the default
settings.
9. On the Database and Log Folders page, click Next to accept the default
settings.
10. On the Shared System Volume page, click Next to accept the default
settings.
11. On the DNS Registration Diagnostics page, ensure that Install and
configure the DNS server on this computer and set the computer to use
this DNS server as its preferred DNS server is selected, then click Next.
12. On the Permissions page, click Next to accept the default settings.
13. On the Directory Services Restore Mode Administrator Password page,
type P@ssw0rd in both fields, and then click Next.
14. On the Summary page, click Next.
15. On the Completing the Active Directory Installation Wizard page, click
Finish.
16. When prompted to restart Windows, click Restart Now.

Task 2: Verify the creation of the new forest
1. Log on as your domain Administrator with a password of P@ssw0rd.
2. Click Start, click All Programs, click Administrative Tools, and then
click Active Directory Users and Computers.
3. Verify that the only domain listed is the newly created forest root domain.

Exercise 3
Creating an Active Directory Child Domain
In this exercise, you will complete the creation of the Active Directory forest by
creating a child domain within the forest root.
Task 1: Create a new child domain
1. Log on as the local Administrator with a password of P@ssw0rd.
The child domain controller must have its DNS resolver pointed to
the partner's forest root domain controller.
2. Click Start, click Run, in the Open box, type dcpromo and then click OK.
3. On the Welcome to the Active Directory Installation Wizard page, click
Next.
4. On the Operating System Compatibility page, click Next.
5. On the Domain Controller Type page, click Domain Controller for a
New Domain, and then click Next.
6. On the Create New Domain page, click Child domain in an existing
domain tree, and then click Next.
7. On the Network Credentials page, type Administrator as the user name,
P@ssw0rd as the password, and your partner's forest root domain name in
the domain field, and then click Next.
8. On the Child Domain Installation page, in the Parent domain box, type
your partner's newly created domain name, in the Child domain box, type
your domain, and then click Next.
9. On the NetBIOS Domain Name page, click Next to accept the default
settings.
10. On the Database and Log Folders page, click Next to accept the default
settings.
11. On the Shared System Volume page, click Next to accept the default
settings.
12. On the DNS Registration Diagnostics page, click Next.
13. On the Permissions page, click Next to accept the default settings.
14. On the Directory Services Restore Mode Administrator Password page,
type P@ssw0rd in both fields, and then click Next.
15. On the Summary page, click Next.
16. On the Completing the Active Directory Installation Wizard page, click
Finish.
17. When prompted to restart Windows, click Restart Now.

Task 2: Verify the installation of the new child domain
1. Log on as your domain Administrator with a password of P@ssw0rd.
2. Click Start, click All Programs, click Administrative Tools, and then
click Active Directory Domains and Trusts.
3. Verify that the child domain is listed in the newly created forest root
domain.
Exercise 4
Raising Domain and Forest Functional Level
In this exercise, you will raise the domain and forest functional levels to
Windows Server 2003.
Task 1: Raise the domain functional level
1. Log on as your domain Administrator with a password of P@ssw0rd.
2. Click Start, click All Programs, click Administrative Tools, and then
click Active Directory Domains and Trusts.
3. Right-click your assigned domain name, click Raise Domain Functional
Level, select the Windows .NET Server 2003 functional level, and then
click Raise.
4. On the Raise Domain Functional Level window, click OK in response to the
message indicating that this choice cannot be reversed.
5. Click OK to confirm that the functional level was raised successfully.

Task 2: Raise the forest functional level
This action must be performed by only one member of the forest.

1. From Active Directory Domains and Trusts, right-click the Active
Directory Domains and Trusts node, and then click Raise Forest
Functional Level.
2. On the Raise Forest Functional Level page, select Windows .NET Server
2003 from the drop-down list, and then click Raise.
3. Click OK to confirm the message that this action will affect the entire
forest.
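
The dialogs above change a value you can also read back directly. The script below is an added example, not part of the course or of Microsoft's tooling: it reads the domain, forest and domain controller functional levels from the RootDSE of the domain controller it runs on and reports whether the forest is ready for the forest trusts of Exercise 5. It assumes Windows PowerShell is installed on the DC; none of the names or values in it come from the lab.

```powershell
# Added example (not part of the course): read the functional levels that the
# Raise Domain/Forest Functional Level dialogs set, straight from the RootDSE of
# the domain controller you are logged on to. Assumes Windows PowerShell is
# installed on the DC; no name or value here comes from the lab.

# RootDSE exposes the levels as small integers. These are the values defined for
# the Windows Server 2003 release; later releases add higher numbers.
$LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
}

function Get-FunctionalLevels {
    # Returns a hashtable keyed by RootDSE attribute name.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $levels = @{}
    foreach ($attr in 'domainFunctionality', 'forestFunctionality', 'domainControllerFunctionality') {
        $levels[$attr] = [int][string]$rootDse.Properties[$attr][0]
    }
    return $levels
}

function Test-ForestTrustReady {
    # Forest trusts require the forest functional level Windows Server 2003 (2),
    # which the Raise Forest Functional Level dialog only allows once every
    # domain in the forest is already at that level.
    param([hashtable]$levels)
    return ($levels['forestFunctionality'] -ge 2)
}

$levels = Get-FunctionalLevels
foreach ($attr in $levels.Keys) {
    $value = $levels[$attr]
    $name  = $LevelNames[$value]
    if (-not $name) { $name = "level $value, newer than this course" }
    Write-Host ("{0,-30} {1}  ({2})" -f $attr, $value, $name)
}
if (Test-ForestTrustReady $levels) {
    Write-Host 'Forest functional level is Windows Server 2003: Exercise 5 can create forest trusts.'
} else {
    Write-Host 'Raise every domain, then the forest, to Windows Server 2003 before Exercise 5.'
}
```

Run it after each task of this exercise: after Task 1 only domainFunctionality should report 2, and forestFunctionality reports 2 only after the single forest-wide raise in Task 2.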

Exercise 5
Creating a Forest Trust

For this exercise, your instructor will configure the LONDON
server as a root hints server and will delegate your domain from this root server.
Do not perform this exercise until your instructor asks you to do so. If the root
server has not been configured for this exercise, you will be unable to create the
forest trusts required.

In this exercise, you will create a trust with the following forests, forming a
two-way forest trust. If your domain name ends with an even number, replace
the letters in the exercise with an odd number of your choice. If your domain
name ends in an odd number, replace the letters in the exercise with an even
number of your choice.
• Nwtraders_u.msft
• Nwtraders_v.msft
• Nwtraders_w.msft
• Nwtraders_x.msft
• Nwtraders_y.msft
• Nwtraders_z.msft

Task 1: Configure DNS forwarding
This task must be performed in the classroom environment on all
forest root domain controllers because there is no access to the
Internet root hints servers. Your instructor has configured the
LONDON server as a root server for this exercise and has
delegated your zone to your server.
1. Click Start, click Administrative Tools, and then click DNS.
2. In the DNS management MMC, expand and right-click your server name,
and then click Properties.
3. Click the Forwarders tab.
4. In the Selected domain's forwarder IP address list box, type the
LONDON server's IP address, click Add, and then click OK.

Task 2: Create trusts between the classroom forest and your assigned forests,
and then verify that the trusts have been created
This step must be performed from the domain controller that
established the forest root domain.
1. Log on as Administrator with a password of P@ssw0rd.
2. Click Start, click All Programs, click Administrative Tools, and then
click Active Directory Domains and Trusts.
3. Right-click the forest root domain for your forest, and then click Properties.
4. On the Properties page for the forest, click the Trusts tab.
5. Click the New Trust button.
6. On the Welcome to the New Trust Wizard page, click Next.
7. On the Trust Name page, type the NetBIOS name or DNS name of the
classroom forest root domain, nwtraders or nwtraders.msft, and then click
Next.
8. On the Direction of Trust page, select Two-way as the trust direction, and
then click Next.
9. On the Side of Trust page, click Both this domain and the specified
domain, then click Next.
10. On the User Name and Password page, enter Administrator as the user
name and P@ssw0rd as the password, and then click Next.
11. On the Trust Selection Complete page, click Next.
12. On the Trust Creation Complete page, click Next.
13. On the Confirm Outgoing Trust page, click Next.
14. On the Completing the New Trust Wizard page, click Finish.
15. Verify the trust by viewing the Domain Properties window and locating the
trust that has been established, and then click OK to close the window.
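
Both tasks of this exercise can also be done from the command line, which makes the DNS dependency explicit: the trust wizard can only succeed once a domain controller of the other forest is locatable through the forwarder and the instructor's delegation. The script below is an added example, not from the course or from Microsoft's documentation. It assumes Windows PowerShell and the Windows Server 2003 Support Tools (which supply dnscmd and netdom) are installed on the forest root domain controller; the IP address and forest names in it are placeholders, not lab values.

```powershell
# Added example, not from the course: the two tasks of this exercise done from
# the command line with the Windows Server 2003 Support Tools (dnscmd, netdom).
# Run on the forest root domain controller as Administrator. Every value below
# is a placeholder; use what your instructor assigned.

$LondonIp      = '192.168.0.1'       # placeholder: the LONDON server's IP address
$MyForestRoot  = 'nwtraders_x.msft'  # placeholder: your forest root domain
$PartnerForest = 'nwtraders_u.msft'  # placeholder: one of your assigned forests

# Task 1: forward every query this server is not authoritative for to LONDON,
# which the instructor configured as the classroom root server.
dnscmd $env:COMPUTERNAME /ResetForwarders $LondonIp

# Before touching trusts, prove that forwarding and delegation work: the trust
# wizard and netdom both locate a DC of the other forest through its _msdcs
# SRV records. nslookup prints "svr hostname = ..." for each DC it finds.
function Test-ForestLocatable {
    param([string]$forest)
    $out = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$forest" 2>&1 | Out-String
    return [bool]($out -match 'svr hostname')
}

if (-not (Test-ForestLocatable $PartnerForest)) {
    throw "No DC of $PartnerForest is reachable through DNS; fix forwarding and delegation before creating the trust."
}

# Task 2: create the two-way forest trust. The first argument is the trusting
# (local) domain and /domain: the trusted one. /userd and /passwordd are the
# credentials in the trusted forest, /usero and /passwordo the local ones; the
# value * makes netdom prompt for the password instead of leaving it in the
# command line and the shell history. If your build of netdom refuses to
# combine /add with /foresttransitive, run /add first and then set
# /foresttransitive:yes on the trust it created.
netdom trust $MyForestRoot /domain:$PartnerForest /add /twoway /foresttransitive:yes `
    /userd:Administrator /passwordd:* /usero:Administrator /passwordo:*

# Verify both directions of the trust, the command-line counterpart of step 15.
netdom trust $MyForestRoot /domain:$PartnerForest /verify /twoway
```

The SRV check is the one worth keeping around after the lab: a trust that stops working after a DNS change fails there first, and nslookup against the _msdcs record shows whether the problem is name resolution or the trust itself.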

Exercise 6
Securing Trusts by Using SID Filtering
In this exercise, you will configure SID filtering on your domain.
Task 1: Configure SID filtering on your domain controller
1. Log on as your domain Administrator with a password of P@ssw0rd if
you are not already logged on.
2. Click Start, click Run, type cmd, and then click OK.
3. At the command prompt, type netdom trust <your_domain_name>
/domain:<trusted_domain_name> /quarantine:yes, and then press
ENTER.
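
Step 3 sets the quarantine but shows nothing about its effect. The script below is an added example, not part of the course: it enables SID filtering on each trust your domain holds and reads the setting back with the query form of the same netdom command, so you have evidence rather than an assumption. It assumes Windows PowerShell and netdom from the Windows Server 2003 Support Tools on a domain controller of the trusting domain; the domain names in it are placeholders, not lab values.

```powershell
# Added example, not from the course: enable SID filtering (netdom's
# "quarantine") on each trust this domain holds, then read the setting back.
# Run on a DC of the trusting domain as Administrator, with netdom from the
# Support Tools on the path. The domain names are placeholders.

$MyDomain       = 'nwtraders_x.msft'                        # placeholder: your domain
$TrustedDomains = @('nwtraders_u.msft', 'nwtraders_w.msft')  # placeholders: your assigned forests

function Set-SidFiltering {
    # With quarantine on, the trusting domain discards every SID in a
    # cross-trust logon that is not relative to $trusted, so SIDHistory
    # carried in from another domain no longer grants access here.
    # netdom returns exit code 0 on success.
    param([string]$trusting, [string]$trusted)
    netdom trust $trusting /domain:$trusted /quarantine:yes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-SidFiltering {
    # /quarantine with no value only reports the current state. The Windows
    # Server 2003 netdom answers with a sentence beginning "SID filtering is
    # enabled" or "SID filtering is not enabled"; adjust the patterns if your
    # build words it differently. Anything else (trust not found, netdom
    # failure) is reported as 'unknown'.
    param([string]$trusting, [string]$trusted)
    $out = netdom trust $trusting /domain:$trusted /quarantine 2>&1 | Out-String
    if ($out -match 'SID filtering is not enabled') { return 'disabled' }
    if ($out -match 'SID filtering is enabled')     { return 'enabled' }
    return 'unknown'
}

foreach ($trusted in $TrustedDomains) {
    $before = Get-SidFiltering $MyDomain $trusted
    $ok     = Set-SidFiltering $MyDomain $trusted
    $after  = Get-SidFiltering $MyDomain $trusted
    Write-Host ("{0,-20} before={1,-8} set={2,-5} after={3}" -f $trusted, $before, $ok, $after)
    if ($after -ne 'enabled') {
        Write-Warning "SID filtering is not confirmed on the trust with $trusted; check netdom's output by hand."
    }
}
```

The query form (no value after /quarantine) is the part to reuse: run it on its own to audit every trust a domain holds, since a trust whose quarantine was switched off later leaves no trace in the Domains and Trusts console.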

