The Active Directory Domains and Trusts Console
The Active Directory Domains and Trusts console is used to manage domains and trust relationships between domains and forests, change the domain mode, and set user principal name (UPN) suffixes for the forest. With the installation of Windows Server 2003, the Active Directory Domains and Trusts console is added to the Start menu by default. The MMC snap-in file, Domain.msc, can be used to start Active Directory Domains and Trusts from the Run dialog box. You can also start the console from Administrative Tools. The administrative tasks enabled by Active Directory Domains and Trusts can be accessed from the Action menus displayed by selecting a domain name or the root object. You can also perform management tasks on the Properties dialog box of a domain. The administrative tasks that you can use the Active Directory Domains And Trusts MMC snap-in for are summarized below:
- View a console tree listing all the domains in a forest.
- Change the domain mode from Windows 2000 mixed mode to Windows 2000 native mode or Windows Server 2003 functional level. The domain mode is now known as the domain functional level.
- Configure interoperability with domains in other Windows Server 2003 forests and pre-Microsoft Windows 2000 domains through specifying trust relationships between the domains.
- Transfer the domain naming operations master role from one domain controller to a different domain controller.
- Add, delete and change user principal name (UPN) suffixes.
Domain functional levels allow you to enable Active Directory features and functionality in the domain and forest for your network. Windows Server 2003 adds functionality based on the mode of the forest. When a new domain is created in a new forest, the functionality level for the domain is Windows 2000 mixed mode, and the functionality level for the new forest is Windows 2000 mode. When you upgrade the domain controllers in a forest, you can raise the functionality level to support further Active Directory features and functionality.
The following domain functionality levels exist:
- Windows 2000 Mixed domain functionality level is supported by Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers.
- Windows 2000 Native domain functionality level is supported by Windows 2000 and Windows Server 2003 domain controllers.
- Windows Server 2003 Interim domain functionality level is supported by Windows NT 4 and Windows Server 2003 domain controllers.
- Windows Server 2003 domain functionality level is supported by Windows Server 2003 domain controllers.
The following forest functionality levels exist:
- Windows 2000 forest functionality level is supported by Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers.
- Windows Server 2003 Interim forest functionality level is supported by Windows NT 4 and Windows Server 2003 domain controllers.
- Windows Server 2003 forest functionality level is supported by Windows Server 2003 domain controllers.
You can use the Active Directory Domains and Trusts console to create the following types of trusts between domains and forests:
- Tree-root trust
- Parent-child trust
- Shortcut trust
- Forest trust
- Realm trust
- External trust
How to change the domain functionality level using Active Directory Domains and Trusts
1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
2. Proceed to right-click the domain that you want to upgrade and click Raise Domain Functional Level from the shortcut menu.
3. When the Raise Domain Functional Level dialog box opens, use the Select An Available Domain Functional Level drop-down list to choose the domain functionality level that you want to use. The drop-down list only displays the levels that can be specified for the particular domain.
4. Click Raise.
5. When the Raise Domain Functional Level message box appears, click OK.
How to change the forest functionality level using Active Directory Domains and Trusts
1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
2. Proceed to right-click the domain that you want to upgrade and click Raise Forest Functional Level from the shortcut menu.
3. When the Raise Forest Functional Level dialog box opens, use the Select An Available Forest Functional Level drop-down list to choose the forest functionality level you want to use. The drop-down list only displays those levels that can be specified for the particular forest.
4. Click Raise.
5. When the Raise Forest Functional Level message box appears, click OK.
How to add or remove UPN suffixes
1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
2. Right-click the Active Directory Domains And Trusts node and select Properties from the shortcut menu.
3. When the Active Directory Domains And Trusts dialog box appears, click the UPN Suffixes tab.
4. If you want to add a UPN suffix, use the Alternative UPN Suffixes box to enter an alternative UPN suffix. Click Add.
5. If you want to remove a UPN suffix, use the Alternative UPN Suffixes box to indicate the UPN suffix that should be removed. Click Remove.
6. Click Yes to verify your configurations and then click OK.
How to configure different types of trusts between domains and forests using Active Directory Domains and Trusts
Use the steps below to create a shortcut trust between two domains in a forest:
1. Click Start, Administrative Tools and then select Active Directory Domains And Trusts.
2. In the console tree, right-click the domain node for the domain that you want to configure a shortcut trust for, and then select Properties from the shortcut menu.
3. When the Properties dialog box appears, click the Trusts tab.
4. This is the tab used to create new trust relationships between domains.
5. Click New Trust to start the New Trust Wizard.
6. Click Next on the Welcome To The New Trust Wizard page.
7. When the Trust Name page appears, in the Name box, enter the name of the domain that you want to create the trust with. Click Next.
8. Select one of the following options on the Direction Of Trust page:
   o Two-Way
   o One-Way: Incoming
   o One-Way: Outgoing
9. Click Next. When the Sides Of Trust page displays, choose between the following options:
   o This Domain Only, for the trust relationship to be created in the local domain.
   o Both This Domain And The Specified Domain, for the trust relationship to be created in both domains.
10. Click Next. The wizard now uses the options that you have selected in this step and the previous step to display the appropriate pages.
11. The Outgoing Trust Authentication Level page is displayed if you have previously selected the following: Two-Way or One-Way: Outgoing and This Domain Only.
   o You can now select either the Domain Wide Authentication option or the Selective Authentication option to specify user authentication. Click Next.
12. The Trust Password page is displayed if you previously selected the following: One-Way: Incoming and This Domain Only.
   o You have to enter a password in the Trust Password box and Confirm Trust Password box. Click Next.
13. The User Name And Password page is displayed if you previously selected Both This Domain And The Specified Domain.
   o You have to enter a user name and password of an account that has administrative privileges in the domain in the User Name and Password boxes. Click Next.
14. The wizard displays the Trust Selections Complete page. This page contains a list of all the configuration options that you have specified. Click Next.
15. When the Trust Creation Complete page appears, click Next.
16. When the Confirm Outgoing Trust page appears, choose between the following options:
   o Yes, Confirm The Outgoing Trust
   o No, Do Not Confirm The Outgoing Trust
17. Click Next.
18. When the Confirm Incoming Trust page appears, choose between the following options:
   o Yes, Confirm The Incoming Trust
   o No, Do Not Confirm The Incoming Trust
19. Click Next.
20. When the Completing The New Trust Wizard page is displayed, click Finish.
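
Once trusts exist, the choices made on the Direction Of Trust and Outgoing Trust Authentication Level pages can be reviewed from a script. The PowerShell below is an added example, not part of the original text: it maps trust properties back to the wizard's wording and marks outgoing trusts that leave the forest with Domain Wide Authentication. It assumes the ActiveDirectory module's Get-ADTrust cmdlet, which ships with later Windows Server releases than the one described here; the function name Get-TrustReview, the Review flag and the sample domain names are hypothetical.

```powershell
# Added example: express trust properties in the New Trust Wizard's terms.
# Property names follow Get-ADTrust output (Name, Direction, IntraForest,
# ForestTransitive, SelectiveAuthentication). Get-TrustReview is a made-up name.
function Get-TrustReview {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Trust)
    process {
        # Direction, in the wording of the Direction Of Trust page.
        $direction = switch ("$($Trust.Direction)") {
            'BiDirectional' { 'Two-Way' }
            'Inbound'       { 'One-Way: Incoming' }
            'Outbound'      { 'One-Way: Outgoing' }
            default         { 'Unknown' }
        }
        $kind = if ($Trust.IntraForest) {
            'Within forest'
        } elseif ($Trust.ForestTransitive) {
            'Forest trust'
        } else {
            'External or realm trust'
        }
        # The authentication level is chosen only for the outgoing side.
        $outgoing = $direction -in 'Two-Way', 'One-Way: Outgoing'
        $auth = if (-not $outgoing) {
            'n/a (incoming only)'
        } elseif ($Trust.SelectiveAuthentication) {
            'Selective Authentication'
        } else {
            'Domain Wide Authentication'
        }
        # Assumed review rule: outgoing, leaves the forest, not selective.
        $review = $outgoing -and -not $Trust.IntraForest -and -not $Trust.SelectiveAuthentication
        [pscustomobject]@{
            Name = $Trust.Name; Direction = $direction; Kind = $kind
            Authentication = $auth; Review = $review
        }
    }
}

# Constructed sample objects (not real domains) so the function runs without a directory.
$sample = @(
    [pscustomobject]@{ Name = 'sales.example.test';   Direction = 'BiDirectional'; IntraForest = $true;  ForestTransitive = $false; SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'partner.example.test'; Direction = 'Outbound';      IntraForest = $false; ForestTransitive = $false; SelectiveAuthentication = $false }
    [pscustomobject]@{ Name = 'vendor.example.test';  Direction = 'Inbound';       IntraForest = $false; ForestTransitive = $false; SelectiveAuthentication = $false }
)
$sample | Get-TrustReview | Format-Table -AutoSize

# Against a live domain: Get-ADTrust -Filter * | Get-TrustReview
```

With the constructed input, only partner.example.test is marked for review; the shortcut trust inside the forest and the incoming-only trust are not.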