1. Describing AD DS Domain Trees
An AD DS tree consists of multiple domains
connected by two-way transitive trusts. Each domain in an AD DS tree
shares a common schema and global catalog. In Figure 2, the root domain of the AD DS tree is companyabc.com and the subdomains are asia.companyabc.com and europe.companyabc.com.
Figure 2. A Windows Server 2012 AD DS tree with subdomains.
The transitive trust relationship is
automatic. The transitive trust relationship means that because the
Asia domain trusts the root companyabc domain, and the Europe domain
trusts the companyabc domain, the Asia domain trusts the Europe domain
as well. The trusts flow through the domain structure.
Note
Although trusts are transitive in an AD DS
environment, that does not mean that permissions are fully accessible
to all users or even to administrators between domains. The trust only
provides a pathway from one domain to another. By default, no access
rights are granted from one transitive domain to another. The
administrator of a domain must issue rights for users or administrators
in another domain to access resources within their domain.
All domains within a tree share the same
namespace (in this example, companyabc.com), but have security
mechanisms in place to segregate access from other domains. In other
words, an administrator in the Europe domain could have relative
control over his entire domain, without users
from the Asia or companyabc domains having privileges to resources.
Conversely, the administrators in Europe can allow groups of users from
other domains access if they so want. The administration is granular
and configurable.
Incidentally, just because you can create subdomains within a forest, such as the ones shown in Figure 2,
does not meant that it makes sense to do so. Many environments are
better served with a single domain for all of their worldwide
resources, and after you make the decision to create subdomains, it is
not easy to change your mind and move resources later.
2. Describing Forests in AD DS
Forests are a group of interconnected domain
trees. Implicit trusts connect the roots of each tree together into a
common forest.
The overlying characteristics that tie
together all domains and domain trees into a common forest are the
existence of a common schema and a common global catalog. However,
domains and domain trees in a forest do not need to share a common
namespace. For example, the domains microsoft.internal and
technet.internal could theoretically be part of the same forest but
maintain their own separate namespaces.
Forests are the main organizational
security boundary for AD DS, and it is assumed that all domain
administrators within a forest are trusted to some degree. If a domain
administrator is not trusted, that domain administrator should be
placed in a separate forest.
3. Understanding the AD DS Authentication Modes
Windows NT 4.0 used a system of
authentication known as NT LAN Manager (NTLM). This form of
authentication sent the encrypted password across the network in the
form of a hash. The problem with this method of authentication was that
anyone could monitor the network for passing hashes, collect them, and
then use third-party decryption tools that effectively decrypt the
password using dictionary and brute-force techniques.
All versions of Windows Server
beyond Windows 2000 use a form of authentication known as Kerberos. In essence,
Kerberos does not send password information over the network and is
inherently more secure than NTLM.
4. Outlining Functional Levels in Windows Server 2012 AD DS
Just as Windows 2000 and Windows 2003 had
their own functional levels that ensured down-level compatibility with
legacy domain versions, Windows Server 2012 has its own functional
levels that are used to maintain compatibility.
By default, a fresh installation of Active
Directory on Windows Server 2012 DCs automatically puts you into
Windows Server 2012 domain and forest functional levels. If you install
Windows Server 2012 DCs into an existing legacy domain, however, you
are allowed to choose which functional level you want to start the
forest in. If an existing forest is in place, you can bring it to
Windows Server 2012 functional level as follows:
1. Ensure that all DCs in the forest are upgraded to Windows Server 2012 or replaced with new Windows Server 2012 DCs.
2. Open Active Directory Domains and Trusts from the Tools menu in Server Manager on a DC.
3. In the left scope pane, right-click the domain name, and then click Raise Domain Functional Level.
4. In the Raise Domain Functional Level box, select Windows Server 2012, and then click Raise.
5. Click OK, and then click OK again to complete the task.
6. Repeat steps 1–5 for all domains in the forest.
7. Perform the same steps on the forest root, except this time choose Raise Forest Functional Level and follow the prompts.
When all domains and the forest
level have been raised to Windows Server 2012 functionality, the forest
can take advantage of the latest AD DS functionality. Remember, before
you accomplish this task in a mixed-mode environment, Windows Server
2012 essentially operates in a downgraded mode of compatibility.
