We must now raise both the domain and forest functional levels to Windows Server 2003 if we are to create a forest trust between guinea.pig and piggy.wig. Every domain in both forests is currently running at the Windows 2000 mixed functional level. Before we can raise the forest functional level, we must raise each domain's functional level to Windows Server 2003.
When you raise a domain's or a forest's functional level, there is no going back! This action cannot be undone. From here on out, only domain controllers running Windows Server 2003 can be added to each domain and forest. This is important if you still have servers running Windows 2000 Server or Windows NT Server 4.
1. On DC01, open Active Directory Domains and Trusts. The left window pane displays our forest, guinea.pig, along with the domains contained within it (denver and austin).
2. In the left window pane, right-click denver.guinea.pig and choose Raise Domain Functional Level. The Raise Domain Functional Level dialog box appears.
3. In the field labeled Select an available domain functional level, select Windows Server 2003 in the drop-down list:
4. Click Raise and OK. Windows informs you of the change in domain status.
5. Repeat steps 2 through 4 for guinea.pig and austin.guinea.pig.
We must wait for these changes to replicate to all domain controllers in each domain. You can also force replication, as discussed earlier in the chapter (Note: see page 195).
We must now raise the forest functional level to Windows Server 2003.
1. After the changes have either replicated or been force-replicated, right-click the item labeled Active Directory Domains and Trusts in the left window pane and choose Raise Forest Functional Level.
2. Choose Windows Server 2003 in the field labeled Select an available forest functional level. Click Raise and OK. Windows informs you of the change in forest status.
3. Raise the forest functional level of our new forest, piggy.wig, to Windows Server 2003 in the same way (as noted above, its domain functional level must be raised first).
The path is now paved for our two forests to start talking to each other.
The following tutorial describes the process of creating a two-way forest trust between the guinea.pig and piggy.wig forests. (Note: the following can be performed on either DC01 in guinea.pig or DCA in piggy.wig.) For the purposes of our example here, we create the trust using DC01.
1. On DC01, open Active Directory Domains and Trusts. In the left window pane, right-click guinea.pig and choose Properties.
2. The guinea.pig Properties window appears. Click the Trusts tab. A display of all trusts in the forest appears. Currently, we have a two-way, transitive trust between the guinea.pig, denver.guinea.pig, and austin.guinea.pig domains.
3. Click the button labeled New Trust. The New Trust wizard appears. Click Next.
4. Enter the full DNS name of the forest with which we wish to create a trust. In our case, this is piggy.wig. Click Next.
5. The next window asks what kind of trust we wish to create. Click the option labeled Forest trust and click Next.
6. The wizard asks about the trust direction. Click Two-way and click Next.
7. The next window asks where the trust should be created. Since we wish to create the trust in both forests, click the option labeled Both this domain and the specified domain. Click Next.
8. Since we are creating the trust in both forests, we must enter the username and password of an administrative user in the piggy.wig forest in order to create the trust there. Enter the proper administrator username and password and click Next.
9. Select Forest-wide authentication on the next two screens, clicking Next on each.
10. You are presented with a summary screen. Click Next twice.
11. On the next two screens, select Yes, confirm the outgoing trust and Yes, confirm the incoming trust. This process ensures that our trust is working correctly. Click Finish.
We now have a forest trust created between the guinea.pig forest (and all domains contained therein) and the piggy.wig forest. Note that the piggy.wig forest contains only one domain, but it could contain more. The trust would then extend to those child domains as well.
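Once both forests have been raised and the trust created, it is worth checking the result from a script rather than trusting the wizard's confirmation alone. The following PowerShell is an added example, not part of the book's procedure; it assumes the ActiveDirectory module (RSAT) can reach the domain, which on Windows Server 2003 domain controllers requires the Active Directory Management Gateway Service, and it uses the forest and domain names from the text.

```powershell
# Added verification script (not from the book). Assumes the ActiveDirectory
# PowerShell module is installed and can query guinea.pig.
Import-Module ActiveDirectory

$ExpectedDomainMode = 'Windows2003Domain'   # target level from the text
$ExpectedForestMode = 'Windows2003Forest'
$LocalForest        = 'guinea.pig'          # forest we are checking from
$PartnerForest      = 'piggy.wig'           # the trusted forest

function Test-FunctionalLevels {
    param([string]$Forest)
    $f = Get-ADForest -Identity $Forest
    # Every domain must be at the target level before the forest can be raised,
    # so report each domain first, then the forest itself.
    foreach ($d in $f.Domains) {
        $dom = Get-ADDomain -Identity $d
        $ok  = $dom.DomainMode.ToString() -eq $ExpectedDomainMode
        '{0,-25} {1,-24} {2}' -f $d, $dom.DomainMode, $(if ($ok) { 'OK' } else { 'RAISE FIRST' })
    }
    $fok = $f.ForestMode.ToString() -eq $ExpectedForestMode
    '{0,-25} {1,-24} {2}' -f "$Forest (forest)", $f.ForestMode, $(if ($fok) { 'OK' } else { 'NOT RAISED' })
}

function Test-ForestTrust {
    param([string]$Partner)
    # Trust objects live in the forest root domain; filter on the partner name.
    $t = Get-ADTrust -Filter "Name -eq '$Partner'" -ErrorAction SilentlyContinue
    if (-not $t) { return "No trust object for $Partner found in $LocalForest" }
    [pscustomobject]@{
        Partner                 = $t.Name
        Direction               = $t.Direction               # expect BiDirectional (two-way)
        ForestTransitive        = $t.ForestTransitive        # expect True for a forest trust
        SelectiveAuthentication = $t.SelectiveAuthentication # False = forest-wide auth, as chosen in the wizard
        SIDFilteringForestAware = $t.SIDFilteringForestAware # SID filtering is on by default for new forest trusts
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined # review before ever relaxing either setting
    }
}

Test-FunctionalLevels -Forest $LocalForest
Test-ForestTrust -Partner $PartnerForest
```

Run the same two checks from a domain controller in piggy.wig to confirm the incoming side of the trust was created there as well.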
We now turn to the process of sharing resources across forests. In order to accomplish this, users in one forest must be added to a global group. Within the same forest, that global group must be added to a universal group. In the second forest, the universal group from the first forest must be added to a domain local group, which is used to set permissions on the shared resource. Figure 5-6 illustrates this process: