Active Directory Domains and Trusts Snap-in

Active Directory Domains and Trusts Snap-in

The Active Directory Domains and Trusts snap-in is an enterprise administrator's tool that allows you to look up the forest easily and select a domain for administering. Other purposes of the Active Directory Domains and Trusts snap-in are discussed below in detail.

An example of a forest (which contains two non-adjacent trees — net.dom and dotnet.dom) represented in the snap-in's main window is shown in Fig. 7.19. If you point to a domain in the tree and select the Manage command on the context or Action menus, the Active Directory Users and Computer snap-in will be started for this domain.

click to expand
Fig. 7.19: Selecting a domain for management in the enterprise (domain forest)

Raising Functional Level

Using the Active Directory Domains and Trusts snap-in, you can raise the domain as well as the forest functional level. In Windows 2000, a similar operation is called changing mode (mixed mode or native mode). Right click a domain in the domain tree and select the Raise Domain Functional Level command on the context menu (see Fig. 7.19). You will see a window (Fig. 7.20) that informs you about the current domain level and possible levels (if available).

click to expand
Fig. 7.20: Selecting functional level of a domain

If the domain consists of Windows .NET-based domain controllers only, you can raise the domain level to Windows .NET (version 2002) right away. Select a level and click Raise. If there are domain controllers on other platforms (Windows NT 4.0 or Windows 2000), then the operation will fail. The system will report the controllers that prevent raising the functional level. Such a report will contain lines similar to the following:

     The following domains include domain controllers that are running earlier     versions of windows:     Domain NameDomain Controller Version of Windows Windows 2000 Server 5.0 (2195) 

Otherwise, the operation will be replicated over other controllers in the same domain. Wait until replication has been completed. Then, you can verify functional levels by querying the RootDSE object on domain controllers (see Chapter 1, "LDAP Basics").

To raise the forest level, point to the root in the tree pane (Fig. 7.21) and select the Raise Forest Functional Level command on the context menu. Again, all errors that have occurred will be reported.

click to expand
Fig. 7.21: Raising forest functional level

If two domain forests have the Windows .NET (version 2002) functional level, then the Active Directory Domains and Trusts snap-in will allow you to establish forest trusts between root domains of those forests.

Using User Principal Names (UPN)

The concept of user principal names can considerably simplify the logon process in large domain trees. While logging on, the domain users can use one of two methods for specifying their names. They can:

  • Enter a UPN name, such as user@DNSdomainName (in this case, the domain list becomes unavailable).

  • Enter a pre-Windows 2000 (SAM account) user name (without the "@" symbol) and then select a domain from the list.

Each method has certain advantages. It may be inconvenient to enter long domain names, such as The first method is, in fact, just a particular instance of a general format: userName@UPNSuffix. The default UPN suffix is the DNS name of that domain where a user account is located. It is possible to add alternative suffixes that can be used by all users of a domain forest.

To add a UPN suffix, open the Active Directory Domain and Trusts snap-in, point to the root in the tree pane, and select Properties from the context menu. Enter a suffix in the Alternative UPN suffixes field and click Add and Apply. The entered suffix (net in Fig. 7.22) will appear in the dialog box during new user creation.

click to expand
Fig. 7.22: Adding an alternative UPN suffix

Now you can choose any UPN suffix for a new user (the current domain, parent domain and alternative UPN suffixes) or change the UPN name for an existing user. Let us create, for example, a user with the logon parameters shown in Fig. 7.23. Initially, the logon name and the pre-Windows 2000 name are the same, but you can specify any name you like.

click to expand
Fig. 7.23: Choosing UPN suffixes during new user creation

The created user will be able to log onto the domain tree with the following names (the password will be the same for both logon names):

  • EntAdmin@net — UPN name

  • EAdmin (and a domain name selected from the list) — SAM account name

You can also check these names using the ADSI Edit snap-in (sAMAccountName is a mandatory attribute, and userPrincipalName is an optional attribute).


Notice that, by default, the "built-in" Administrator and Guest accounts do not have UPN names.


UPN names are not supported by Windows 9x/ME clients.

Understandably, all account names must be unique. SAM account (pre-Windows 2000) names in the same domain cannot be repeated. A full name must not be used more than once in an OU. However, the same full name can be used for accounts in different OUs (because the canonical names of objects will differ, e.g., Smith and Smith), provided that the UPN and SAM account names are different (e.g., and; JSMITH and JOHNS).

Verifying Trusts

A domain administrator can use the Active Directory Domains and Trusts snap-in for verifying trusts between domains and for creating new trusts. This process primarily concerns trusts with Windows NT 4.0 domains. Such trusts must be manually created (see Chapter 5, "Installing Active Directory").

However, you may also want to create explicit, unidirectional trusts between AD-based domains that belong to different domain trees (or forests — if the forest trusts are established) or even to the same tree. This, for instance, may be required in order to reduce logon time into a "remote" domain. Here, "remote" is related to the "distance" between domains in a tree structure. (All considerations stated are even applicable to transitive Kerberos trusts.)

For example, the and domains (Fig. 7.24) can be regarded as "remote", because trusts between trees in a forest are established through the root domains.

click to expand
Fig. 7.24: A shortcut trust between two "remote" domains

To check a trust between domains:

  1. Open the Properties window for a domain.

  2. Select a trust on the Trusts tab and click Properties (in Windows 2000 — Edit).

  3. In the next window, click Validate (in Windows 2000—Verify). If the trust is operational, you should see the message: "The trust has been verified. It is in place and active." If the system reports an error and proposes that you reset the trust, confirm the operation. Usually, the trusts will be reset successfully. In Windows .NET, you can simultaneously verify both sides of two-way trusts if you know a domain administrator's credentials in the second domain.

You can also use the NetDom tool for verifying and resetting trusts.

Windows  .NET Domains & Active Directory
Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154 © 2008-2017.
If you may any questions please contact us: