No announcement yet.

2000/2008 forest trusts ?

  • Filter
  • Time
  • Show
Clear All
new posts

  • 2000/2008 forest trusts ?

    I may be able to find this info over the weekend, but i've already got 14 million things to read, understand, and design, by midday monday.. so yea.

    We're planning a global AD upgrade. It's currently in windows 2000 mixed mode (I think) - multiple domains within a forest.

    WE're going to deploy a new forest using 2008 Server, and a 2008 AD.
    Will we be able to configure a trust between the new 2008 forest, and the existing 2000 forest, such that every domain and subdomain in the existing structure, will be able to trust anything in the new domain ?

    We'll probably be putting some 2003 servers into the 2008 domain, so we won't be able to go full 2008 native mode straight up..
    Please do show your appreciation to those who assist you by leaving Rep Point

  • #2
    Re: 2000/2008 forest trusts ?

    A new type of trust introduced with 2k3 was "forest trusts":

    Forest trusts allow transitivity between all domains in all forests. However you need the forest functional level of 2k3 to implement them.

    Therefore in your situation if you need trusts between all domains and your new forest you'll need to configure individual trusts. Unless of course, theres a way to do it that I don't know about



    • #3
      Re: 2000/2008 forest trusts ?

      Crap. So we'd have to increase the domain/forest functional level of existing domain to be 2k3 native, which it can't be if it has 2000 DCs in it.

      Hmm. The domains i can make 2k3 native, I will.. and that'll be ok.

      couple of domains i cna't do that with though... so i might need to do explicit trusts between those sub domains and the new domain.

      If this helps at all define what i'm trying to do:

      currentl domain (dom, forest) (dom) (dom) (dom) (dom)

      new plan: (dom, forest)
      na (OU)
      AP (ou)
      eu (ou)
      uk (ou)

      the na domain in particular has a 2000 DC in it. most of the rest are 2K i beleive.

      maybe i could just drop that server out of the domain.
      Please do show your appreciation to those who assist you by leaving Rep Point