Monday, August 02, 2010 1:58 PM
VMM Tricks: VMM Domain Function Level … Why
Most of us already know that VMM 2008 R2 requires the Windows 2003 domain level for installation, and I have already blogged about some errors that you may face if VMM is connected to and authenticated by a Windows 2000 domain controller during the installation phase.
But a new question came up when someone asked me, “Why Windows 2003 Domain Level?”
Kerberos authentication is a prerequisite for VMM.
To configure your environment to allow users in one Active Directory
Domain Services (AD DS) domain to access VMM resources in another
domain, you can either ensure that both domains are in the same forest
or configure a forest-level trust relationship and use Kerberos
authentication. To set up a forest-level trust relationship, both
domains must be in Windows Server 2003 forest mode. Windows 2000 Server
does not support forest-level trusts.
Windows Server 2003 and Windows 2000 Server environments that contain
complex group structures can encounter problems with an access token
limitation during authentication.
The Kerberos access token in a Windows 2000 native-mode environment had
many limitations, and the resolution is simply to raise the domain
functional level to Windows 2003.
For details, see Microsoft's "Addressing Problems Due to Access Token Limitation".