VMM Tricks: VMM Domain Function Level … Why

So most of use already knows that VMM 2008 R2 required Windows 2003 Domain level for the installation and I already blogged about some error that you may face if VMM is connected and authenticated by windows 2000 domain controller in the installation phase.

But it was a new question when one asked me “Why Windows 2003 Domain Level?”

Kerberos authentication is a prerequisite for VMM. To configure your environment to allow users in one Active Directory Domain Services (AD DS) domain to access VMM resources in another domain, you can either ensure that both domains are in the same forest or configure a forest-level trust relationship and use Kerberos authentication. To set up a forest-level trust relationship, both domains must be in Windows Server 2003 forest mode. Windows 2000 Server does not support forest-level trusts.

Windows Server 2003 and Windows 2000 Server environments that contain complex group structures can encounter problems with an access token limitation during authentication.

The Kerberos Access Token in Windows 2000 native mode environment had many limitations and the resolution is just simply to raise domain function level to Windows 2003.

Check MS Addressing Problems Due to Access Token Limitation
http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc