I don't remember the details, but it appears that AES256 encryption for service tickets and TGTs can be a default in Windows Server 2008: http://technet.microsoft.com/en-us/library/cc749438(v=ws.10).aspx (there's a table about half way down)
Cheers
Ken

From: Donovan Oliver [mailto:[email protected]]
Sent: Wednesday, 13 February 2013 9:11 AM
To: NT System Admin Issues
Subject: RE: AD Domain upgrade: 2003 to 2008R2

I thought AES256 was a type of Kerberos encryption that could optionally be applied to user objects, but did not operate elsewhere. Is there some background use of AES256 in a 2008 environment that is somehow on by default (thus imposing a forced change to devices that attempt to communicate using another Kerberos method)? It sounds as though your example involved a customer that chose to attempt the use of AES256 and discovered an incompatible client.

Short of a months-long investigation of software and devices, what about just turning off the last 2003 DC temporarily? How long can the rest of the 2008 DCs manage without replicating to one of their members? Would such a test only yield discoverable failed results if the clients are restarted during the outage?

- Donovan

From: Webster [mailto:[email protected]]
Sent: Tuesday, February 12, 2013 11:01 AM
To: NT System Admin Issues
Subject: RE: AD Domain upgrade: 2003 to 2008R2

The only issue I have come across is infrastructure devices that do AD Integration but can't handle AES-256. Those devices have to be switched to do LDAP.

I have done many 2003 to 2008 R2 migrations, then removing the 2003 DCs and moving to 2008 R2 DFL/FFL. The above is the only issue I have come across. Research your software and infrastructure devices to make sure there is nothing that is going to bite you in the rear.

Thanks
Webster

From: Donovan Oliver [mailto:[email protected]]
Subject: AD Domain upgrade: 2003 to 2008R2

I've seen it mentioned here a few times that domain upgrades from 2003 to 2008/2008R2 are really smooth (HW replacement, not in-place upgrades). It's also been mentioned that promoting the first DC is not an issue, but sometimes removing the last 2003 DC can create problems. What I haven't seen an answer to is: what sort of problems?

Aside from NT4.0 issues (i.e. don't expect them to work), what can be done beforehand to check for potential breakage? What steps can be taken? How do you ensure that last DC removal won't hurt you?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
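The thread asks what can be checked beforehand for devices that do AD integration but cannot handle AES-256. The script below is an added example, not code from anyone in the thread: it inventories the Kerberos encryption types each computer and SPN-bearing account advertises via msDS-SupportedEncryptionTypes, and then reads recent 4769 (service ticket issued) events from a 2008 R2 DC to see which clients and services are actually still getting RC4 or DES tickets. It assumes the RSAT ActiveDirectory module is available, that it runs on or against a 2008 R2 DC with "Audit Kerberos Service Ticket Operations" enabled, and that the account running it can read the Security log; the seven-day window and the flag names are this example's own choices.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and rights to read the Security log on a 2008 R2 DC with Kerberos service
# ticket auditing enabled.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes as defined by Windows.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08
    AES256      = 0x10
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    # An absent attribute reads as 0; the KDC then treats the account as RC4-only.
    if ($Mask -eq 0) { return 'unset (treated as RC4)' }
    ($EncTypeFlags.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }) -join ','
}

# 1. Accounts that do not advertise AES at all. Appliances that "do AD
#    integration" and were joined with old tooling typically land here.
$noAes = Get-ADObject -LDAPFilter '(|(objectClass=computer)(servicePrincipalName=*))' `
    -Properties 'msDS-SupportedEncryptionTypes', operatingSystem |
    Where-Object {
        $m = [int]($_.'msDS-SupportedEncryptionTypes')
        -not ($m -band 0x18)   # neither the AES128 nor the AES256 bit is set
    } |
    Select-Object Name, objectClass, operatingSystem,
        @{ n = 'EncTypes'; e = { ConvertFrom-EncTypeMask ([int]($_.'msDS-SupportedEncryptionTypes')) } }

"Accounts without AES support advertised:"
$noAes | Format-Table -AutoSize

# 2. What the KDC actually issued in the last week. Event 4769 carries the
#    ticket encryption type: 0x12 = AES256, 0x11 = AES128, 0x17 = RC4-HMAC,
#    0x1/0x3 = DES. Anything that is not AES is a client/service pair to review
#    before the last 2003 DC goes away.
$since = (Get-Date).AddDays(-7)   # window chosen for this example
$legacy = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Client  = $d['IpAddress']
            Service = $d['ServiceName']
            EncType = $d['TicketEncryptionType']
        }
    } |
    Where-Object { $_.EncType -ne '0x12' -and $_.EncType -ne '0x11' } |
    Group-Object Client, Service, EncType -NoElement |
    Sort-Object Count -Descending

"Service tickets issued without AES in the last 7 days (client, service, enctype, count):"
$legacy | Format-Table -AutoSize
```

The attribute query tells you what each account claims to support; the event query tells you what is actually being negotiated, which is the better signal for appliances that authenticate as a user account rather than a joined computer. Run the second part against each 2008 R2 DC, since 4769 is logged only on the DC that issued the ticket.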
