Thanks Bob! Let me buy you one (or a few) at TEC...
From: Free, Bob [mailto:[email protected]] Sent: Friday, January 08, 2010 6:22 PM To: NT System Admin Issues Subject: RE: Adding 2008 DC's... > I haven't seen anything documented about raising the DFL/FFL causing security > changes. It's that first DC that I'm concerned with, raising FLs comes later in the game. There are a few changes that can be made when you introduce the first 2K8 DC into the domain if they are not specifically configured in your DC policy that could affect functionality. There are also some tighter settings that are now baked in that could possibly need to be relaxed. To mitigate them, it may even be necessary to edit the DC policies from an up-level client prior to introducing the first 2K8 DC as the settings required aren't available to the 2K3 editor.. For example, if you had left LMCompatibility level at the default of 2 but not configured it in your GPO, it would be raised to 3 across the domain. Null session shares are cleared from the DC's registry if not defined in GPO, NullSessionPipes list is shorter. There are some NTLM changes http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx There is the NT4 Crypto issue previously mentioned. Etc. etc. DES is turned off in R2/WIN7 and can affect some apps that only use DES for Kerberos encryption, SAP and some JAVA implementations been mentioned as possible issues. http://support.microsoft.com/kb/977321 The list goes on. There are 2 sources I'd recommend reviewing before plunking in the first DC. Glen LeCheminant's blog http://blogs.technet.com/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx We had the luxury of having Glen come on site and help with our review and he pointed us to this resource that Product Services is maintaining on TechNet-- Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains. http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx Especially look at "known issues" This document is dynamic so I would check back occasionally. These may all be uneventful in most environments but I'm not going to break something like SAP AuthN / AuthZ or some critical app that runs on some long forgotten NAS box if I can help it. I'm getting too old for a RGE :) --bob From: Michael Waltonen [mailto:[email protected]] Sent: Friday, January 08, 2010 6:29 AM To: NT System Admin Issues Subject: RE: Adding 2008 DC's... I haven't seen anything documented about raising the DFL/FFL causing security changes. Do you have anything about this that you can share? I have seen the 2008 DCs removed some crypto options from netlogon, but there's a GPO setting to add the support back. -Mike From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Thursday, January 07, 2010 12:51 PM To: NT System Admin Issues Subject: RE: Adding 2008 DC's... It removes a number of "obsolete" security options. I quote the word "obsolete" because some older/insecure products depend on them. Older versions of SAMBA for example. Some NAS that based on older versions of SAMBA, etc. I ran into a product at one customer called a "CAS" that allowed a single sign-on to Apache/IIS/and Windows by actually doing a man-in-the-middle attack! It depended on this too. From: David Lum [mailto:[email protected]] Sent: Thursday, January 07, 2010 1:36 PM To: NT System Admin Issues Subject: RE: Adding 2008 DC's... >From what I've read changing the functional level to 2008 doesn't really "do" >anything I particular anyway, right? From: Michael B. Smith [mailto:[email protected]] Sent: Thursday, January 07, 2010 9:09 AM To: NT System Admin Issues Subject: RE: Adding 2008 DC's... You have to run the schema upgrade, but nothing says that you ever have to bump the domain functional level or the forest functional level. I've done this for a number of customers, with no ill effect. I'd recommend you roll out 2008 or 2008 R2. It'll save you work in the future. From: David Lum [mailto:[email protected]] Sent: Thursday, January 07, 2010 12:00 PM To: NT System Admin Issues Subject: Adding 2008 DC's... We have an environment with five 2003 Server DC's. I need to roll out two new DC's and would like to make them 2008 Server. Do you guys consider this a major or minor infrastructure change? I'm on the fence - existing DC's are untouched save for running ADPREP on the schema master, otherwise the existing DC's are untouched. Lots of new features though and to me just as importantly 2008 will be supported for years to come. My fellow SE's are telling me to just roll out 2003 and call it good, but to me it seems silly since our DC's typically hang around a long time (6+ years currently), and in 5 years security patches go away for 2003 (extended support ends 7/2015, and mainstream support ends 7/2010). Comments? David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
