Not 100% true, as raising the forest functional level traditionally added
attributes to the partial attribute set, which is technically a schema change.
Whether or not this will still happen when you go to 2008 FFL depends on what
FFL you're at now.

Thanks,
Brian Desmond
[email protected]

c – 312.731.3132


> -----Original Message-----
> From: Michael B. Smith [mailto:[email protected]]
> Sent: Monday, February 08, 2010 8:04 AM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's... (revisited)
> 
> Adprep adds the schema changes.
> 
> None of the new features are activated until the DFL or FFL is increased.
> 
> Regards,
> 
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
> 
> From: Palmer, Neal [mailto:[email protected]]
> Sent: Monday, February 08, 2010 7:53 AM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's... (revisited)
> 
> Hi all,
> 
> (Apologies for the long unwieldy sentences!) (D/FL = Domain/Forest
> Functional Level)
> 
> I just wondered if anyone can confirm that the AD DS updates/Schema
> changes and features are all performed during the Adprep before you
> install/add the first W2K8 DC to a domain… and not when you move to D/FL
> W2K8?
> 
> It seems I can’t find information that specifies which new features of W2K8
> are added to AD/Schema during the process of joining to the domain as a DC,
> and what is added later once you’ve W2K8’d all your DC’s and decide to
> move to W2K8 D/FL.
> 
> If there are 3 stages:
> 
> 1. ADPrep the domain for W2K8
> 2. Install/join a W2K8 DC
> 3. Up the functional/domain level
> 
> I’m a little unsure of what is or isn’t available at each stage.
> 
> We have a W2K3 DL and all W2K3 DC’s. I’m just researching before
> presenting info/requirements to start moving to W2K8. First stage is to get
> one W2K8 DC in…
> 
> Thanks
> 
> Neal
> 
> 
> 
> From: Brian Desmond [mailto:[email protected]]
> Sent: 27 January 2010 06:16
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> The particular issue Bob noted is one of those obscure things that’s unlikely
> to affect most people, so I wouldn’t generally worry about it much. Just FYI…
> 
> Thanks,
> Brian Desmond
> [email protected]
> 
> c - 312.731.3132
> 
> From: Palmer, Neal [mailto:[email protected]]
> Sent: Monday, January 25, 2010 5:05 AM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> Hi from a lurker ☺
> 
> Can I just thank you guys for this heads-up and your post Bob… I’m tasked with
> investigating a 2003>2008 domain raise this year and this is an awesome
> starting point!
> 
> Thanks!
> 
> Neal
> 
> ___________________________________________________________
> 
> Neal Palmer Senior Technical Support Officer UWIC, Cardiff, Wales…
> ___________________________________________________________
> 
> From: Brian Desmond [mailto:[email protected]]
> Sent: 09 January 2010 02:55
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> It changes because of the new crypto types IIRC and needing to have a hash
> in that new format.
> 
> Thanks,
> Brian Desmond
> [email protected]
> 
> c – 312.731.3132
> 
> From: Free, Bob [mailto:[email protected]]
> Sent: Friday, January 08, 2010 6:27 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> Michael- I’m probably further in your debt than the other way around ☺
> 
> One thing this conversation did stir up in my addled old brain that is actually
> germane to the “what happens when I flip the bit” question is that when you
> switch DFL your krbTGT account has its password changed.
> 
> I remember Brian Puhl talking about when they flipped the REDMOND
> domain to Server 2008 DFL, they experienced an issue with some of their
> application servers suddenly failing to authenticate because of the password
> change. They tried to repro it and I don’t think they ever did. Something to
> keep in the back of your mind.
> 
> My bet is it changes twice like is recommended in the AD DR WP or the
> joeware “what to do if one of your DCs gets stolen” instructions. I’d guess it
> is baked in as they actually have an event in 2K8 telling you to change it twice
> if you have to change it for some reason. Looking at replication metadata for
> pwdLastSet bears that out. I’m not clear on why it needs to be changed
> when raising FL but there must be a good reason.
> 
> Cheers
> 
> --bob
> 
> 
> 
> From: Michael B. Smith [mailto:[email protected]]
> Sent: Friday, January 08, 2010 3:35 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> Thanks Bob!
> 
> Let me buy you one (or a few) at TEC…
> 
> From: Free, Bob [mailto:[email protected]]
> Sent: Friday, January 08, 2010 6:22 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> > I haven’t seen anything documented about raising the DFL/FFL causing
> > security changes.
> 
> It’s that first DC that I’m concerned with; raising FLs comes later in the game.
> 
> There are a few changes that can be made when you introduce the first 2K8
> DC into the domain if they are not specifically configured in your DC policy
> that could affect functionality. There are also some tighter settings that are
> now baked in that could possibly need to be relaxed. To mitigate them, it
> may even be necessary to edit the DC policies from an up-level client prior to
> introducing the first 2K8 DC as the settings required aren’t available to the
> 2K3 editor.
> 
> For example, if you had left LMCompatibility level at the default of 2 but not
> configured it in your GPO, it would be raised to 3 across the domain. Null
> session shares are cleared from the DC’s registry if not defined in GPO, and the
> NullSessionPipes list is shorter. There are some NTLM changes:
> http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx
> There is the NT4 Crypto issue previously mentioned. Etc. etc.
> 
> DES is turned off in R2/WIN7 and can affect some apps that only use DES for
> Kerberos encryption; SAP and some JAVA implementations have been mentioned
> as possible issues. http://support.microsoft.com/kb/977321
> 
> The list goes on. There are 2 sources I’d recommend reviewing before
> plunking in the first DC.
> 
> Glenn LeCheminant’s blog
> http://blogs.technet.com/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx
> 
> We had the luxury of having Glenn come on site and help with our review and
> he pointed us to this resource that Product Services is maintaining on
> TechNet:
> 
> Microsoft Support Quick Start for Adding Windows Server 2008 or Windows
> Server 2008 R2 Domain Controllers to Existing Domains.
> http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx
> 
> Especially look at “known issues”. This document is dynamic, so I would check
> back occasionally.
> 
> These may all be uneventful in most environments but I’m not going to break
> something like SAP AuthN / AuthZ or some critical app that runs on some
> long forgotten NAS box if I can help it. I’m getting too old for a RGE ☺
> 
> --bob
> 
> 
> From: Michael Waltonen [mailto:[email protected]]
> Sent: Friday, January 08, 2010 6:29 AM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> I haven’t seen anything documented about raising the DFL/FFL causing
> security changes.  Do you have anything about this that you can share?
> 
> I have seen that 2008 DCs remove some crypto options from netlogon, but
> there’s a GPO setting to add the support back.
> 
> -Mike
> 
> From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
> Sent: Thursday, January 07, 2010 12:51 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> It removes a number of “obsolete” security options.
> 
> I quote the word “obsolete” because some older/insecure products depend
> on them. Older versions of SAMBA for example. Some NAS that are based on
> older versions of SAMBA, etc.
> 
> I ran into a product at one customer called a “CAS” that allowed a single sign-on
> to Apache/IIS/and Windows by actually doing a man-in-the-middle attack!
> It depended on this too.
> 
> From: David Lum [mailto:[email protected]]
> Sent: Thursday, January 07, 2010 1:36 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> From what I’ve read changing the functional level to 2008 doesn’t really “do”
> anything in particular anyway, right?
> 
> From: Michael B. Smith [mailto:[email protected]]
> Sent: Thursday, January 07, 2010 9:09 AM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's...
> 
> You have to run the schema upgrade, but nothing says that you ever have to
> bump the domain functional level or the forest functional level.
> 
> I’ve done this for a number of customers, with no ill effect.
> 
> I’d recommend you roll out 2008 or 2008 R2. It’ll save you work in the future.
> 
> From: David Lum [mailto:[email protected]]
> Sent: Thursday, January 07, 2010 12:00 PM
> To: NT System Admin Issues
> Subject: Adding 2008 DC's...
> 
> We have an environment with five 2003 Server DC’s. I need to roll out two
> new DC’s and would like to make them 2008 Server. Do you guys consider
> this a major or minor infrastructure change? I’m on the fence – existing DC’s
> are untouched save for running ADPREP on the schema master, otherwise
> the existing DC’s are untouched. Lots of new features though and to me just
> as importantly 2008 will be supported for years to come.
> 
> My fellow SE’s are telling me to just roll out 2003 and call it good, but to me it
> seems silly since our DC’s typically hang around a long time (6+ years
> currently), and in 5 years security patches go away for 2003 (extended
> support ends 7/2015, and mainstream support ends 7/2010).
> 
> Comments?
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

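As an added example (not code from any of the posters), the following PowerShell pre-flight audit collects the items Bob's checklist calls out before the first 2008 DC is promoted: the effective LmCompatibilityLevel, the current null session share/pipe lists, accounts flagged DES-only (the KB977321 case), and the krbtgt pwdLastSet value that changes on a DFL raise. It assumes it is run on an existing DC with the ActiveDirectory PowerShell module (RSAT) installed; that module and the function name Get-DcPreflightReport are assumptions, not something the thread mentions.

```powershell
# Added example: pre-flight audit of the settings discussed in the thread, run on an
# existing DC before the first 2008 DC is promoted. Assumes the ActiveDirectory module
# (RSAT) is installed; none of this is from the original thread.
Import-Module ActiveDirectory

function Get-DcPreflightReport {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # LmCompatibilityLevel: 2003 leaves it unset (effective 2); a 2008 DC defaults to 3.
    # If it is absent here and not enforced by GPO, the new DC will behave differently.
    $lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $lmText = if ($null -eq $lm) { 'not set (OS default)' } else { $lm }

    # Null session shares/pipes: record the current lists so they can be re-applied
    # via GPO if the shorter 2008 defaults break a legacy client or NAS.
    $srvParams = Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue

    # Accounts with "Use DES encryption types only" (userAccountControl bit 0x200000).
    # These stop authenticating once DES is disabled on R2/Win7 (KB977321).
    $desOnly = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2097152)' `
        -Properties sAMAccountName, servicePrincipalName

    # krbtgt pwdLastSet: baseline it now so the change after raising the DFL is visible.
    $krbtgt = Get-ADUser -Identity krbtgt -Properties pwdLastSet

    [PSCustomObject]@{
        LmCompatibilityLevel = $lmText
        NullSessionShares    = @($srvParams.NullSessionShares | Where-Object { $_ })
        NullSessionPipes     = @($srvParams.NullSessionPipes  | Where-Object { $_ })
        DesOnlyAccounts      = @($desOnly | ForEach-Object { $_.sAMAccountName })
        KrbtgtPwdLastSet     = [DateTime]::FromFileTime($krbtgt.pwdLastSet)
    }
}

$report = Get-DcPreflightReport
$report | Format-List

# Flag the items that need a decision before promotion.
if ($report.LmCompatibilityLevel -eq 'not set (OS default)') {
    Write-Warning 'LmCompatibilityLevel is not configured; a 2008 DC raises it to 3. Set it explicitly in the DC GPO first.'
}
if ($report.DesOnlyAccounts.Count -gt 0) {
    Write-Warning "DES-only accounts: $($report.DesOnlyAccounts -join ', '). Clear the flag or allow DES via GPO before adding R2 DCs."
}
```

Save the output alongside a GPO backup; after the functional level is raised, compare KrbtgtPwdLastSet against the baseline to confirm the password rotation Bob describes actually occurred.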
