Nit picker. :-) Regards,
Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com -----Original Message----- From: Brian Desmond [mailto:[email protected]] Sent: Monday, February 08, 2010 12:55 PM To: NT System Admin Issues Subject: RE: Adding 2008 DC's... (revisited) Not 100% true as raising the forest functional level traditionally added attributes to the partial attribute set which is technically a schema change. Whether or not this will still happen when you go to 2008 FFL depends on what FFL you're at now. Thanks, Brian Desmond [email protected] c – 312.731.3132 > -----Original Message----- > From: Michael B. Smith [mailto:[email protected]] > Sent: Monday, February 08, 2010 8:04 AM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... (revisited) > > Adprep adds the schema changes. > > None of the new features are activated until the DFL or FFL is increased. > > Regards, > > Michael B. Smith > Consultant and Exchange MVP > http://TheEssentialExchange.com > > From: Palmer, Neal [mailto:[email protected]] > Sent: Monday, February 08, 2010 7:53 AM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... (revisited) > > Hi all, > > (Apologies for the long unwieldy sentences!) (D/FL = Domain/Forest > Functional Level) > > I just wondered if anyone can confirm that the AD DS updates/Schema > changes and features are all performed during the Adprep before you > install/add the first W2K8 DC to a domain… and not when you move to > D/FL W2K8? > > It seems I can’t find information that specifies which new features of > W2K8 are added to AD/Schema during the process of joining to the > domain as a DC, and what is added later once you’ve W2K8’d all your > DC’s and decide to move to W2K8 D/FL. > > If there are 3 stages :- > > 1. ADPrep the domain for W2K8 > 2. Install/join a W2K8 DC > 3. Up the functional/domain level > > I’m a little unsure of what is or isn’t available at each stage. > > We have a W2K3 DL and all W2K3 DC’s. I’m just researching before > presenting info/requirements to start moving to W2K8. First stage is > to get one W2K8 DC in… > > Thanks > > Neal > > > > From: Brian Desmond [mailto:[email protected]] > Sent: 27 January 2010 06:16 > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > The particular issue Bob noted is one of those obscure things that’s > unlikely to affect most people so I wouldn’t generally worry about it > much just FYI… > > Thanks, > Brian Desmond > [email protected] > > c - 312.731.3132 > > From: Palmer, Neal [mailto:[email protected]] > Sent: Monday, January 25, 2010 5:05 AM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > Hi from a lurker ☺ > > Can I just thank you guys for this heads and your post Bob… Im tasked > with investigating a 2003>2008 domain raise this year and this is an > awesome starting point! > > Thanks! > > Neal > > __________________________________________________________ > _ > > Neal Palmer Senior Technical Support Officer UWIC, Cardiff, Wales… > __________________________________________________________ > _ > > From: Brian Desmond [mailto:[email protected]] > Sent: 09 January 2010 02:55 > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > It changes because of the new crypto types IIRC and needing to have a > hash in that new format. > > Thanks, > Brian Desmond > [email protected] > > c – 312.731.3132 > > From: Free, Bob [mailto:[email protected]] > Sent: Friday, January 08, 2010 6:27 PM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > Michael- I’m probably further in your debt than the other way around ☺ > > One thing this conversation did stir up in my addled old brain that is > actually germane to the “what happens when I flip the bit” question is > that when you switch DFL your krbTGT account has it’s password changed. > > I remember Brial Puhl talking about when they flipped the REDMOND > domain to Server 2008 DFL, they experienced an issue with some of > their application servers suddenly failing to authenticate because of > the password change. They tried to repro it and I don’t think they > ever did. Something to keep in the back of your mind. > > My bet is it changes twice like is recommended in the AD DR WP or the > joeware “what to do if one of your DCs get’s stolen” instructions. I’d > guess it is baked in as they actually have an event in 2K8 telling you > to change it twice if you have to change it for some reason. Looking > at replication metadata for pwdLastSet bears that out. I’m not clear > on why it needs to be changed when raising FL but there must be a good reason. > > Cheers > > --bob > > > > From: Michael B. Smith [mailto:[email protected]] > Sent: Friday, January 08, 2010 3:35 PM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > Thanks Bob! > > Let me buy you one (or a few) at TEC… > > From: Free, Bob [mailto:[email protected]] > Sent: Friday, January 08, 2010 6:22 PM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > > I haven’t seen anything documented about raising the DFL/FFL causing > > security changes. > > It’s that first DC that I’m concerned with, raising FLs comes later in the > game. > > There are a few changes that can be made when you introduce the first > 2K8 DC into the domain if they are not specifically configured in your > DC policy that could affect functionality. There are also some tighter > settings that are now baked in that could possibly need to be relaxed. > To mitigate them, it may even be necessary to edit the DC policies > from an up-level client prior to introducing the first 2K8 DC as the > settings required aren’t available to the > 2K3 editor.. > > For example, if you had left LMCompatibility level at the default of 2 > but not configured it in your GPO, it would be raised to 3 across the > domain. Null session shares are cleared from the DC’s registry if not > defined in GPO, NullSessionPipes list is shorter. There are some NTLM > changes > http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx > There is the NT4 Crypto issue previously mentioned. Etc. etc. > > DES is turned off in R2/WIN7 and can affect some apps that only use > DES for Kerberos encryption, SAP and some JAVA implementations been > mentioned as possible issues. http://support.microsoft.com/kb/977321 > > The list goes on. There are 2 sources I’d recommend reviewing before > plunking in the first DC. > > Glen LeCheminant’s blog > http://blogs.technet.com/glennl/archive/2009/08/21/w2k3-to-w2k8-active > - > directory-upgrade-considerations.aspx > > We had the luxury of having Glen come on site and help with our review > and he pointed us to this resource that Product Services is > maintaining on > TechNet-- > > Microsoft Support Quick Start for Adding Windows Server 2008 or > Windows Server 2008 R2 Domain Controllers to Existing Domains. > http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx > > Especially look at “known issues” This document is dynamic so I would > check back occasionally. > > These may all be uneventful in most environments but I’m not going to > break something like SAP AuthN / AuthZ or some critical app that runs > on some long forgotten NAS box if I can help it. I’m getting too old > for a RGE ☺ > > --bob > > > From: Michael Waltonen [mailto:[email protected]] > Sent: Friday, January 08, 2010 6:29 AM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > I haven’t seen anything documented about raising the DFL/FFL causing > security changes. Do you have anything about this that you can share? > > I have seen the 2008 DCs removed some crypto options from netlogon, > but there’s a GPO setting to add the support back. > > -Mike > > From: [email protected] > [mailto:[email protected]] On Behalf > Of Michael B. Smith > Sent: Thursday, January 07, 2010 12:51 PM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > It removes a number of “obsolete” security options. > > I quote the word “obsolete” because some older/insecure products > depend on them. Older versions of SAMBA for example. Some NAS that > based on older versions of SAMBA, etc. > > I ran into a product at one customer called a “CAS” that allowed a > single sign- on to Apache/IIS/and Windows by actually doing a > man-in-the-middle attack! > It depended on this too. > > From: David Lum [mailto:[email protected]] > Sent: Thursday, January 07, 2010 1:36 PM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > From what I’ve read changing the functional level to 2008 doesn’t really “do” > anything I particular anyway, right? > > From: Michael B. Smith [mailto:[email protected]] > Sent: Thursday, January 07, 2010 9:09 AM > To: NT System Admin Issues > Subject: RE: Adding 2008 DC's... > > You have to run the schema upgrade, but nothing says that you ever > have to bump the domain functional level or the forest functional level. > > I’ve done this for a number of customers, with no ill effect. > > I’d recommend you roll out 2008 or 2008 R2. It’ll save you work in the future. > > From: David Lum [mailto:[email protected]] > Sent: Thursday, January 07, 2010 12:00 PM > To: NT System Admin Issues > Subject: Adding 2008 DC's... > > We have an environment with five 2003 Server DC’s. I need to roll out > two new DC’s and would like to make them 2008 Server. Do you guys > consider this a major or minor infrastructure change? I’m on the fence > – existing DC’s are untouched save for running ADPREP on the schema > master, otherwise the existing DC’s are untouched. Lots of new > features though and to me just as importantly 2008 will be supported for > years to come. > > My fellow SE’s are telling me to just roll out 2003 and call it good, > but to me it seems silly since our DC’s typically hang around a long > time (6+ years currently), and in 5 years security patches go away for > 2003 (extended support ends 7/2015, and mainstream support ends 7/2010). > > Comments? > David Lum // SYSTEMS ENGINEER > NORTHWEST EVALUATION ASSOCIATION > (Desk) 971.222.1025 // (Cell) 503.267.9764 > > > > > > > > > > > > > > > > > > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
