You have your bases covered by specifying LMCompatibility level 2 in your DDCP; if it had not been set there previously, your first 2008 DC would have set it to 3. Raising the FL has no effect that I have ever heard of.

Useful bookmark for the compatibility issues WRT the security changes in 2008 & R2 is:
http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(WS.10).aspx#BKMK_SecureDefault
The whole article is great but that's the shortcut for what we are discussing.

http://support.microsoft.com/kb/823659 is an old article but sec 10 g. discusses LMCompatibility as it applies to 2008 and historically better than 954387 IMO.

From: Miller Bonnie L.
Sent: Wednesday, January 12, 2011 11:09 AM
To: NT System Admin Issues
Subject: RE: Domain and Forest Functional levels

Finally found a link describing the features at each level, although I don't see the ABE for DFS stuff mentioned specifically:
http://technet.microsoft.com/en-us/library/cc771132(WS.10).aspx

NTLM stuff: I think you guys are talking about Computer Config\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security "Network Security: LAN Manager authentication Level", which we have set in our default domain controllers policy, currently using "Send LM & NTLM - use NTLMv2 session security if negotiated". I think we had to set this when we extended the schema for WS08 or when we installed the first WS08 DC and started having trouble with RIS imaging not joining computers to the domain.

http://support.microsoft.com/kb/954387 talks about the available options, and I can see the WS08 R2 DCs are picking up the settings from AD. It sounds like I should check that this hasn't changed to option 3 after raising the functional level then? Or, am I looking for something else (newer)?

Sorry for all the questions - trying not to miss anything important.

From: Michael B. Smith
Sent: Wednesday, January 12, 2011 7:49 AM
To: NT System Admin Issues
Subject: RE: Domain and Forest Functional levels

You have to change a GPO in order to get NTLMv1 back. The default policy is changed to disable it.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Miller Bonnie L.
Sent: Wednesday, January 12, 2011 10:35 AM
To: NT System Admin Issues
Subject: RE: Domain and Forest Functional levels

Do you mean it defaults higher and will switch back to NTLMv1 as needed, or is NTLMv1 gone completely? I am going to search more this morning, but if you have any links it is much appreciated.

Thanks,
-Bonnie

From: Michael B. Smith
Sent: Tuesday, January 11, 2011 2:02 PM
To: NT System Admin Issues
Subject: RE: Domain and Forest Functional levels

You lose NTLMv1 by default, plus some security switches flip up to "more secure".

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Miller Bonnie L.
Sent: Tuesday, January 11, 2011 4:40 PM
To: NT System Admin Issues
Subject: Domain and Forest Functional levels

We are currently running WS08 R2 schema (upgraded quite a while ago), but still sitting at WS03 functional levels for both the domain and forest settings. I'm trying to get ABE working with DFS, and have discovered the domain functional level must be at WS08 minimum (amongst other things, including namespace migrations).

So, besides not being able to run a WS03 DC in WS08 functional mode or both WS03 and WS08 DCs in WS08 R2 functional mode, is there anything else that is LOST functionality? I'm finding a lot of articles on how-to and what you can gain, but I want to make sure we won't miss anything important that is in use. Still searching, but if you have any links or first-hand knowledge, I would appreciate it as it's been many years since we've had to raise levels for a feature.

We are also running:
Exchange 2007 SP3
SharePoint 2007 SP2
SCCM 2007 (R2 I think, can find out if it matters)

Thanks,
-Bonnie

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin
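
A read-only check for the question raised in the thread (whether a DC still carries the LAN Manager authentication level delivered by policy), as an added example that is not part of the original messages. It reads the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where this policy is stored; the function name Get-LmCompatibilityReport is hypothetical, and remote reads assume the Remote Registry service is reachable on the target.

```powershell
# Added example (not from the thread). Read-only: queries the registry, changes nothing.
# Policy "Network security: LAN Manager authentication level" is stored as
# LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityReport {   # hypothetical helper name
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($name in $ComputerName) {
        $hklm = $null; $lsa = $null
        $row = [ordered]@{ Computer = $name; Level = $null; Setting = $null
                           SendsLmOrNtlmV1 = $null; AcceptsLm = $null
                           AcceptsNtlmV1 = $null; Error = $null }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $raw  = $lsa.GetValue('LmCompatibilityLevel', $null)
            if ($null -eq $raw) {
                # Value absent: no policy or manual setting, so the OS default applies.
                $row.Setting = 'Not set (OS default applies)'
            } else {
                $level = [int]$raw
                $row.Level   = $level
                $row.Setting = if ($LmLevels.ContainsKey($level)) { $LmLevels[$level] } else { 'Unknown value' }
                $row.SendsLmOrNtlmV1 = $level -lt 3   # as a client: below 3 still sends LM or NTLMv1
                $row.AcceptsLm       = $level -lt 4   # as a server/DC: 4 and 5 refuse LM
                $row.AcceptsNtlmV1   = $level -lt 5   # as a server/DC: only 5 refuses NTLMv1
            }
        } catch {
            $row.Error = $_.Exception.Message         # unreachable host, access denied, etc.
        } finally {
            if ($lsa)  { $lsa.Close() }
            if ($hklm) { $hklm.Close() }
        }
        [pscustomobject]$row
    }
}

# With no argument the local machine is checked; pass DC names via -ComputerName
# to compare every domain controller before and after raising the functional level.
Get-LmCompatibilityReport | Format-Table -AutoSize
```

Running it against each DC before and after the functional level change shows whether the value differs between the two runs, and whether any DC reports the value as not set.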
