I think Brian means that environments that already have problems (e.g. in 
replication) may experience issues when you propagate schema changes, or 
changes to the PAS.

Cheers
Ken

-----Original Message-----
From: Palmer, Neal [mailto:npal...@uwic.ac.uk] 
Sent: Tuesday, 9 February 2010 6:55 PM
To: NT System Admin Issues
Subject: RE: Adding 2008 DC's... (revisited)

Can you expand on that? I don’t see how a schema change in itself causes 
problems. I'm assuming you mean multiple domains/forests/trusts?

(Our site is W2K3 D/FFL - One domain/forest, lots of pretty W2K3 boxes :)

-----Original Message-----
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: 08 February 2010 19:00
To: NT System Admin Issues
Subject: RE: Adding 2008 DC's... (revisited)

Sort of. I've seen this cause issues in large (and messy) customer environments 
before.

Thanks,
Brian Desmond
br...@briandesmond.com

c – 312.731.3132


> -----Original Message-----
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Monday, February 08, 2010 12:01 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's... (revisited)
> 
> Nit picker. :-)
> 
> Regards,
> 
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
> 
> 
> -----Original Message-----
> From: Brian Desmond [mailto:br...@briandesmond.com]
> Sent: Monday, February 08, 2010 12:55 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's... (revisited)
> 
> Not 100% true as raising the forest functional level traditionally 
> added attributes to the partial attribute set which is technically a schema 
> change.
> Whether or not this will still happen when you go to 2008 FFL depends 
> on what FFL you're at now.
> 
> Thanks,
> Brian Desmond
> br...@briandesmond.com
> 
> c – 312.731.3132
> 
> 
> > -----Original Message-----
> > From: Michael B. Smith [mailto:mich...@smithcons.com]
> > Sent: Monday, February 08, 2010 8:04 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's... (revisited)
> >
> > Adprep adds the schema changes.
> >
> > None of the new features are activated until the DFL or FFL is increased.
> >
> > Regards,
> >
> > Michael B. Smith
> > Consultant and Exchange MVP
> > http://TheEssentialExchange.com
> >
> > From: Palmer, Neal [mailto:npal...@uwic.ac.uk]
> > Sent: Monday, February 08, 2010 7:53 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's... (revisited)
> >
> > Hi all,
> >
> > (Apologies for the long unwieldy sentences!) (D/FL = Domain/Forest 
> > Functional Level)
> >
> > I just wondered if anyone can confirm that the AD DS updates/Schema 
> > changes and features are all performed during the Adprep before you 
> > install/add the first W2K8 DC to a domain… and not when you move to 
> > D/FL W2K8?
> >
> > It seems I can’t find information that specifies which new features of
> > W2K8 are added to AD/Schema during the process of joining to the
> > domain as a DC, and what is added later once you’ve W2K8’d all your
> > DC’s and decide to move to W2K8 D/FL.
> >
> > If there are 3 stages :-
> >
> > 1. ADPrep the domain for W2K8
> > 2. Install/join a W2K8 DC
> > 3. Up the functional/domain level
> >
> > I’m a little unsure of what is or isn’t available at each stage.
> >
> > We have a W2K3 DL and all W2K3 DC’s. I’m just researching before 
> > presenting info/requirements to start moving to W2K8. First stage is 
> > to get one W2K8 DC in…
> >
> > Thanks
> >
> > Neal
> >
> >
> >
> > From: Brian Desmond [mailto:br...@briandesmond.com]
> > Sent: 27 January 2010 06:16
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > The particular issue Bob noted is one of those obscure things that’s 
> > unlikely to affect most people so I wouldn’t generally worry about 
> > it much just FYI…
> >
> > Thanks,
> > Brian Desmond
> > br...@briandesmond.com
> >
> > c - 312.731.3132
> >
> > From: Palmer, Neal [mailto:npal...@uwic.ac.uk]
> > Sent: Monday, January 25, 2010 5:05 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > Hi from a lurker ☺
> >
> > Can I just thank you guys for this heads up and your post Bob… I'm
> > tasked with investigating a 2003>2008 domain raise this year and
> > this is an awesome starting point!
> >
> > Thanks!
> >
> > Neal
> >
> >
> > __________________________________________________________
> >
> > Neal Palmer Senior Technical Support Officer UWIC, Cardiff, Wales…
> >
> > __________________________________________________________
> >
> > From: Brian Desmond [mailto:br...@briandesmond.com]
> > Sent: 09 January 2010 02:55
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > It changes because of the new crypto types IIRC and needing to have 
> > a hash in that new format.
> >
> > Thanks,
> > Brian Desmond
> > br...@briandesmond.com
> >
> > c – 312.731.3132
> >
> > From: Free, Bob [mailto:r...@pge.com]
> > Sent: Friday, January 08, 2010 6:27 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > Michael- I’m probably further in your debt than the other way around 
> > ☺
> >
> > One thing this conversation did stir up in my addled old brain that
> > is actually germane to the “what happens when I flip the bit”
> > question is that when you switch DFL your krbtgt account has its password
> > changed.
> >
> > I remember Brian Puhl talking about when they flipped the REDMOND
> > domain to Server 2008 DFL, they experienced an issue with some of
> > their application servers suddenly failing to authenticate because
> > of the password change. They tried to repro it and I don’t think
> > they ever did. Something to keep in the back of your mind.
> >
> > My bet is it changes twice like is recommended in the AD DR WP or
> > the joeware “what to do if one of your DCs gets stolen”
> > instructions. I’d guess it is baked in as they actually have an
> > event in 2K8 telling you to change it twice if you have to change it
> > for some reason. Looking at replication metadata for pwdLastSet
> > bears that out. I’m not clear on why it needs to be changed when
> > raising FL but there must be a good reason.
> >
> > Cheers
> >
> > --bob
> >
> >
> >
> > From: Michael B. Smith [mailto:mich...@smithcons.com]
> > Sent: Friday, January 08, 2010 3:35 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > Thanks Bob!
> >
> > Let me buy you one (or a few) at TEC…
> >
> > From: Free, Bob [mailto:r...@pge.com]
> > Sent: Friday, January 08, 2010 6:22 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > > I haven’t seen anything documented about raising the DFL/FFL 
> > > causing security changes.
> >
> > It’s that first DC that I’m concerned with, raising FLs comes later
> > in the game.
> >
> > There are a few changes that can be made when you introduce the
> > first 2K8 DC into the domain if they are not specifically configured in
> > your DC policy that could affect functionality. There are also some
> > tighter settings that are now baked in that could possibly need to be
> > relaxed. To mitigate them, it may even be necessary to edit the DC
> > policies from an up-level client prior to introducing the first 2K8 DC
> > as the settings required aren’t available to the 2K3 editor.
> >
> > For example, if you had left LMCompatibility level at the default of 
> > 2 but not configured it in your GPO, it would be raised to 3 across 
> > the domain.  Null session shares are cleared from the DC’s registry 
> > if not defined in GPO, NullSessionPipes list is shorter. There are 
> > some NTLM changes 
> > http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx
> > There is the NT4 Crypto issue previously mentioned.   Etc. etc.
> >
> > DES is turned off in R2/WIN7 and can affect some apps that only use
> > DES for Kerberos encryption; SAP and some JAVA implementations have been
> > mentioned as possible issues. http://support.microsoft.com/kb/977321
> >
> > The list goes on. There are 2 sources I’d recommend reviewing before 
> > plunking in the first DC.
> >
> > Glen LeCheminant’s blog
> > http://blogs.technet.com/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx
> >
> > We had the luxury of having Glen come on site and help with our
> > review and he pointed us to this resource that Product Services is
> > maintaining on TechNet--
> >
> > Microsoft Support Quick Start for Adding Windows Server 2008 or 
> > Windows Server 2008 R2 Domain Controllers to Existing Domains.
> > http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx
> >
> > Especially look at “known issues” This document is dynamic so I 
> > would check back occasionally.
> >
> > These may all be uneventful in most environments but I’m not going 
> > to break something like SAP AuthN / AuthZ or some critical app that 
> > runs on some long forgotten NAS box if I can help it. I’m getting 
> > too old for a RGE ☺
> >
> > --bob
> >
> >
> > From: Michael Waltonen [mailto:walto...@umn.edu]
> > Sent: Friday, January 08, 2010 6:29 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > I haven’t seen anything documented about raising the DFL/FFL causing 
> > security changes.  Do you have anything about this that you can share?
> >
> > I have seen the 2008 DCs removed some crypto options from netlogon, 
> > but there’s a GPO setting to add the support back.
> >
> > -Mike
> >
> > From: bounce-8784996-8243...@lyris.sunbelt-software.com
> > [mailto:bounce-8784996-8243...@lyris.sunbelt-software.com] On Behalf 
> > Of Michael B. Smith
> > Sent: Thursday, January 07, 2010 12:51 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > It removes a number of “obsolete” security options.
> >
> > I quote the word “obsolete” because some older/insecure products 
> > depend on them. Older versions of SAMBA for example. Some NAS that 
> > based on older versions of SAMBA, etc.
> >
> > I ran into a product at one customer called a “CAS” that allowed a
> > single sign-on to Apache/IIS/and Windows by actually doing a
> > man-in-the-middle attack! It depended on this too.
> >
> > From: David Lum [mailto:david....@nwea.org]
> > Sent: Thursday, January 07, 2010 1:36 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > From what I’ve read changing the functional level to 2008 doesn’t
> > really “do” anything in particular anyway, right?
> >
> > From: Michael B. Smith [mailto:mich...@smithcons.com]
> > Sent: Thursday, January 07, 2010 9:09 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > You have to run the schema upgrade, but nothing says that you ever 
> > have to bump the domain functional level or the forest functional level.
> >
> > I’ve done this for a number of customers, with no ill effect.
> >
> > I’d recommend you roll out 2008 or 2008 R2. It’ll save you work in
> > the future.
> >
> > From: David Lum [mailto:david....@nwea.org]
> > Sent: Thursday, January 07, 2010 12:00 PM
> > To: NT System Admin Issues
> > Subject: Adding 2008 DC's...
> >
> > We have an environment with five 2003 Server DC’s. I need to roll
> > out two new DC’s and would like to make them 2008 Server. Do you
> > guys consider this a major or minor infrastructure change? I’m on
> > the fence – existing DC’s are untouched save for running ADPREP on
> > the schema master, otherwise the existing DC’s are untouched. Lots
> > of new features though and to me just as importantly 2008 will be
> > supported for years to come.
> >
> > My fellow SE’s are telling me to just roll out 2003 and call it
> > good, but to me it seems silly since our DC’s typically hang around
> > a long time (6+ years currently), and in 5 years security patches go
> > away for 2003 (extended support ends 7/2015, and mainstream support
> > ends 7/2010).
> >
> > Comments?
> > David Lum // SYSTEMS ENGINEER
> > NORTHWEST EVALUATION ASSOCIATION
> > (Desk) 971.222.1025 // (Cell) 503.267.9764
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
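Bob's two practical points in this thread (the first 2008 DC silently tightening LmCompatibilityLevel, NullSessionShares and NullSessionPipes where the DC policy leaves them unset, DES being off for Kerberos on R2/Win7, and the krbtgt password being reset when the DFL is raised) boil down to a pre-flight audit. The script below is an added example written for this page, not code from any of the posters or from Microsoft. It assumes it is run as a domain admin on a domain-joined machine, that the Remote Registry service is reachable on every DC, and that repadmin.exe is on the path for the metadata step; the registry paths, the USE_DES_KEY_ONLY bit (0x200000) and the repadmin /showobjmeta syntax are standard, but everything else (function names, output layout) is this example's own.

```powershell
# Pre-flight audit before adding the first Windows Server 2008 DC to a 2003 domain.
# Added example for this thread; not code from any poster. Assumes: domain admin,
# Remote Registry reachable on each DC, repadmin.exe available for the metadata step.

function Get-DcLegacySettings {
    # Settings Bob's post says a 2008 DC changes when the DC policy does not pin them.
    # $null / empty means "not set in the registry", i.e. the OS default of that DC applies,
    # which is exactly the case where the 2008 default will differ from the 2003 one.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $row = New-Object PSObject -Property @{
            DC = $dc.Name; OS = $dc.OSVersion
            LmCompatibilityLevel = $null; NullSessionShares = $null; NullSessionPipes = $null
            Error = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.Name)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $srv  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
            $row.LmCompatibilityLevel = $lsa.GetValue('LmCompatibilityLevel')
            # Both are REG_MULTI_SZ, so GetValue returns string[]; join for display.
            $row.NullSessionShares = ($srv.GetValue('NullSessionShares') -join ',')
            $row.NullSessionPipes  = ($srv.GetValue('NullSessionPipes')  -join ',')
        } catch { $row.Error = $_.Exception.Message }
        $row
    }
}

function Get-DesOnlyAccounts {
    # Accounts with USE_DES_KEY_ONLY (0x200000 = 2097152) set in userAccountControl.
    # These are the candidates for the KB977321 breakage Bob mentions (SAP, some Java).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2097152))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'servicePrincipalName'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account = [string]$r.Properties['samaccountname'][0]
            SPNs    = ($r.Properties['serviceprincipalname'] -join ' ')
        }
    }
}

function Get-KrbtgtPasswordInfo {
    # Record krbtgt's pwdLastSet before the DFL raise so the reset Bob describes is visible
    # afterwards, and pull the replication metadata for pwdLastSet from the PDC emulator:
    # the Ver column climbs by one per password change, so "changed twice" shows as +2.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(sAMAccountName=krbtgt)'
    $r  = $searcher.FindOne()
    $dn = [string]$r.Properties['distinguishedname'][0]
    $pwdLastSet = [DateTime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
    $meta = $null
    if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
        $pdc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
        $meta = & repadmin.exe /showobjmeta $pdc "$dn" | Select-String 'pwdLastSet'
    }
    New-Object PSObject -Property @{ DN = $dn; PwdLastSetUtc = $pwdLastSet; Metadata = $meta }
}

# Run the audit and print something a change-control reviewer can read.
$d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$f = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Domain $($d.Name): DFL=$($d.DomainMode)  FFL=$($f.ForestMode)"
Get-DcLegacySettings   | Format-Table DC, OS, LmCompatibilityLevel, NullSessionShares, NullSessionPipes, Error -AutoSize
Get-DesOnlyAccounts    | Format-Table Account, SPNs -AutoSize
Get-KrbtgtPasswordInfo | Format-List
```

Run it once before the first 2008 DC is promoted and again after the DFL raise: a blank LmCompatibilityLevel or NullSessionPipes column on a 2003 DC is a value you want set explicitly in the Default Domain Controllers Policy first (from an up-level editor, as Bob notes), any DES-only account needs its owner contacted before R2/Win7 DCs or clients arrive, and the krbtgt pwdLastSet plus its metadata version tells you whether the reset happened and how many times.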