Whoa. They've done some serious updating to those articles in the last couple 
of months. I've not seen those mentioned in any of the other lists I read. 
Where did you get those, Bob? From your PFE or TAM? Or someplace more public?

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Free, Bob [mailto:r...@pge.com]
Sent: Tuesday, February 09, 2010 5:07 PM
To: NT System Admin Issues
Subject: RE: Adding 2008 DC's... (revisited)

> I'm assuming you mean multiple domains/forests/trusts?

It *could* happen regardless of the number of domains or forests if you have a 
lot of GCs and the PAS does a full replication. Think of a branch office 
scenario with LOTS of DCs on lousy links.
This got a fair amount of consideration from folks with replication concerns in 
"large or messy environments" in the W2K-W2K3 upgrade period if they were 
concerned with a full PAS replication cycle. Good discussion of it- 
http://www.mail-archive.com/active...@mail.activedir.org/msg31582.html

Another example- 
http://blogs.technet.com/justinturner/archive/2009/10/28/replication-error-8464-after-schema-upgrade.aspx


Back to the discussion at hand, there is a concern with replication halting for 
12 hours when the 1st R2 DC is introduced if you have existing DCs enabled for 
strict replication consistency that was pointed out to us on a PFE visit. 
Article 2002034 "Deploying the 1st Windows Server 2008 R2 DC in an existing 
forest may halt AD replication to strict mode destination DCs for up to 12 
hours" is to be published but I haven't seen it yet. See 
http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx#BKMK_KnownIssues

2002034 is also mentioned in http://support.microsoft.com/kb/2005074 which 
describes a similar issue that could occur under certain conditions.

YMMV
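An added pre-flight script, not code from any poster in this thread, that reads from each existing DC the settings the thread says matter before the first 2008/2008 R2 DC goes in: the strict replication consistency value behind the 12-hour halt Bob describes here, plus the LMCompatibilityLevel and null-session values he lists further down. It assumes domain-admin rights and the Remote Registry service running on each DC; the registry key and value names are the documented ones, and the output column names are my own.

```powershell
# Added example, not code from anyone in this thread. Read-only pre-flight that pulls
# the per-DC registry settings the thread says matter before the first 2008/2008 R2
# DC is introduced. Assumes: domain-admin rights and the Remote Registry service
# running on each DC (the OpenRemoteBaseKey call below depends on it).

$checks = @(
    @{ Name = 'StrictReplConsistency'   # 1 = strict (the mode the 12-hour halt applies to)
       Key  = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Val  = 'Strict Replication Consistency' },
    @{ Name = 'LmCompatibilityLevel'    # unset here and not in GPO = OS default, which moves
       Key  = 'SYSTEM\CurrentControlSet\Control\Lsa'
       Val  = 'LmCompatibilityLevel' },
    @{ Name = 'NullSessionPipes'
       Key  = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Val  = 'NullSessionPipes' },
    @{ Name = 'NullSessionShares'
       Key  = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Val  = 'NullSessionShares' }
)

function Get-DcPreflight {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty DC $dc
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            foreach ($c in $checks) {
                $k = $hklm.OpenSubKey($c.Key)
                $v = if ($k) { $k.GetValue($c.Val) } else { $null }
                # REG_MULTI_SZ comes back as string[]; join it so the table stays readable
                if ($v -is [array]) { $v = $v -join ';' }
                # '<not set>' means the OS default applies, which is exactly the case the
                # thread warns about: the default can change when a newer DC shows up
                if ($null -eq $v) { $v = '<not set>' }
                $row | Add-Member NoteProperty $c.Name $v
            }
            $hklm.Close()
        } catch {
            $row | Add-Member NoteProperty Error $_.Exception.Message
        }
        $row
    }
}

# Enumerate DCs without the AD module so it runs from W2K3-era tooling too
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       ForEach-Object { $_.Name }
Get-DcPreflight -DomainControllers $dcs | Format-Table -AutoSize
```

Any DC showing `<not set>` for a value is running on the OS default, so compare that column against the DC policy before the first new DC is promoted.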



-----Original Message-----
From: Palmer, Neal [mailto:npal...@uwic.ac.uk]
Sent: Tuesday, February 09, 2010 2:55 AM
To: NT System Admin Issues
Subject: RE: Adding 2008 DC's... (revisited)

Can you expand on that? I don’t see how a schema change in itself causes 
problems. I'm assuming you mean multiple domains/forests/trusts?

(Our site is W2K3 D/FFL - One domain/forest, lots of pretty W2K3 boxes :)

-----Original Message-----
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: 08 February 2010 19:00
To: NT System Admin Issues
Subject: RE: Adding 2008 DC's... (revisited)

Sort of. I've seen this cause issues in large (and messy) customer environments 
before.

Thanks,
Brian Desmond
br...@briandesmond.com

c – 312.731.3132


> -----Original Message-----
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Monday, February 08, 2010 12:01 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's... (revisited)
>
> Nit picker. :-)
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -----Original Message-----
> From: Brian Desmond [mailto:br...@briandesmond.com]
> Sent: Monday, February 08, 2010 12:55 PM
> To: NT System Admin Issues
> Subject: RE: Adding 2008 DC's... (revisited)
>
> Not 100% true as raising the forest functional level traditionally
> added attributes to the partial attribute set which is technically a schema 
> change.
> Whether or not this will still happen when you go to 2008 FFL depends
> on what FFL you're at now.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c – 312.731.3132
>
>
> > -----Original Message-----
> > From: Michael B. Smith [mailto:mich...@smithcons.com]
> > Sent: Monday, February 08, 2010 8:04 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's... (revisited)
> >
> > Adprep adds the schema changes.
> >
> > None of the new features are activated until the DFL or FFL is increased.
> >
> > Regards,
> >
> > Michael B. Smith
> > Consultant and Exchange MVP
> > http://TheEssentialExchange.com
> >
> > From: Palmer, Neal [mailto:npal...@uwic.ac.uk]
> > Sent: Monday, February 08, 2010 7:53 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's... (revisited)
> >
> > Hi all,
> >
> > (Apologies for the long unwieldy sentences!) (D/FL = Domain/Forest
> > Functional Level)
> >
> > I just wondered if anyone can confirm that the AD DS updates/Schema
> > changes and features are all performed during the Adprep before you
> > install/add the first W2K8 DC to a domain… and not when you move to
> > D/FL W2K8?
> >
> > It seems I can’t find information that specifies which new features of
> > W2K8 are added to AD/Schema during the process of joining to the
> > domain as a DC, and what is added later once you’ve W2K8’d all your
> > DC’s and decide to move to W2K8 D/FL.
> >
> > If there are 3 stages :-
> >
> > 1. ADPrep the domain for W2K8
> > 2. Install/join a W2K8 DC
> > 3. Up the functional/domain level
> >
> > I’m a little unsure of what is or isn’t available at each stage.
> >
> > We have a W2K3 DL and all W2K3 DC’s. I’m just researching before
> > presenting info/requirements to start moving to W2K8. First stage is
> > to get one W2K8 DC in…
> >
> > Thanks
> >
> > Neal
> >
> >
> >
> > From: Brian Desmond [mailto:br...@briandesmond.com]
> > Sent: 27 January 2010 06:16
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > The particular issue Bob noted is one of those obscure things that’s
> > unlikely to affect most people so I wouldn’t generally worry about
> > it much just FYI…
> >
> > Thanks,
> > Brian Desmond
> > br...@briandesmond.com
> >
> > c - 312.731.3132
> >
> > From: Palmer, Neal [mailto:npal...@uwic.ac.uk]
> > Sent: Monday, January 25, 2010 5:05 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > Hi from a lurker ☺
> >
> > Can I just thank you guys for this heads up and your post Bob… I'm
> > tasked with investigating a 2003>2008 domain raise this year and
> > this is an awesome starting point!
> >
> > Thanks!
> >
> > Neal
> >
> >
> > ___________________________________________________________
> >
> > Neal Palmer Senior Technical Support Officer UWIC, Cardiff, Wales…
> >
> > ___________________________________________________________
> >
> > From: Brian Desmond [mailto:br...@briandesmond.com]
> > Sent: 09 January 2010 02:55
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > It changes because of the new crypto types IIRC and needing to have
> > a hash in that new format.
> >
> > Thanks,
> > Brian Desmond
> > br...@briandesmond.com
> >
> > c – 312.731.3132
> >
> > From: Free, Bob [mailto:r...@pge.com]
> > Sent: Friday, January 08, 2010 6:27 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > Michael- I’m probably further in your debt than the other way around
> > ☺
> >
> > One thing this conversation did stir up in my addled old brain that
> > is actually germane to the “what happens when I flip the bit”
> > question is that when you switch DFL your krbTGT account has its password
> > changed.
> >
> > I remember Brian Puhl talking about when they flipped the REDMOND
> > domain to Server 2008 DFL, they experienced an issue with some of
> > their application servers suddenly failing to authenticate because
> > of the password change. They tried to repro it and I don’t think
> > they ever did. Something to keep in the back of your mind.
> >
> > My bet is it changes twice like is recommended in the AD DR WP or
> > the joeware “what to do if one of your DCs gets stolen”
> > instructions. I’d guess it is baked in as they actually have an
> > event in 2K8 telling you to change it twice if you have to change it
> > for some reason. Looking at replication metadata for pwdLastSet
> > bears that out. I’m not clear on why it needs to be changed when
> > raising FL but there must be a good reason.
> >
> > Cheers
> >
> > --bob
> >
> >
> >
> > From: Michael B. Smith [mailto:mich...@smithcons.com]
> > Sent: Friday, January 08, 2010 3:35 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > Thanks Bob!
> >
> > Let me buy you one (or a few) at TEC…
> >
> > From: Free, Bob [mailto:r...@pge.com]
> > Sent: Friday, January 08, 2010 6:22 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > > I haven’t seen anything documented about raising the DFL/FFL
> > > causing security changes.
> >
> > It’s that first DC that I’m concerned with, raising FLs comes later
> > in the game.
> >
> > There are a few changes that can be made when you introduce the first
> > 2K8 DC into the domain if they are not specifically configured in
> > your DC policy that could affect functionality. There are also some
> > tighter settings that are now baked in that could possibly need to be
> > relaxed.
> > To mitigate them, it may even be necessary to edit the DC policies
> > from an up-level client prior to introducing the first 2K8 DC as the
> > settings required aren’t available to the 2K3 editor.
> >
> > For example, if you had left LMCompatibility level at the default of
> > 2 but not configured it in your GPO, it would be raised to 3 across
> > the domain.  Null session shares are cleared from the DC’s registry
> > if not defined in GPO, NullSessionPipes list is shorter. There are
> > some NTLM changes
> > http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx
> > There is the NT4 Crypto issue previously mentioned.   Etc. etc.
> >
> > DES is turned off in R2/WIN7 and can affect some apps that only use
> > DES for Kerberos encryption; SAP and some JAVA implementations have been
> > mentioned as possible issues. http://support.microsoft.com/kb/977321
> >
> > The list goes on. There are 2 sources I’d recommend reviewing before
> > plunking in the first DC.
> >
> > Glen LeCheminant’s blog
> > http://blogs.technet.com/glennl/archive/2009/08/21/w2k3-to-w2k8-active-directory-upgrade-considerations.aspx
> >
> > We had the luxury of having Glen come on site and help with our
> > review and he pointed us to this resource that Product Services is
> > maintaining on
> > TechNet--
> >
> > Microsoft Support Quick Start for Adding Windows Server 2008 or
> > Windows Server 2008 R2 Domain Controllers to Existing Domains.
> > http://technet.microsoft.com/en-us/library/ee522994(WS.10).aspx
> >
> > Especially look at “known issues”. This document is dynamic so I
> > would check back occasionally.
> >
> > These may all be uneventful in most environments but I’m not going
> > to break something like SAP AuthN / AuthZ or some critical app that
> > runs on some long forgotten NAS box if I can help it. I’m getting
> > too old for a RGE ☺
> >
> > --bob
> >
> >
> > From: Michael Waltonen [mailto:walto...@umn.edu]
> > Sent: Friday, January 08, 2010 6:29 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > I haven’t seen anything documented about raising the DFL/FFL causing
> > security changes.  Do you have anything about this that you can share?
> >
> > I have seen the 2008 DCs removed some crypto options from netlogon,
> > but there’s a GPO setting to add the support back.
> >
> > -Mike
> >
> > From: bounce-8784996-8243...@lyris.sunbelt-software.com
> > [mailto:bounce-8784996-8243...@lyris.sunbelt-software.com] On Behalf
> > Of Michael B. Smith
> > Sent: Thursday, January 07, 2010 12:51 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > It removes a number of “obsolete” security options.
> >
> > I quote the word “obsolete” because some older/insecure products
> > depend on them. Older versions of SAMBA for example. Some NAS that are
> > based on older versions of SAMBA, etc.
> >
> > I ran into a product at one customer called a “CAS” that allowed a
> > single sign-on to Apache/IIS/and Windows by actually doing a
> > man-in-the-middle attack!
> > It depended on this too.
> >
> > From: David Lum [mailto:david....@nwea.org]
> > Sent: Thursday, January 07, 2010 1:36 PM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > From what I’ve read changing the functional level to 2008 doesn’t
> > really “do” anything in particular anyway, right?
> >
> > From: Michael B. Smith [mailto:mich...@smithcons.com]
> > Sent: Thursday, January 07, 2010 9:09 AM
> > To: NT System Admin Issues
> > Subject: RE: Adding 2008 DC's...
> >
> > You have to run the schema upgrade, but nothing says that you ever
> > have to bump the domain functional level or the forest functional level.
> >
> > I’ve done this for a number of customers, with no ill effect.
> >
> > I’d recommend you roll out 2008 or 2008 R2. It’ll save you work in
> > the future.
> >
> > From: David Lum [mailto:david....@nwea.org]
> > Sent: Thursday, January 07, 2010 12:00 PM
> > To: NT System Admin Issues
> > Subject: Adding 2008 DC's...
> >
> > We have an environment with five 2003 Server DC’s. I need to roll
> > out two new DC’s and would like to make them 2008 Server. Do you
> > guys consider this a major or minor infrastructure change? I’m on
> > the fence – existing DC’s are untouched save for running ADPREP on
> > the schema master, otherwise the existing DC’s are untouched. Lots
> > of new features though and to me just as importantly 2008 will be
> > supported for years to come.
> >
> > My fellow SE’s are telling me to just roll out 2003 and call it
> > good, but to me it seems silly since our DC’s typically hang around
> > a long time (6+ years currently), and in 5 years security patches go
> > away for 2003 (extended support ends 7/2015, and mainstream support
> > ends 7/2010).
> >
> > Comments?
> > David Lum // SYSTEMS ENGINEER
> > NORTHWEST EVALUATION ASSOCIATION
> > (Desk) 971.222.1025 // (Cell) 503.267.9764
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
