Subject: [ActiveDir] 2000 -> 2008 DC migration
kbatkbslpcom
10/13/2009 6:04 PM  
Ran into quite a few issues when I demoted the last 2000 DC yesterday
from the domain (of course, the FSMOs were moved from 2000 to 2008).

NT4 trusts broke (yes, NT4!). Am trying the 'allow NT4 crypto' GPO - so
far it isn't working. I think I'm getting bitten by MS08-068 (SMB
vulnerability) for that one. Trusts are being maintained by a 2003 DC
right now.


An application that will ONLY work correctly when talking to a 2000 DC.
Have tried hard-coding (similar LDAP syntax below - they were using the
generic LDAP entry) to 2008 and the 2003 DC - it won't work. When
hard-coded to a newly promoted 2000 DC (promoted just last night), it
works fine.

Those are being worked on...the one below is kinda weird - and maybe
related to the one above. Any suggestions would be very useful...many
hours spent last night.

Thanks!

Have a weird thing (it's broken) happening when we pointed our LDAP-type
lookups to 2008 DCs whereas they were pointing to 2000 DCs. Their
work-around is to hard-code to a single 2008 DC - not a long-term
solution.

We have a load-balanced name that resolves to one of 6 IP addresses that
correspond to 2008 DCs. The users request it using syntax like (this
is from their application config file):

Their application config didn't change at all - we changed the backend
resolver (not DNS, but it checks a keep-alive on port 389 to determine if
the DC at the IP address is "up") to point from 6 2000 DCs to 6 2008
DCs (all are global catalogs).

In the config below, the example name that resolves is
LDAPCHILD.rr.parent.com (names changed to protect me - but
representative)

When LDAPCHILD was redirected to the 2000 DCs, this worked. When
directed to the 2008 DCs, it fails. If they change the ldpBindServer
value to the FQDN of a 2008 DC, it works (i.e.
ldap://dc2008.child.parent.com:3268/).

Any thoughts? At first, I thought it may have been related to the
"alias" problem that required a registry hack on 2000/2003/2008 for SMB 1.0
packets. But now I'm not so sure. I'm going to ask them to put a
sniffer on their server so I can see what the packets are doing. (This
was the article regarding the SMB issue -
http://support.microsoft.com/kb/281308)

It is very reproducible...they just have to change that one line. I've
tried it using a VBScript - and it works fine (either to that sample
'ldapchild' rr entry or via an alias defined in the hosts file on my
machine).

//Begin ldap configuration
String ldpBindUsr = "userID@child.parent.com";
String ldpBindPwd = "thepassword";
String ldpBindServer = "ldap://ldapchild.rr.parent.com:3268/";
String ldpSearchDN = "dc=parent,dc=com";
String ldpSearchFilter = "sAMAccountName=";
String ldpAUTHENTICATION = "simple";
String ldpProperty = "memberOf";
//End ldap configuration
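One way to narrow this down before the sniffer goes on, as an added example that is not part of the original post or the poster's application: bind the way the application does (LDAP simple bind to the global catalog port 3268) against the load-balanced name, against every address that name resolves to, and against the DC FQDN that is known to work, then run the same sAMAccountName-to-memberOf search on each. A failure on every pool member but success on the control FQDN says something different from a failure on one member only. The user, password, lookup account and host names below are assumptions (the names are the placeholders from the post).

```powershell
# Added diagnostic, not the poster's code. Repeats the application's bind and
# search against each candidate server and tabulates the result per target.
# Host names, credentials and the sample account are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$BindUser   = 'userID@child.parent.com'   # UPN from the posted config (assumed)
$BindPass   = 'thepassword'               # assumed
$LbName     = 'ldapchild.rr.parent.com'   # load-balanced name from the post
$KnownDc    = 'dc2008.child.parent.com'   # FQDN the poster says works (control case)
$SearchBase = 'dc=parent,dc=com'
$Account    = 'jdoe'                      # assumed sAMAccountName to look up
$Port       = 3268                        # global catalog port the application uses

function Test-GcSimpleBind {
    param([string]$Server, [string]$Label)

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $cred = New-Object System.Net.NetworkCredential($BindUser, $BindPass)
    # AuthType.Basic is the protocol-level "simple" bind that ldpAUTHENTICATION="simple"
    # asks for: no Kerberos, no SPN lookup, so an IP address is a valid target here.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = New-TimeSpan -Seconds 10

    try {
        $conn.Bind()
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $SearchBase,
            "(sAMAccountName=$Account)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            'memberOf')
        $resp = $conn.SendRequest($req)

        $groups = 0
        if ($resp.Entries.Count -gt 0) {
            $attr = $resp.Entries[0].Attributes['memberOf']
            if ($attr) { $groups = $attr.Count }
        }
        [pscustomobject]@{ Target = $Label; Server = $Server; Result = 'OK';
                           Entries = $resp.Entries.Count; MemberOf = $groups }
    }
    catch {
        # LdapException carries the server's result code and diagnostic text;
        # comparing this string across targets is the point of the exercise.
        [pscustomobject]@{ Target = $Label; Server = $Server;
                           Result = $_.Exception.Message; Entries = 0; MemberOf = 0 }
    }
    finally {
        $conn.Dispose()
    }
}

# 1. The name exactly as the application configures it.
$results = @(Test-GcSimpleBind -Server $LbName -Label 'lb-name')

# 2. Every address behind that name, so one bad pool member stands out.
foreach ($ip in [System.Net.Dns]::GetHostAddresses($LbName)) {
    $results += Test-GcSimpleBind -Server $ip.IPAddressToString -Label 'lb-member'
}

# 3. The DC FQDN that is known to work, as the control case.
$results += Test-GcSimpleBind -Server $KnownDc -Label 'known-good-fqdn'

$results | Format-Table -AutoSize
```

Run it from the application server itself, not from an admin workstation, so the name resolution and the path to the pool are the ones the application actually sees. A simple bind puts the password on the wire in clear text exactly as the application does, so the capture the poster plans to take will show the bind request and the server's bind response for each target; the result code in that response is what to compare between the pool members and the control host.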