Author | Messages

bartvdw | Posts: 20 | 07/13/2010 9:53 AM

Hi,
Environment is a production domain with 1 child domain. Everything is currently running Windows Server 2003. FFL and DFL are both 2003.
We're going to upgrade the production domain to Windows Server 2008 R2, all DCs. However, we're not going to touch the child domain as its existence is not certain in the future.
After we've completed the upgrade of the production domain, what is advised regarding FFL and DFL? Leave it on 2003 level or can we upgrade as well? What's the impact on the child domain?
Many thanks -Bart

chriss3 | Posts: 19 | 07/13/2010 10:01 AM

Hi. Introducing Windows Server 2008 R2 DCs means that you have to extend the schema. What you have is a forest with two domains; you can't really run this kind of operation isolated to the boundary of one specific domain. Raising the FFL means raising the DFL of all domains in the forest as well.
Both of the above operations require a healthy AD in terms of replication and consistency. If you experience trouble with the child domain, I suggest you make a decision to either remove it or solve any related issues.
Enfo Zipper Christoffer Andersson - Principal Advisor Microsoft MVP - Directory Services
GuidoG | Posts: 113 | 07/13/2010 10:10 AM

You can go to 2008 R2 DFL in your "production" domain, which won't impact your child domain.
Note that I have heard of a few incidents where shortcut-trusts were no longer working after switching domain mode, but they were easily re-established afterwards. Usually it's a non-issue.
You can't switch to 2008 R2 FFL, as that would require upgrading your child-dom as well. As such you won't be in the position to enable features such as un-delete.
Here is a list of the differences between the various levels: http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx
/Guido
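The two points made so far (the DFL can be raised per domain once all of that domain's DCs are 2008 R2, while the FFL has to wait for every domain in the forest, and both steps presuppose healthy replication) can be checked before touching anything. The script below is an added example, not code from any poster or from Microsoft; it assumes the ActiveDirectory PowerShell module from Windows Server 2008 R2 / RSAT and that an eligible DC's OperatingSystem string contains "2008 R2".

```powershell
# Added example: pre-flight report for raising one domain's DFL to Windows Server 2008 R2
# while another domain in the forest stays at 2003, plus the reason the FFL cannot follow yet.
# Assumption: eligible DCs report an OperatingSystem string containing "2008 R2".
Import-Module ActiveDirectory

# 1. Replication must be healthy before any schema extension or functional-level change.
repadmin /replsummary

# 2. Per-domain view: current DFL and whether every DC is already 2008 R2.
$forest = Get-ADForest
$report = foreach ($dom in $forest.Domains) {
    $dcs    = @(Get-ADDomainController -Filter * -Server $dom)
    $oldDcs = @($dcs | Where-Object { $_.OperatingSystem -notlike '*2008 R2*' })
    New-Object PSObject -Property @{
        Domain       = $dom
        CurrentDFL   = [string](Get-ADDomain -Identity $dom).DomainMode
        DCs          = $dcs.Count
        AllDCs2008R2 = ($oldDcs.Count -eq 0)
        OldDCs       = ($oldDcs | ForEach-Object { "$($_.HostName) [$($_.OperatingSystem)]" }) -join ', '
    }
}
$report | Format-Table Domain, CurrentDFL, DCs, AllDCs2008R2, OldDCs -AutoSize

# 3. The FFL can only be raised once every domain in the forest is at the target DFL,
#    so a child domain left at 2003 blocks the forest, not just itself.
$forestReady = @($report | Where-Object { $_.CurrentDFL -ne 'Windows2008R2Domain' }).Count -eq 0
"Forest $($forest.Name): FFL is $($forest.ForestMode); can raise to 2008 R2 FFL: $forestReady"

# 4. Raise only the domain(s) whose DCs are all 2008 R2. -WhatIf reports the change without
#    applying it; remove it once the report above has been reviewed.
foreach ($r in $report | Where-Object { $_.AllDCs2008R2 -and $_.CurrentDFL -ne 'Windows2008R2Domain' }) {
    Set-ADDomainMode -Identity $r.Domain -DomainMode Windows2008R2Domain -WhatIf
}
```

Raising a functional level is one-way on these OS versions, so the -WhatIf run and the replication summary are worth keeping with the change record.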
bartvdw | Posts: 20 | 07/13/2010 11:41 AM

Hi Guido,
Thanks. I think that we best leave the DFL as it is. Indeed, without upgrading the FFL we can't use features such as un-delete, and therefore I don't see any added value in upgrading the DFL without upgrading the FFL.
However, what do you precisely mean by "shortcut-trusts"?
Additionally, does extending the schema have any impact on trusts?
Thanks again guys -Bart
kbatkbslpcom | Posts: 194 | 07/13/2010 1:22 PM

Short-cut trusts are (generally) between child domains from a root.
root "A.com" child "B.a.com" child "C.a.com"
In a forest, all domains have a transitive trust...so in the above, a trusts b, b trusts c, a trusts c, etc.
However, for authentication to go from "B" to "C", the trust/authentication path goes through domain "A". If "A" is an empty root, it probably has few DCs in it, and probably none of the DCs are local to most clients, so cross-domain access (from B to C, etc.) involves DCs in "B" and "C" talking to a DC in domain "A". If the DCs in "A" are across a WAN (and the WAN is down), no authentication.
A short-cut trust would be created from "B" to "C" - and thereby the trust "path" doesn't flow through "A". The authentication "shortcut" path goes from DC's in "B" to DC's in "C".
I had a scenario involving cross domain (different forests) trusts and upgrading them forest trusts (in a forest trust, the authentication path goes through the forest root...so a root DC must be available for it to work - my question was about potential load, WAN issues, etc)
Per a case I had with Microsoft about this, this is a partial response from the engineer (who consulted with a couple of other MS folks): The consensus between us is that it is not advisable to leave the existing trusts in place after the two-way forest trust is put into place. Leaving the existing trusts while establishing a forest-to-forest trust leaves multiple Trusted Domain Objects (TDOs) referencing the same domains. When the forest trust TDO is chosen, the systems will attempt Kerberos authentication as the highest supported authentication across that type of trust. When a TDO for the external trust between the child domains is selected, authentication will not use Kerberos. End users may experience unexpected requests for credentials as various queries of the TDOs return different trust results.
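The trusts described above (parent/child, shortcut, forest and external) are all stored as trustedDomain objects under CN=System, so the two conditions this post raises, which trusts are shortcuts and whether an external TDO overlaps a forest trust, can be read straight from the directory. The script is an added example, not from any poster; it uses plain ADSI so it runs on 2003-era tooling, decodes trustAttributes per the MS-ADTS bit definitions, and assumes (heuristically) that a domain is covered by a forest trust when its DNS name sits under the forest-trust partner's name.

```powershell
# Added example: classify this domain's trusted-domain objects (TDOs) and flag the
# duplicate-TDO situation (external trust to a domain already covered by a forest trust).
# Assumption: contiguous DNS namespace, so "child.partner.com" is covered by a forest trust
# to "partner.com"; tree-root and shortcut trusts cannot be told apart from attributes alone.
$rootDse    = [ADSI]"LDAP://RootDSE"
$defaultNC  = [string]$rootDse.defaultNamingContext
$thisDomain = ($defaultNC -replace '^DC=', '' -replace ',DC=', '.').ToLower()
function Get-ParentDns([string]$d) { if ($d.Contains('.')) { $d.Substring($d.IndexOf('.') + 1) } else { '' } }

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=System,$defaultNC"
$searcher.Filter = '(objectClass=trustedDomain)'
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustDirection', 'trustAttributes'))

$trusts = foreach ($r in $searcher.FindAll()) {
    $attr = [int]$r.Properties['trustattributes'][0]
    $t = New-Object PSObject -Property @{
        Partner       = ([string]$r.Properties['trustpartner'][0]).ToLower()
        Direction     = (@{1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional'})[[int]$r.Properties['trustdirection'][0]]
        WithinForest  = [bool]($attr -band 0x20)   # TRUST_ATTRIBUTE_WITHIN_FOREST
        ForestTrust   = [bool]($attr -band 0x08)   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        NonTransitive = [bool]($attr -band 0x01)   # TRUST_ATTRIBUTE_NON_TRANSITIVE
    }
    # Parent/child = partner is exactly one DNS label above or below this domain;
    # any other within-forest TDO is a shortcut (or tree-root) trust.
    $parentChild = ((Get-ParentDns $t.Partner) -eq $thisDomain) -or ((Get-ParentDns $thisDomain) -eq $t.Partner)
    $kind = 'External'
    if ($t.ForestTrust) { $kind = 'Forest' }
    elseif ($t.WithinForest) { $kind = if ($parentChild) { 'Parent/child' } else { 'Shortcut or tree-root' } }
    $t | Add-Member NoteProperty Kind $kind -PassThru
}
$trusts | Sort-Object Kind, Partner | Format-Table Partner, Kind, Direction, NonTransitive -AutoSize

# Duplicate coverage check: an external TDO whose partner is the forest-trust partner itself
# or lives under its namespace means two TDOs can answer for the same domain.
$forestPartners = @($trusts | Where-Object { $_.ForestTrust } | ForEach-Object { $_.Partner })
foreach ($t in @($trusts | Where-Object { $_.Kind -eq 'External' })) {
    foreach ($fp in $forestPartners) {
        if ($t.Partner -eq $fp -or $t.Partner.EndsWith(".$fp")) {
            Write-Warning "External trust to $($t.Partner) overlaps forest trust to $fp (multiple TDOs for one domain)."
        }
    }
}
```

Run it once in each domain that holds trusts, since TDOs are stored per domain, not per forest.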
febrero | Posts: 9 | 07/13/2010 3:12 PM

FFL cannot be raised until all DCs are 2008 R2.
Production Domain DFL can be raised...