List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Domain/Forest Functional Levels and Trusts
rmscheck

Posts:245

04/12/2010 5:16 PM  
Folks,

Are there any dependencies on DFLs or FFLs when dealing with trusts? I
am currently trying to find any shred of info that talks about this.

Basically we have an External trust to an NT4 domain and are looking to
someday upgrade to 2008 R2 DCs and eventually some day 2008 R2
DFL/FFL..

I'm trying to pin down any dependencies or caveats we may run into
with 2008 R2 upgrades to this ancient trust.

I know I know.. get rid of NT4.. believe me, I'm trying!

-Rand

kbatkbslpcom

Posts:194

04/12/2010 5:35 PM  
Not a DFL/FFL level issue...but what I ran across last year was that NT4
and 2008 (we are not using R2) don't play well together.

During the domain upgrade from OS/2000 (2000 "native" mode) to OS/2008
("2000" native mode) - NT4 trusts broke.

I think it is related to MS08-068...since we elected to only go up to
2003 DFL/FFL, the decision in the name of expedience (i.e. don't waste
time testing since we have an alternative) was to just bring up a 2003
DC and make it the PDC-E...until the NT4 domains (plural!) are gone.


...
but it looks like MS08-068 (SMB vulnerability) may be causing the 2008
DCs to not talk to NT4 machines - at least for domain trust purposes
(not sure for other security related communications).

I'm thinking of trying this as a test - but if we go this route, it
requires either entirely (i.e. disable MS08-068) or selectively (and by
selectively, I mean updating the registry of each 2008 DC with the names
of each NT4 server).
...



-----Original Message-----
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, April 12, 2010 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain/Forest Functional Levels and Trusts


Folks,

Are there any dependencies on DFLs or FFLs when dealing with trusts? I
am currently trying to find any shred of info that talks about this.

Basically we have an External trust to an NT4 domain and are looking to
someday upgrade to 2008 R2 DCs and eventually some day 2008 R2 DFL/FFL..

I'm trying to pin down any dependencies or caveats we may run into with
2008 R2 upgrades to this ancient trust.

I know I know.. get rid of NT4.. believe me, I'm trying!

-Rand


pbbergs

Posts:281

04/13/2010 4:45 PM  
Check out an article I have on modifications you will need to make once the Forest is upgraded from 2000. This covers an upgrade to 2003 but I believe it holds true for 2008 as well.

http://www.pbbergs.com/windows/articles.htm
Select NT4 -v- Active Directory Trust


Thanks

Paul


-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, April 12, 2010 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain/Forest Functional Levels and Trusts

Folks,

Are there any dependencies on DFLs or FFLs when dealing with trusts? I am currently trying to find any shred of info that talks about this.

Basically we have an External trust to an NT4 domain and are looking to someday upgrade to 2008 R2 DCs and eventually some day 2008 R2 DFL/FFL..

I'm trying to pin down any dependencies or caveats we may run into with 2008 R2 upgrades to this ancient trust.

I know I know.. get rid of NT4.. believe me, I'm trying!

-Rand


ZJORZ

Posts:363

04/29/2010 10:27 PM  
Have a look at:
The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2
domain controllers does not allow the use of older cryptography algorithms
that are compatible with Windows NT 4.0 by default
http://support.microsoft.com/kb/942564

NOTE THE FOLLOWING:
This problem occurs because of the default behavior of the Allow
cryptography algorithms compatible with Windows NT 4.0 policy on Windows
Server 2008-based domain controllers. This policy is configured to prevent
Windows operating systems and third-party clients from using weak
cryptography algorithms to establish NETLOGON security channels to Windows
Server 2008-based domain controllers.

Important: Windows NT 4.0 trusts cannot be created between Windows Server
2008 R2-based domains and Windows NT 4.0-based domains. The workaround steps
that are documented later in this article apply to only Windows Server 2008.
Security changes that are in Windows Server 2008 R2 prevent a trust between
Windows Server 2008 R2-based domains and Windows NT 4.0-based domains. This
behavior is by design.



Cheers,

(HOPEFULLY THIS INFORMATION HELPS YOU!)

Ing. Jorge de Almeida Pinto
Senior Technical Consultant
MVP Identity & Access - Directory Services
(MVP Profile) (Blog)

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always test before implementing!


-----Original Message-----
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Rand Salazar
Sent: Monday, April 12, 2010 18:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain/Forest Functional Levels and Trusts

Folks,

Are there any dependencies on DFLs or FFLs when dealing with trusts? I am
currently trying to find any shred of info that talks about this.

Basically we have an External trust to an NT4 domain and are looking to
someday upgrade to 2008 R2 DCs and eventually some day 2008 R2 DFL/FFL..

I'm trying to pin down any dependencies or caveats we may run into with 2008
R2 upgrades to this ancient trust.

I know I know.. get rid of NT4.. believe me, I'm trying!

-Rand
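
An audit check for the Net Logon policy quoted from KB 942564 above, as an added example that is not part of any post in this thread. It reports whether a domain controller has been set to accept NT4-compatible cryptography and reads that against the OS version; the registry path and the value name `AllowNT4Crypto` are assumptions about where the policy is stored, and the function names are hypothetical.

```powershell
# Added example, not from the thread. Assumed: the policy is stored as the DWORD
# AllowNT4Crypto under the Netlogon policy key below; confirm against KB 942564.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'

function Get-NT4CryptoAssessment {
    param(
        [Nullable[int]]$AllowNT4Crypto,                      # $null means "not configured"
        [Parameter(Mandatory = $true)][Version]$OsVersion
    )
    $weakAllowed = ($AllowNT4Crypto -eq 1)
    $isR2OrLater = ($OsVersion -ge [Version]'6.1')           # 6.0 = 2008, 6.1 = 2008 R2
    $finding = if (-not $weakAllowed) {
        'Default: NT4-compatible Netlogon cryptography is refused.'
    } elseif ($isR2OrLater) {
        # Per the KB text quoted above, the workaround applies only to Windows Server 2008.
        'Weak cryptography allowed on 2008 R2 or later; review and remove.'
    } else {
        'Weak cryptography allowed for NT4 secure channels; track as a temporary exception.'
    }
    New-Object PSObject -Property @{
        AllowNT4Crypto    = $AllowNT4Crypto
        OsVersion         = $OsVersion
        WeakCryptoAllowed = $weakAllowed
        Finding           = $finding
    }
}

function Get-LocalNT4CryptoState {
    # Reads the local machine; a missing key or value is treated as "not configured".
    $value = $null
    $item = Get-ItemProperty -Path $PolicyKey -Name AllowNT4Crypto -ErrorAction SilentlyContinue
    if ($null -ne $item) { $value = [int]$item.AllowNT4Crypto }
    Get-NT4CryptoAssessment -AllowNT4Crypto $value -OsVersion ([Environment]::OSVersion.Version)
}

# Constructed sample inputs: 2008 DC with the exception set, 2008 DC at default,
# and a 2008 R2 DC that still carries the exception.
Get-NT4CryptoAssessment -AllowNT4Crypto 1     -OsVersion '6.0.6002'
Get-NT4CryptoAssessment -AllowNT4Crypto $null -OsVersion '6.0.6002'
Get-NT4CryptoAssessment -AllowNT4Crypto 1     -OsVersion '6.1.7600'

# On a domain controller, report the live state:
Get-LocalNT4CryptoState
```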


