Solved

Creating an AD trust between a domain with W2K3 Srvr R2/SP2 and one that is only at SP2

Posted on 2009-05-15
12
Medium Priority
Last Modified: 2012-05-07
I am wondering if there are any issues with creating a trust between two domains, one whose DCs are sitting at W2K3 R2/SP2 and the other domain's DCs are sitting at only W2K3 SP2?

1) I need to know if there will be any incompatibility problems
2) Replication (in general) / Replication speed issues?
3) How does this difference in the OS levels affect AD communication, if at all?

Need some documentation that supports your answers.  Thanks, much!
Question by:Monterio
12 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24401798
Hi!

If both domains are part of the same forest, R2 schema changes were replicated to all domain controllers, regardless of their version. R2 introduces many new features but as far as I know AD replication has not changed. New AD related features are ADAM and ADFS:

"What's New in Windows Server 2003 R2"
http://technet.microsoft.com/en-us/library/cc773240.aspx

If domains are not part of the same forest there will be no replication between them.

HTH

Toni
LVL 1

Author Comment

by:Monterio
ID: 24412182
Thanks much!  I thought as much, but couldn't find much info to validate it.  What's your source, for future reference?
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413020
When you run adprep /forestprep to add the Windows Server 2003 R2 schema updates, you do not have to upgrade your existing domain controllers to Windows Server 2003 R2; they can continue to run Windows NT® Server 4.0, Windows® 2000 Server, or Windows Server 2003.

from article "Active Directory Schema Update"
http://technet.microsoft.com/en-us/library/cc755834(WS.10).aspx

"A forest is an instance of Active Directory" comes from MOC 2279. The AD database contains several partitions; the Schema and Configuration partitions are replicated between all DCs in the entire forest. Check the following article "The Importance of Active Directory Replication"
http://www.tech-faq.com/active-directory-replication.shtml
LVL 1

Author Comment

by:Monterio
ID: 24413238
I wasn't planning on having the other teams that are not at R2 run adprep /forestprep.  I was merely going to have them run the second CD and call it a day.  In the past I hadn't had to run adprep when I upgraded the DCs on our side (corporate network), I just ran the second CD and all went well.

Are you saying that the other teams that are not at R2 will have to run adprep as well?  Seems odd.
LVL 1

Author Comment

by:Monterio
ID: 24413513
I thought this was worth increasing the point value.  :-)
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413585
I still don't know if we are talking about domains in single forest or multiple forests?

Adprep /forestprep is run once in the entire forest on the Schema master, with the credentials of a user account which is a member of the Schema Admins group.
LVL 1

Author Comment

by:Monterio
ID: 24413750
I'm creating an external, down-level trust between domains in two separate forests.  As I stated, one forest is at W2K3 Server R2 SP2 and the other is at W2K3 Server SP1.
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24414039
An external trust between two domains in two forests supports only NTLM authentication. You could say that you will create an NT 4.0 type of trust. Windows 2003 or R2 does not play a role in this scenario.

If you raised the forest functional level to Windows 2003 in both forests you would be able to create a forest trust between the two forests. A forest trust is partially transitive. All domains from one forest trust all domains in the second forest.
LVL 1

Author Comment

by:Monterio
ID: 24414167
We are at W2K3 functional level, but I do not wish to create forest level trusts.  Too many issues to work out with the ISOs in each country that I cannot verify 100% that everyone is compliant.  So I'm only looking at creating down-level trusts.
LVL 31

Accepted Solution

by:Toni Uranjek (earned 300 total points)
ID: 24414418
A trust is a trust. From a security point of view it does not matter if it is an external or forest trust. OK, I take that last statement back. I prefer Kerberos authentication to NTLM authentication. I should add that a forest trust supports selective authentication: http://technet.microsoft.com/en-us/library/cc758152(WS.10).aspx
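As an added example (not code from this thread), a PowerShell audit of a domain's existing trusts that reports the points raised in the accepted answer: whether each trust is an external (NTLM-only, NT 4.0 style) trust or a forest trust, and whether selective authentication and SID filtering are enabled on it. It assumes the ActiveDirectory RSAT module on a management host (Get-ADTrust comes with the 2008 R2 or later toolset; it queries the trustedDomain objects but does not need R2 DCs).

```powershell
# Added example: audit the trusts of the current (or a named) domain.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    param(
        # Domain to query; defaults to the domain of the logged-on user
        [string]$Domain = $env:USERDNSDOMAIN
    )
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $t = $_
        # Classify the trust from its attributes: intra-forest, forest, or external
        $kind = if ($t.IntraForest) { 'intra-forest' }
                elseif ($t.ForestTransitive) { 'forest' }
                else { 'external' }

        # Notes a defender wants to see when reviewing a trust inventory
        $notes = @()
        if ($kind -eq 'external') {
            $notes += 'external trust: NTLM authentication only'
            if (-not $t.SIDFilteringQuarantined) {
                $notes += 'SID filtering (quarantine) is OFF'
            }
        }
        if ($kind -ne 'intra-forest' -and -not $t.SelectiveAuthentication) {
            $notes += 'selective authentication is OFF (domain-wide authentication)'
        }
        if ($t.TrustType -eq 'Downlevel') {
            $notes += 'down-level (NT 4.0 style) trust object'
        }

        [pscustomobject]@{
            Target        = $t.Target
            Kind          = $kind
            Direction     = $t.Direction
            TrustType     = $t.TrustType
            SelectiveAuth = $t.SelectiveAuthentication
            SIDFiltering  = $t.SIDFilteringQuarantined
            Notes         = ($notes -join '; ')
        }
    }
}

# Print one row per trust; run against each of the six partner forests as well
Get-TrustAuditReport | Format-Table -AutoSize
```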
LVL 1

Author Comment

by:Monterio
ID: 24506464
Sorry, guys...serious AD issues I've had to deal with over the last several days.  To put this question to bed, here's what I have:

GOAL:   I need to setup 6 external trusts from my domain to 6 other forests in 6 other countries.
ISSUE:  3 of the six are at W2K3 functional level with all DCs clocking in at W2K3 R2 SP3.  The other 3 are at W2K functional level with all DCs clocking in at either W2K and/or W2K3 (both in one case) SP1 or SP2, but no R2 in either case.

Can I still set up the external trust?  What are the pitfalls that I'm gonna run into? (I already know that my DFS won't work properly because 3 of 'em don't have R2 installed and R2 has improvements in DFS like being able to access a share via CNAME as opposed to having to use the FQDN)
LVL 1

Author Closing Comment

by:Monterio
ID: 31582073
Not the in-depth answer I was hoping for, but I do appreciate the effort put forth in trying to address my question.  Thanks, much!