Solved

Creating an AD trust between a domain with W2K3 Srvr R2/SP2 and one that is only at SP2

Posted on 2009-05-15
12
392 Views
Last Modified: 2012-05-07
I am wondering if there are any issues with creating a trust between two domains, one where its DCs are sitting at W2K3 R2/SP2 and the other domain's DCs are sitting at only W2K3 SP2?

1) I need to know if there will be any incompatibility problems
2) Replication (in general) / Replication speed issues?
3) How does this difference in the OS levels affect AD communication, if at all?

Need some documentation that supports your answers.  Thanks, much!
0
Question by:Monterio
12 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24401798
Hi!

If both domains are part of the same forest, R2 schema changes were replicated to all domain controllers, regardless of their version. R2 introduces many new features, but as far as I know AD replication has not changed. New AD-related features are ADAM and ADFS:

"What's New in Windows Server 2003 R2"
http://technet.microsoft.com/en-us/library/cc773240.aspx

If domains are not part of the same forest there will be no replication between them.

HTH

Toni
0
 
LVL 1

Author Comment

by:Monterio
ID: 24412182
Thanks much!  I thought as much, but couldn't find much info to validate it.  What's your source, for future reference?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413020
When you run adprep /forestprep to add the Windows Server 2003 R2 schema updates, you do not have to upgrade your existing domain controllers to Windows Server 2003 R2; they can continue to run Windows NT® Server 4.0, Windows® 2000 Server, or Windows Server 2003.

from article "Active Directory Schema Update"
http://technet.microsoft.com/en-us/library/cc755834(WS.10).aspx

"A forest is an instance of Active Directory" comes from MOC 2279. The AD database contains multiple partitions; the Schema and Configuration partitions are replicated between all DCs in the entire forest. Check the following article, "The Importance of Active Directory Replication":
http://www.tech-faq.com/active-directory-replication.shtml
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413238
I wasn't planning on having the other teams that are not at R2 run adprep /forestprep.  I was merely going to have them run the second CD and call it a day.  In the past I hadn't had to run adprep when I upgraded the DCs on our side (corporate network); I just ran the second CD and all went well.

Are you saying that the other teams that are not at R2 will have to run adprep as well?  Seems odd.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413513
I thought this was worth increasing the point value.  :-)
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413585
I still don't know if we are talking about domains in a single forest or in multiple forests.

Adprep /forestprep is run once in the entire forest, on the Schema master, with the credentials of a user account that is a member of the Schema Admins group.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413750
I'm creating an external, down-level trust between domains in two separate forests.  As I stated, one forest is at W2K3 Server R2 SP2 and the other is at W2K3 Server SP1.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24414039
An external trust between two domains in two forests supports only NTLM authentication. You could say that you will create an NT 4.0 type of trust. Windows 2003 or R2 does not play a role in this scenario.

If you raised the forest functional level to Windows 2003 in both forests, you would be able to create a forest trust between the two forests. A forest trust is partially transitive: all domains from one forest trust all domains in the second forest.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24414167
We are at W2K3 functional level, but I do not wish to create forest level trusts.  Too many issues to work out with the ISOs in each country that I cannot verify 100% that everyone is compliant.  So I'm only looking at creating down-level trusts.
0
 
LVL 31

Accepted Solution

by:Toni Uranjek (earned 100 total points)
ID: 24414418
A trust is a trust. From a security point of view it does not matter if it is an external or a forest trust. OK, I take that last statement back. I prefer Kerberos authentication to NTLM authentication. I should add that a forest trust supports selective authentication: http://technet.microsoft.com/en-us/library/cc758152(WS.10).aspx
0
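Because the thread's security point is the difference between domain-wide and selective authentication (and, by extension, SID filtering) on external versus forest trusts, here is an added audit script, not from the original thread or from either participant, that lists a domain's trusts and flags the settings a reviewer would question. It assumes the ActiveDirectory PowerShell module (RSAT or a 2008 R2 or later DC) is available; the function and parameter names are my own.

```powershell
# Added example (not from the original thread): audit existing trusts from a
# defender's view. Assumes the ActiveDirectory module (Get-ADTrust) is present;
# on a Windows Server 2003 DC use "netdom trust ... /verify" from the Support
# Tools instead, which has no object output.
Import-Module ActiveDirectory

function Get-TrustAuditReport {
    # $Domain is an assumed parameter name; defaults to the caller's domain.
    param([string]$Domain = $env:USERDNSDOMAIN)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Classify the trust. An external trust (cross-forest, non-transitive)
        # is the NT 4.0-style trust discussed above and carries NTLM only.
        if ($_.IntraForest)          { $kind = 'IntraForest' }
        elseif ($_.ForestTransitive) { $kind = 'Forest' }
        else                         { $kind = 'External' }

        # Collect findings a reviewer would want to see.
        $findings = @()
        if (-not $_.IntraForest -and -not $_.SelectiveAuthentication) {
            # Every user in the partner can authenticate to every resource here.
            $findings += 'Domain-wide authentication (no selective auth)'
        }
        if ($kind -eq 'External' -and -not $_.SIDFilteringQuarantined) {
            # Quarantine off means SIDs from outside the partner domain are honoured.
            $findings += 'SID filtering (quarantine) disabled'
        }
        if ($kind -eq 'Forest' -and -not $_.SIDFilteringForestAware) {
            $findings += 'SID filtering disabled on forest trust'
        }

        [pscustomobject]@{
            Partner       = $_.Name
            Kind          = $kind
            Direction     = $_.Direction      # Inbound, Outbound or BiDirectional
            TrustType     = $_.TrustType      # Uplevel (AD) or Downlevel (NT 4.0)
            SelectiveAuth = $_.SelectiveAuthentication
            Finding       = ($findings -join '; ')
        }
    }
}

# Usage: run on a domain-joined machine with rights to read trust objects.
Get-TrustAuditReport | Format-Table -AutoSize
```

Rows with an empty Finding column are trusts that already use selective authentication with SID filtering on; the others are the ones to discuss with the partner forest's administrators.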
 
LVL 1

Author Comment

by:Monterio
ID: 24506464
Sorry, guys...serious AD issues I've had to deal with over the last several days.  To put this question to bed, here's what I have:

GOAL:   I need to setup 6 external trusts from my domain to 6 other forests in 6 other countries.
ISSUE:  3 of the six are at W2K3 functional level with all DCs clocking in at W2K3 R2 SP3.  The other 3 are at W2K functional level with all DCs clocking in at either W2K and/or W2K3 (both in one case) SP1 or SP2, but no R2 in either case.

Can I still set up the external trust?  What are the pitfalls that I'm gonna run into? (I already know that my DFS won't work properly because 3 of 'em don't have R2 installed, and R2 has improvements in DFS like being able to access a share via CNAME as opposed to having to use the FQDN.)
0
 
LVL 1

Author Closing Comment

by:Monterio
ID: 31582073
Not the in-depth answer I was hoping for, but I do appreciate the effort put forth in trying to address my question.  Thanks, much!
0
