Solved

Creating an AD trust between a domain with W2K3 Srvr R2/SP2 and one that is only at SP2

Posted on 2009-05-15
Last Modified: 2012-05-07
I am wondering if there are any issues with creating a trust between two domains, one where its DCs are sitting at W2K3 R2/SP2 and the other domain's DCs are sitting at only W2K3 SP2?

1) I need to know if there will be any incompatibility problems
2) Replication (in general) / Replication speed issues?
3) How does this difference in the OS levels affect AD communication, if at all?

Need some documentation that supports your answers.  Thanks, much!
0
Question by:Monterio
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24401798
Hi!

If both domains are part of the same forest, R2 schema changes were replicated to all domain controllers, regardless of their version. R2 introduces many new features but as far as I know AD replication has not changed. New AD related features are ADAM and ADFS:

"What's New in Windows Server 2003 R2"
http://technet.microsoft.com/en-us/library/cc773240.aspx

If domains are not part of the same forest there will be no replication between them.

HTH

Toni
0
 
LVL 1

Author Comment

by:Monterio
ID: 24412182
Thanks much!  I thought as much, but couldn't find much info to validate it.  What's your source, for future reference?
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413020
When you run adprep /forestprep to add the Windows Server 2003 R2 schema updates, you do not have to upgrade your existing domain controllers to Windows Server 2003 R2; they can continue to run Windows NT® Server 4.0, Windows® 2000 Server, or Windows Server 2003.

from article "Active Directory Schema Update"
http://technet.microsoft.com/en-us/library/cc755834(WS.10).aspx

"A forest is an instance of Active Directory" comes from MOC 2279. The AD database contains multiple partitions; the Schema and Configuration partitions are replicated between all DCs in the entire forest. Check the following article, "The Importance of Active Directory Replication":
http://www.tech-faq.com/active-directory-replication.shtml
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413238
I wasn't planning on having the other teams that are not at R2 run adprep /forestprep.  I was merely going to have them run the second CD and call it a day.  In the past I hadn't had to run adprep when I upgraded the DCs on our side (corporate network), I just ran the second CD and all went well.

Are you saying that the other teams that are not at R2 will have to run adprep as well?  Seems odd.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413513
I thought this was worth increasing the point value.  :-)
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413585
I still don't know if we are talking about domains in a single forest or multiple forests?

Adprep /forestprep is run once in the entire forest, on the Schema master, with the credentials of a user account which is a member of the Schema Admins group.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413750
I'm creating an external, down-level trust between domains in two separate forests.  As I stated, one forest is at W2K3 Server R2 SP2 and the other is at W2K3 Server SP1.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24414039
An external trust between two domains in two forests supports only NTLM authentication. You could say that you will create an NT 4.0 type of trust. Windows 2003 or R2 does not play a role in this scenario.

If you would raise the forest functional level to Windows 2003 in both forests you would be able to create a forest trust between the two forests. A forest trust is partially transitive. All domains from one forest trust all domains in the second forest.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24414167
We are at W2K3 functional level, but I do not wish to create forest level trusts.  Too many issues to work out with the ISOs in each country that I cannot verify 100% that everyone is compliant.  So I'm only looking at creating down-level trusts.
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 100 total points
ID: 24414418
Trust is a trust. From a security point of view it does not matter if it is an external or a forest trust. OK, I take the last statement back. I prefer Kerberos authentication to NTLM authentication. I should add that a forest trust supports selective authentication: http://technet.microsoft.com/en-us/library/cc758152(WS.10).aspx
0
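
Added example, not part of the original thread: a PowerShell audit of the kind of trusts discussed above, listing each domain trust's type and direction and, for external trusts where this domain is the trusting side, whether SID filtering and selective authentication are enabled. It uses the .NET `System.DirectoryServices.ActiveDirectory` classes and assumes PowerShell 3.0 or later on a domain-joined machine; the function name `Get-TrustAudit` and the `Review` column are hypothetical.

```powershell
# Added example: audit the trusts of the current domain.
# Get-TrustAudit is a hypothetical helper name, not a built-in cmdlet.
function Get-TrustAudit {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    foreach ($trust in $domain.GetAllTrustRelationships()) {
        $sidFiltering  = 'n/a'
        $selectiveAuth = 'n/a'
        $review        = $false

        # SID filtering and selective authentication are enforced by the
        # trusting domain, so query them only for external trusts that
        # have an outbound side from this domain.
        $isExternal  = $trust.TrustType -eq 'External'
        $hasOutbound = $trust.TrustDirection -ne 'Inbound'

        if ($isExternal -and $hasOutbound) {
            try {
                $sidFiltering  = $domain.GetSidFilteringStatus($trust.TargetName)
                $selectiveAuth = $domain.GetSelectiveAuthenticationStatus($trust.TargetName)
                # Flag trusts that accept SIDs from outside the trusted domain.
                $review = -not $sidFiltering
            } catch {
                # Report the failure instead of aborting the whole audit.
                $sidFiltering  = 'error'
                $selectiveAuth = 'error'
                $review        = $true
                Write-Warning "$($trust.TargetName): $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Source        = $trust.SourceName
            Target        = $trust.TargetName
            Type          = $trust.TrustType
            Direction     = $trust.TrustDirection
            SidFiltering  = $sidFiltering
            SelectiveAuth = $selectiveAuth
            Review        = $review
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize
```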
 
LVL 1

Author Comment

by:Monterio
ID: 24506464
Sorry, guys...serious AD issues I've had to deal with over the last several days.  To put this question to bed, here's what I have:

GOAL:   I need to setup 6 external trusts from my domain to 6 other forests in 6 other countries.
ISSUE:  3 of the six are at W2K3 functional level with all DCs clocking in at W2K3 R2 SP3.  The other 3 are at W2K functional level with all DCs clocking in at either W2K and/or W2K3 or (both in one case) SP1 or SP2, but no R2 in either case.

Can I still set up the external trust?  What are the pitfalls that I'm gonna run into? (I already know that my DFS won't work properly because 3 of 'em don't have R2 installed and R2 has improvements in DFS like being able to access a share via CNAME as opposed to having to use the FQDN)
0
 
LVL 1

Author Closing Comment

by:Monterio
ID: 31582073
Not the in-depth answer I was hoping for, but I do appreciate the effort put forth in trying to address my question.  Thanks, much!
0
