[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 399
  • Last Modified:

Creating an AD trust between a domain with W2K3 Srvr R2/SP2 and one that is only at SP2

I am wondering if there are any issues with creating a trust between two domain, one where its DCs are sitting at W2K3 R2/SP2 and the other domain's DCs are sitting at only W2K3 SP2?

1) I need to know if there will be any incompatibility problems
2) Replication (in general) / Replication speed issues?
3) How does this difference in the OS levels affect AD communication, if at all?

Need some documentation that supports your answers.  Thanks, much!
0
Monterio
Asked:
Monterio
  • 7
  • 5
1 Solution
 
Toni UranjekConsultant/TrainerCommented:
Hi!

If both domains are part of the same forest, R2 schema changes were replicated to all domain controllers controllers, regardless of their version. R2 intoduces many new features but as far as I know AD replication has not changed. New AD related features are ADAM and ADFS:

"What's New in Windows Server 2003 R2"
http://technet.microsoft.com/en-us/library/cc773240.aspx

If domains are not part of the same forest there will be no replication between them.

HTH

Toni
0
 
MonterioAuthor Commented:
Thanks much!  I thought as much, but couldn't find much info to validate it.  What's your source, for future reference.
0
 
Toni UranjekConsultant/TrainerCommented:
When you run adprep /forestprep to add the Windows Server 2003 R2 schema updates, you do not have to upgrade your existing domain controllers to Windows Server 2003 R2; they can continue to run Windows NT® Server 4.0, Windows® 2000 Server, or Windows Server 2003.

from article "Active Directory Schema Update"
http://technet.microsoft.com/en-us/library/cc755834(WS.10).aspx

A forest is an instance of Active Directory comes from MOC 2279. AD database contains more partitions, Schema and Configuration partition are replicated between all DCs in entire forest. Check the following article "The Importance of Active Directory Replication"
http://www.tech-faq.com/active-directory-replication.shtml
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
MonterioAuthor Commented:
I wasn't planning on running having the other teams run adprep/forestprep that are not at R2.  I was merely going to have them run the second CD and call it a day.  In the past I hadn't had to run adprep when I upgrade the DCs on our side (corporate network), I just ran the second CD and all went well.

Are you saying that the other teams that are not at R2 will have to run adprep as well?  Seems odd.
0
 
MonterioAuthor Commented:
I thought this was worth increasing the point value.  :-)
0
 
Toni UranjekConsultant/TrainerCommented:
I still don't know if we are talking about domains in single forest or multiple forests?

Adprep /forestprep is run once in entire forest on Schema master with credentials of user account which is member of Schema Admins group.
0
 
MonterioAuthor Commented:
I'm creating an external, down-level trust between domains in two separate forests.  As I stated, one forest is at W2K3 Server R2 SP2 and the other is at W2K3 Server SP1.
0
 
Toni UranjekConsultant/TrainerCommented:
External trust between two domains in two forests supports only NTLM authentication. You could say that you will create NT 4.0 type of trust. Windows 2003 or R2 does not play a role in this scenario.

If you would raise forest functional level to Windows 2003 in both forests you would be able to create forest trust between two forests. Forest trust is partially transitive. All domains from one forest trust all domains second forest.
0
 
MonterioAuthor Commented:
We are at W2K3 functional level, but I do not wish to create forest level trusts.  Too many issues to work out with the ISOs in each country that I cannot verify 100% that everyone is compliant.  So I'm only looking at creating down-level trusts.
0
 
Toni UranjekConsultant/TrainerCommented:
Trust is a trust. From security point of view it does not matter if it is external or forest trust. OK, I take last statement back. I prefer Kerberos authentication to NTLM authentication. I should add that forest trust supports selective authentication: http://technet.microsoft.com/en-us/library/cc758152(WS.10).aspx
0
 
MonterioAuthor Commented:
Sorry, guys...serious AD issues I've had to deal with over the last several days.  To put this question to bed, here's what I have:

GOAL:   I need to setup 6 external trusts from my domain to 6 other forests in 6 other countries.
ISSUE:  3 of the six are at W2K3 functional level with all DCs clocking in at W2K3 R2 SP3.  The other 3 are are at W2K functional level with all DCs clocking in at either W2K and/or W2K3 or (both in one case) SP1 or SP2, but no R2 in either case.

Can I still set up the external trust?  What are the pitfalls that I'm gonna run into? (I already know that my DFS won't work properly because 3 of 'em don't have R2 installed and R2 has imporvements in DFS like being able to access share via CNAME as opposed to having to use the FQDN)
0
 
MonterioAuthor Commented:
Not the in-depth answer I was hoping for, but I do appreciate the effort put forth in trying address my quesstion.  Thanks, much!
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 7
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now