Solved

Creating an AD trust between a domain with W2K3 Srvr R2/SP2 and one that is only at SP2

Posted on 2009-05-15
12
386 Views
Last Modified: 2012-05-07
I am wondering if there are any issues with creating a trust between two domain, one where its DCs are sitting at W2K3 R2/SP2 and the other domain's DCs are sitting at only W2K3 SP2?

1) I need to know if there will be any incompatibility problems
2) Replication (in general) / Replication speed issues?
3) How does this difference in the OS levels affect AD communication, if at all?

Need some documentation that supports your answers.  Thanks, much!
0
Comment
Question by:Monterio
  • 7
  • 5
12 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24401798
Hi!

If both domains are part of the same forest, R2 schema changes were replicated to all domain controllers controllers, regardless of their version. R2 intoduces many new features but as far as I know AD replication has not changed. New AD related features are ADAM and ADFS:

"What's New in Windows Server 2003 R2"
http://technet.microsoft.com/en-us/library/cc773240.aspx

If domains are not part of the same forest there will be no replication between them.

HTH

Toni
0
 
LVL 1

Author Comment

by:Monterio
ID: 24412182
Thanks much!  I thought as much, but couldn't find much info to validate it.  What's your source, for future reference.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413020
When you run adprep /forestprep to add the Windows Server 2003 R2 schema updates, you do not have to upgrade your existing domain controllers to Windows Server 2003 R2; they can continue to run Windows NT® Server 4.0, Windows® 2000 Server, or Windows Server 2003.

from article "Active Directory Schema Update"
http://technet.microsoft.com/en-us/library/cc755834(WS.10).aspx

A forest is an instance of Active Directory comes from MOC 2279. AD database contains more partitions, Schema and Configuration partition are replicated between all DCs in entire forest. Check the following article "The Importance of Active Directory Replication"
http://www.tech-faq.com/active-directory-replication.shtml
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413238
I wasn't planning on running having the other teams run adprep/forestprep that are not at R2.  I was merely going to have them run the second CD and call it a day.  In the past I hadn't had to run adprep when I upgrade the DCs on our side (corporate network), I just ran the second CD and all went well.

Are you saying that the other teams that are not at R2 will have to run adprep as well?  Seems odd.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24413513
I thought this was worth increasing the point value.  :-)
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24413585
I still don't know if we are talking about domains in single forest or multiple forests?

Adprep /forestprep is run once in entire forest on Schema master with credentials of user account which is member of Schema Admins group.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:Monterio
ID: 24413750
I'm creating an external, down-level trust between domains in two separate forests.  As I stated, one forest is at W2K3 Server R2 SP2 and the other is at W2K3 Server SP1.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 24414039
External trust between two domains in two forests supports only NTLM authentication. You could say that you will create NT 4.0 type of trust. Windows 2003 or R2 does not play a role in this scenario.

If you would raise forest functional level to Windows 2003 in both forests you would be able to create forest trust between two forests. Forest trust is partially transitive. All domains from one forest trust all domains second forest.
0
 
LVL 1

Author Comment

by:Monterio
ID: 24414167
We are at W2K3 functional level, but I do not wish to create forest level trusts.  Too many issues to work out with the ISOs in each country that I cannot verify 100% that everyone is compliant.  So I'm only looking at creating down-level trusts.
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 100 total points
ID: 24414418
Trust is a trust. From security point of view it does not matter if it is external or forest trust. OK, I take last statement back. I prefer Kerberos authentication to NTLM authentication. I should add that forest trust supports selective authentication: http://technet.microsoft.com/en-us/library/cc758152(WS.10).aspx
0
 
LVL 1

Author Comment

by:Monterio
ID: 24506464
Sorry, guys...serious AD issues I've had to deal with over the last several days.  To put this question to bed, here's what I have:

GOAL:   I need to setup 6 external trusts from my domain to 6 other forests in 6 other countries.
ISSUE:  3 of the six are at W2K3 functional level with all DCs clocking in at W2K3 R2 SP3.  The other 3 are are at W2K functional level with all DCs clocking in at either W2K and/or W2K3 or (both in one case) SP1 or SP2, but no R2 in either case.

Can I still set up the external trust?  What are the pitfalls that I'm gonna run into? (I already know that my DFS won't work properly because 3 of 'em don't have R2 installed and R2 has imporvements in DFS like being able to access share via CNAME as opposed to having to use the FQDN)
0
 
LVL 1

Author Closing Comment

by:Monterio
ID: 31582073
Not the in-depth answer I was hoping for, but I do appreciate the effort put forth in trying address my quesstion.  Thanks, much!
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now