Trinitas Regional Medical Center
Issues to be considered raising functional level from 2008r2 to 2012
I have a 2008r2 functional domain and I have all 2012 r2 domain controllers. I can't seem to find out what the real ramifications are for raising the functional levels to 2012 from 2008 r2.
I read that NTLM is no longer used. Is that true and what issues does that bring? I am running a 2010/2016 hybrid Exchange converting to 365. Until now I really didn't have anyone to ask these questions to. So can you help?
NTLM is probably still used if you migrated by installing 2012 R2 DCs in the existing domain.
=> The old parameters (for NTLM, for example) stay active until you change them.
If you fully disable NTLM, some old workstations or servers could have some small problems.
You can probably update the functional level without any problem.
Very little software is really incompatible with these levels.
Exchange, in your case, is not a problem. Just verify the other main software that you may be using.
ASKER
I can see that the FRS to DFSR would be helpful..
Could you explain to me what the next really means to me:
The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level.
also
2012r2 upgrade
what issues if any:
- DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:
  - Authenticate with NTLM authentication
  - Use DES or RC4 cipher suites in Kerberos pre-authentication
  - Be delegated with unconstrained or constrained delegation
  - Renew user tickets (TGTs) beyond the initial 4 hour lifetime
- Authentication Policies
  New forest-based Active Directory policies which can be applied to accounts in Windows Server 2012 R2 domains to control which hosts an account can sign-on from and apply access control conditions for authentication to services running as an account.
- Authentication Policy Silos
  New forest-based Active Directory object, which can create a relationship between user, managed service and computer, accounts to be used to classify accounts for authentication policies or for authentication isolation.
I really appreciate all your input in advance
Raising domain and forest functional levels is an easy task and I've never seen or heard of anyone having issues after doing it. I've done it a dozen times. I would have zero concerns about it. Just do it.
New functional levels bring new features and security, that's why you might want to raise the level.
-->Could you explain to me what the next really means to me: The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level.
Here is the link that explains it:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
ASKER
OK.. I am OK with the Kerberos ask..
but can someone tell me what I am most concerned about:
for promotion to 2012r2 forest and domain issue:
Protected Users authenticating to a Windows Server 2012 R2 domain
- Can no longer: Authenticate with NTLM authentication
ASKER
Is there any reason why no one is answering my previous last inquiry?
-->Protected Users authenticating to a Windows Server 2012 R2 domain
Only members of the Protected group, that should be administrators, could be impacted.
In fact, they will still be able to connect to Windows 2012 R2 servers.
No, all users that are on modern workstations will use Kerberos and will connect.
-->does this affect my exchange webmail or users.. what issues can I really expect to see?
-->Can no longer: Authenticate with NTLM authentication
Exchange Webmail access and authentication should work as usual, but it depends on the other software/hardware used (reverse proxy, etc.).
Potentially, some (old) applications/servers could be impacted indirectly. Each server/application may or may not accept different authentication methods.
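An added example (not part of any reply in this thread): before placing administrator accounts in Protected Users, a defender can check which of them still authenticate over NTLM by tallying successful NTLM credential validations (event 4776) recorded on the domain controllers. The function name, account names and sample records are constructed for illustration; the commented lines show one way to gather live data.

```powershell
# Added example, not from the thread. Event 4776 is written on a DC each time it
# validates NTLM credentials (assumes "Audit Credential Validation" is enabled).
function Find-NtlmDependency {
    param(
        [Parameter(Mandatory)][string[]]$Account,     # accounts planned for Protected Users
        [Parameter(Mandatory)][object[]]$Validation   # records: User, Workstation, Status
    )
    $Validation |
        Where-Object { $Account -contains $_.User -and $_.Status -eq '0x0' } |
        Group-Object User, Workstation |
        ForEach-Object {
            [pscustomobject]@{
                User        = $_.Group[0].User
                Workstation = $_.Group[0].Workstation
                Count       = $_.Count
            }
        }
}

# Constructed sample records (hypothetical account and host names).
$candidates = 'adm-jdoe', 'adm-asmith'
$sample = @(
    [pscustomobject]@{ User = 'adm-jdoe';   Workstation = 'OLDAPP01'; Status = '0x0' }
    [pscustomobject]@{ User = 'adm-jdoe';   Workstation = 'OLDAPP01'; Status = '0x0' }
    [pscustomobject]@{ User = 'adm-asmith'; Workstation = 'PAW02';    Status = '0xC000006A' }
    [pscustomobject]@{ User = 'jsmith';     Workstation = 'WS17';     Status = '0x0' }
)
Find-NtlmDependency -Account $candidates -Validation $sample

# Live data (run elevated on each DC; needs the ActiveDirectory module):
# $candidates = (Get-ADGroupMember 'Domain Admins').SamAccountName
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } -MaxEvents 5000 |
#     ForEach-Object {
#         $d = @{}
#         foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#         [pscustomobject]@{ User = $d.TargetUserName; Workstation = $d.Workstation; Status = $d.Status }
#     }
# Find-NtlmDependency -Account $candidates -Validation $live
```

Any account and workstation pair the function returns is an NTLM dependency to resolve before that account goes into Protected Users.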
ASKER
Thank you for all the answers .. I just ran across this and I didn't want to bite myself...
In previous replies.. I was advised to:
Before raising, I recommend migrating FRS to DFSR
https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405
I have started this process.. BUT.. no issues so far..
PS C:\Windows\system32> Dfsrmig /setglobalstate 1
Current DFSR global state: 'Start'
New DFSR global state: 'Prepared'
All domain controllers have migrated successfully to the Global state ('Prepared').
Migration has reached a consistent state on all domain controllers.
Succeeded.
PS C:\Windows\system32> Dfsrmig /setglobalstate 2
Current DFSR global state: 'Prepared'
New DFSR global state: 'Redirected'
Migration will proceed to 'Redirected' state. The SYSVOL share
will be changed to SYSVOL_DFSR folder,
which is replicated using DFSR.
Succeeded.
PS C:\Windows\system32> Dfsrmig /getmigrationstate
All domain controllers have migrated successfully to the Global state ('Redirected').
Migration has reached a consistent state on all domain controllers.
Succeeded.
PS C:\Windows\system32> Get-WmiObject -Namespace "root\MicrosoftDFS" -Class DfsrReplicatedFolderInfo | Select-Object ReplicatedFolderName, ReplicationGroupName, State
ReplicatedFolderName ReplicationGroupName State
-------------------- -------------------- -----
SYSVOL Share         Domain System Volume     4
So everything is good .. all I have to do now is Dfsrmig /setglobalstate 3 and wait for it to finish .. hopefully without error..
My query is: I forgot we use DFS Management to share folders out .. approx 15 namespaces.. By completing this migration... Should I expect any issues, or before I run step setglobalstate 3 .. is there something I should do first?
Thanks for all help in advance!
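An added example (not part of the asker's post): the WMI check shown above, applied to every domain controller, flagging any DC whose "SYSVOL Share" replicated folder is missing or not in state 4 (Normal) before moving to the Eliminated state, which cannot be rolled back. The function name, DC names and sample records are constructed; the commented lines show one way to collect live data.

```powershell
# Added example, not from the thread. DfsrReplicatedFolderInfo.State values:
$DfsrState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

function Get-SysvolBlocker {
    param(
        [Parameter(Mandatory)][string[]]$DC,   # every DC in the domain
        [object[]]$Record                      # records: DC, ReplicatedFolderName, State
    )
    foreach ($d in $DC) {
        # A DC can host other DFSR folders too; only the SYSVOL one matters here.
        $sysvol = $Record |
            Where-Object { $_.DC -eq $d -and $_.ReplicatedFolderName -eq 'SYSVOL Share' } |
            Select-Object -First 1
        if (-not $sysvol) {
            [pscustomobject]@{ DC = $d; State = $null; Meaning = 'No SYSVOL Share record' }
        } elseif ($sysvol.State -ne 4) {
            [pscustomobject]@{ DC = $d; State = $sysvol.State
                               Meaning = $DfsrState[[int]$sysvol.State] }
        }
    }
}

# Constructed sample (hypothetical DC names): DC02 is still syncing and
# DC03 returned no DFSR data at all.
$dcs = 'DC01', 'DC02', 'DC03'
$sample = @(
    [pscustomobject]@{ DC = 'DC01'; ReplicatedFolderName = 'SYSVOL Share'; State = 4 }
    [pscustomobject]@{ DC = 'DC01'; ReplicatedFolderName = 'Public';       State = 4 }
    [pscustomobject]@{ DC = 'DC02'; ReplicatedFolderName = 'SYSVOL Share'; State = 2 }
)
Get-SysvolBlocker -DC $dcs -Record $sample

# Live data (needs the ActiveDirectory module and WMI access to each DC):
# $dcs  = (Get-ADDomainController -Filter *).HostName
# $live = foreach ($d in $dcs) {
#     Get-WmiObject -ComputerName $d -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo |
#         Select-Object @{ n = 'DC'; e = { $d } }, ReplicatedFolderName, State
# }
# Get-SysvolBlocker -DC $dcs -Record $live
```

An empty result means every listed DC reports SYSVOL in the Normal state.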
ASKER
So I ran the Dfsrmig /setglobalstate 3 and
PS C:\Windows\system32> Dfsrmig /getmigrationstate
All domain controllers have migrated successfully to the Global state ('Eliminated').
Migration has reached a consistent state on all domain controllers.
Succeeded.
The sysvol folder on the C: drive is now gone and C:\Windows\SYSVOL_DFSR is there in its place on all controllers..
Also the current share is still sysvol... I am guessing that doesn't change...
At this point I am guessing that I am good to go.. on to other things... and I want to say thanks
Before raising, I recommend migrating FRS to DFSR
https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405
Please read this as well.
https://docs.microsoft.com/en-us/archive/blogs/askds/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level
-->I read that ntlm is no longer used. Is that true and what issues does that bring.
No. This is not true.