Determining if a domain has been upgraded

    Question

  • Hi there,

    I've been looking at a client's setup where the Domain is Windows 2003 and running in native mode. All domain controllers are Windows Server 2012R2.

    Authenticated users is missing from the Pre-Windows 2000 Compatibility Group and Enterprise domain controllers is missing from the Windows Authentication Access Group.

    Is there any way of finding out if the domain was upgraded from 2000 to 2003 or was a new set up?

    Additionally, is it safe to add back the Enterprise Domain Controllers to the WAA Group? I've seen authenticated users being removed from the Pre Win 2000 Compatibility group but never seen Enterprise Domain Controllers missing from the WAA Group.

    Thanks,

    HA


    • Edited by ha20 Tuesday, December 13, 2016 11:25 AM typo
    Tuesday, December 13, 2016 11:20 AM

Answers

  • You probably can tell from the DomainUpdates container in the System container of your domain in ADUC. See this article:

    https://msdn.microsoft.com/en-us/library/cc223705.aspx

    The Windows2003Updates container will have a whenCreated attribute (in "Attribute editor" of ADUC) that will indicate when the domain was upgraded.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by Wendy Jiang (Moderator) Monday, December 19, 2016 8:13 AM
    • Marked as answer by ha20 Monday, December 19, 2016 8:24 PM
    Tuesday, December 13, 2016 2:24 PM
  • I see no reason why Authenticated Users should not be in the Pre-Windows 2000 Compatibility Group, or why the Enterprise Domain Controllers group should not be in the Windows Authentication Access Group. They are members by default at least in Windows Server 2003, and also in Windows Server 2008 R2.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by ha20 Wednesday, March 29, 2017 1:49 PM
    Monday, December 19, 2016 9:32 PM
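
The two checks from the answers above, as a read-only PowerShell audit. This is an added example, not code posted by anyone in the thread. It assumes the RSAT ActiveDirectory module and matches the groups and members by their well-known SIDs; listing the domain object's own whenCreated for comparison is an addition of this example.

```powershell
# Added example: read-only audit; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. List the children of CN=DomainUpdates,CN=System with their timestamps.
#    whenCreated on the update containers is the value the answer refers to.
Get-ADObject -SearchBase "CN=DomainUpdates,CN=System,$domainDN" `
             -SearchScope OneLevel -Filter * `
             -Properties whenCreated, whenChanged, revision |
    Sort-Object whenCreated |
    Select-Object Name, revision, whenCreated, whenChanged

# For comparison (assumption of this example): creation time of the domain itself.
Get-ADObject -Identity $domainDN -Properties whenCreated |
    Select-Object DistinguishedName, whenCreated

# 2. Default memberships discussed in the thread, matched by well-known SID.
$expected = @(
    # Pre-Windows 2000 Compatible Access <- Authenticated Users
    @{ Group = 'S-1-5-32-554'; Member = 'S-1-5-11' }
    # Windows Authorization Access Group <- Enterprise Domain Controllers
    @{ Group = 'S-1-5-32-560'; Member = 'S-1-5-9' }
)

foreach ($e in $expected) {
    $group = Get-ADGroup -Identity $e.Group -Properties member
    # Well-known principals are stored as foreignSecurityPrincipal objects
    # whose CN is the SID, so compare against the start of each member DN.
    $present = [bool]($group.member | Where-Object { $_ -like "CN=$($e.Member),*" })
    [pscustomobject]@{
        Group          = $group.Name
        ExpectedMember = $e.Member
        Present        = $present
    }
}
```

Nothing here changes the directory; a `Present = False` row only reports that the default member is absent.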

All replies

  • Hi,
    Please launch ADSIEdit.msc, connect to the Configuration container and find CN=WellKnown Security Principals; you will find that the Enterprise Domain Controllers group is listed there.
    Best regards,
    Wendy


    Wednesday, December 14, 2016 3:15 AM
    Moderator
  • Hi Richard,

    Thanks very much. Can I presume it's ok to add Enterprise Domain Controllers back to the WAA Group?

    Regards,

    HA

    Monday, December 19, 2016 8:25 PM
  • Hi Wendy,

    Thanks. I can see the group, but my question is: is it OK to add it back into the WAA Group? I'm not sure why someone would have removed it in the first place.

    Thanks,

    HA

    Monday, December 19, 2016 8:26 PM