Trust relationship behaviour after migration

    Question

  • Hello,

    As part of the migration from AD 2003 R2 to AD 2012 R2, I have added 3 new 2012 R2 DCs to my AD 2003 R2 domain, which has 3 2003 R2 DCs. In the end the 2003 R2 DCs will be removed and replaced by the 3 2012 R2 DCs. All DCs hold the global catalog.

    I will transfer the FSMO roles from a 2003 R2 master DC to a 2012 R2 DC, the future master DC.

    Replication between the DCs works correctly.

    DNS as well.

    There is a trust relationship between my domain and another domain. The commands C:\nslookup nomdemondomaine and C:\nslookup nomdelautredomaine, and nltest /dclist:nomdemondomaine and nltest /dclist:nomdelautredomaine, ran successfully.

    Are there any particular steps to take so that this trust relationship keeps working after the migration?

    Does anyone have experience to share on this kind of issue?

    Thank you for your help.

    Regards,

    Serge

    Wednesday 21 March 2018 09:46

Answers

  • Hello,

    There is no impact on the trust relationships if you replace the domain controllers. Each trust relationship is represented in the directory database by a TDO object, so it is independent of any particular domain controller.

    When a cross-domain or cross-forest authentication takes place, DNS is used to find an available DC in each domain to perform the authentication.

    You just need to make sure that the new DCs have the same network flows opened as the old DCs.


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Marked as answer by Serge MFR, Tuesday 3 April 2018 09:29
    Wednesday 21 March 2018 15:47
    Moderator
  • One small caveat: there is an impact if the relationship derives from an NT4-type trust, in which case it will not work. For all the others it works.

    There are also potential impacts of such a jump where legacy systems are involved; see the impact matrix below:

    ACTIVE DIRECTORY UPGRADE IMPACTS

    | Issue | Min. DC |
    |---|---|
    | Communication with NT 4.0 workstations, member servers and domains is no longer possible. | 2008 R2 |
    | No more trusts can be made with NT 4.0 domains. | 2008 R2 |
    | Windows 2000 clients will not communicate with domain controllers. | 2008 R2 |
    | Samba clients, Network Storage Area, Storage Area Network and applications relying on old authentication mechanisms (equivalent to NT 4.0) will no longer be able to communicate by default. | 2008 R2 |
    | DES encryption is disabled by default: services using this functionality will no longer be able to get tickets from the KDC service. This feature can be re-enabled by GPO as a legacy algorithm, but will be permanently removed in a future OS version release. | 2008 R2 |
    | The KDC service uses new algorithms: AES128, AES256 and RC4. Services using DES should be reconfigured to use one of those new algorithms. | 2008 R2 |
    | A new protection mechanism, Channel Binding Token (CBT), arises. This mechanism could block connections against non-Windows servers (Kerberos and NTLM). This mechanism can be downgraded to allow compliance with such systems. Upgrading the non-Windows client authentication mechanism to be compliant with default CBT settings is the preferred solution. | 2008 R2 |
    | LAN Manager (LM) is disabled by default. | 2008 R2 |
    | The LDAP service now fulfills the RFC 2696 requirement and answers LDAP requests differently. If a client is not compatible with RFC 2696, this behavior could be leveraged by activating the policy setting "disable strict restart blob check". | 2008 R2 |
    | SMB signing is enabled by default. If a client is not compatible with it, this setting can be deactivated by Group Policy. | 2008 R2 |
    | Once the forest or domain functional level is set to 2008 R2 or above, it will no longer be possible to add a new domain controller with an operating system lower than 2008 R2. | 2008 R2 |
    | Applications using .NET 3.5 with SP1 or a lower version can face issues when using the enumeration function "DomainMode" (see http://support.microsoft.com/kb/2260240). | 2008 R2 |
    | Outlook 2003 has to be patched to be compliant with Active Directory 2008 or greater (kb968614). | 2008 R2 |
    | Office Communications Server has to be patched to be compliant with Active Directory 2008 or greater (kb958980). | 2008 R2 |
    | Secure Channel Signing can generate error messages about an issue with secure channel establishment. This can be dealt with by disabling the Secure Channel Signing parameter named "Domain member: Digitally encrypt or sign secure channel data (always)". | 2008 R2 |
    | Some LDAP requests may fail when the response contains more than one page. This issue can be addressed by adding a new registry key on each domain controller to set the DS Heuristics to 1. | 2008 R2 |
    | The SIDs S-1-18-1 and S-1-18-2 cannot be mapped on computers running Windows 7 or Windows Server 2008 R2 and joined to an Active Directory domain (kb2830145). | 2012 |
    | When setting up a new DC, the Next button may be missing during the Options phase. This occurs when no site subnet plan can be identified against the DC IP address or an existing site. This also occurs when the DSRM password is not fetching the password policy or is not confirmed (kb2737807). | 2012 |
    | When installing Active Directory on a server, the process gets stuck at the step "Creating NTDS Settings". This happens when the local administrator password is the same as the domain administrator's, or when a network issue is blocking the replication process (kb2737935). | 2012 |
    | When installing Active Directory Domain Services (AD DS) using the Server Manager console, the message "the server is not operational" appears. This occurs when the target server is in a workgroup, as NTLM authentication is disabled (kb2738697). | 2012 |
    | Adprep /domainprep /gpprep is not automatically run as part of installing the first DC that runs Windows Server 2012 in a domain. If it has never been run previously in the domain, it must be run manually (kb2737129). | 2012 |
    | Warnings can appear during prerequisite validation and then reappear during the installation (kb2737416). | 2012 |
    | "Format of the specified domain name is invalid" appears if you are removing the last DC in a domain where pre-created RODC accounts still exist. This affects Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 (kb2737424). | 2012 |
    | The domain controller does not start, a c00002e2 error occurs, or "Choose an option" is displayed because an administrator used Dism.exe, Pkgmgr.exe, or Ocsetup.exe to remove the DirectoryServices-DomainController role. | 2012 |
    | IFM verification can have limitations. See https://support.microsoft.com/kb/2737516 | 2012 |
    | The Install-AddsDomainController cmdlet returns a parameter set error for an RODC when you try to attach a server to an RODC account if you specify arguments that are already populated on the pre-created RODC account (2737535). | 2012 |
    | "Unable to perform Exchange schema conflict check" error, and the prerequisites check fails, when you configure the first Windows Server 2012 DC in an existing domain because DCs are missing the SeServiceLogonRight for Network Service or because WMI or DCOM protocols are blocked (kb2737560). | 2012 |
    | The AddsDeployment module with the -Whatif argument shows incorrect DNS results and shows that the DNS server will not be installed, but it will be (kb2737797). | 2012 |
    | You receive the error "Access is denied" when you create a child domain remotely by using Install-AddsDomain if the DNSDelegationCredential has a bad password (kb2738060). | 2012 |
    | You receive access denied errors after you log on to a local administrator domain account. When you log on using a local Administrator account rather than the built-in Administrator account and then create a new domain, the account is not added to the Domain Admins group (kb2738746). | 2012 |
    | "The system cannot find the file specified" Adprep /gpprep error, or the tool crashes, because the infrastructure master implements a disjoint namespace (kb2743345). | 2012 |
    | Windows Server 2012 Adprep cannot be run on Windows Server 2003. Adprep will display a "not a valid Win32 application" error on Windows Server 2003, 64-bit version (kb2743367). | 2012 |
    | ADMT 3.2 cannot be installed on Windows Server 2012 by design (kb2753560). | 2012 |
    | The DFS Replication diagnostic report does not display correctly because of changes in Internet Explorer 10 (kb2750857). | 2012 |
    | Remote Group Policy updates are visible to users because scheduled tasks run in the context of each user who is logged on. The Windows Task Scheduler design requires an interactive prompt in this scenario (kb2741537). | 2012 |
    | ADM files are not present in SYSVOL in the GPMC Infrastructure Status option, and GP replication can report "replication in progress" because GPMC Infrastructure Status does not follow customized filtering rules (kb2741591). | 2012 |
    | "The service cannot be started" error during AD DS configuration (installing or removing AD DS, or cloning) because the DS Role Server service is disabled (kb2737880). | 2012 |
    | Two DHCP leases are created for each domain controller when you use the VDC cloning feature. This happens because the cloned domain controller received a lease before cloning and again when cloning was complete (kb2742836). | 2012 |
    | Domain controller cloning fails and the server restarts in DSRM in Windows Server 2012 (kb2742844). | 2012 |
    | Domain controller cloning does not re-create all service principal names. Some three-part SPNs are not re-created on the cloned DC because of a limitation of the domain rename process (kb2742874). | 2012 |
    | "No logon servers are available" error after cloning a domain controller: log on as .\administrator to troubleshoot the cloning failure (kb2742908). | 2012 |
    | Domain controller cloning fails with error 8610 in dcpromo.log. Cloning fails because the PDC emulator has not performed inbound replication of the domain partition, likely because the role was transferred (kb2742916). | 2012 |
    | You receive the error "Index was out of range" after you run the New-ADDCCloneConfigFile cmdlet while cloning virtual DCs, either because the cmdlet was not run from an elevated command prompt or because your access token does not contain the Administrators group (kb2742927). | 2012 |
    | Domain controller cloning fails with error 8437: "invalid parameter was specified for this replication operation" because an invalid clone name or a duplicate NetBIOS name was specified. | 2012 |
    | DC cloning fails with no DSRM, duplicate source and clone computer. The cloned virtual DC boots in Directory Services Repair Mode (DSRM), using a duplicate name as the source DC, because the DCCloneConfig.xml file was not created in the correct location or because the source DC was rebooted before cloning (kb2742970). | 2012 |
    | Domain controller cloning error 0x80041005. The cloned DC boots into DSRM because only one WINS server was specified. If any WINS server is specified, both Preferred and Alternate WINS servers must be specified (kb2743278). | 2012 |
    | You receive the error "Server is not operational" after you run the New-ADDCCloneConfigFile cmdlet because the server cannot contact a global catalog server (kb2745013). | 2012 |
    | Domain controller cloning event 2224 provides incorrect guidance. Event ID 2224 incorrectly states that managed service accounts must be removed before cloning. Standalone MSAs must be removed, but Group MSAs do not block cloning (kb2747974). | 2012 |
    | You cannot unlock a BitLocker-encrypted drive after you upgrade to Windows 8, and you receive an "Application not found" error when you try to unlock a drive on a computer that was upgraded from Windows 7 (kb2748266). | 2012 |

    • Marked as answer by Serge MFR, Tuesday 3 April 2018 09:29
    Wednesday 21 March 2018 22:13
  • The most important thing for the trust is to guarantee name resolution between the domains.

    Don't forget to update the forwarders. If they are not up to date, the impact will only become visible once the old DCs are offline or have been demoted.


    • Marked as answer by Serge MFR, Tuesday 3 April 2018 09:29
    Thursday 22 March 2018 05:31
    Moderator
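The three answers above each name one thing to verify on the new DCs: the trust itself (and whether it is an NT4-style trust), name resolution of the trusted domain including the forwarders that provide it, and the network flows that must be open towards the other domain's DCs. The script below is an added example that is not part of this thread; it bundles those checks into one read-only pass to run on one of the new 2012 R2 DCs after the FSMO transfer. It assumes the ActiveDirectory and DnsServer RSAT modules are installed; $TrustedDomain and the port list are placeholders to adapt to your environment.

```powershell
# Added example, not from the thread: trust health check to run on one of the new
# 2012 R2 DCs after the FSMO transfer. Requires the ActiveDirectory and DnsServer
# RSAT modules. $TrustedDomain and the port list are assumptions to adapt.
param(
    [string]$TrustedDomain = 'otherdomain.example',           # placeholder name
    [int[]]$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268)  # typical DC-to-DC flows
)
Import-Module ActiveDirectory
Import-Module DnsServer

# 1. Trust inventory: a TrustType of 'Downlevel' is an NT4-style trust, the one
#    case the second answer says will not survive the move to 2012 R2 DCs.
$trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive
$trusts | Format-Table -AutoSize
foreach ($t in ($trusts | Where-Object { $_.TrustType -eq 'Downlevel' })) {
    Write-Warning "Trust to $($t.Name) is NT4-style (Downlevel): expect it to break."
}

# 2. Name resolution from this DC: the DC locator SRV records of the trusted
#    domain must resolve here, which is the third answer's main point.
$srv = "_ldap._tcp.dc._msdcs.$TrustedDomain"
$dcs = @()
try {
    $dcs = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' })
    $dcs | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize
} catch {
    Write-Warning "Cannot resolve $srv from this DC: $($_.Exception.Message)"
}

# 3. Where that answer comes from: global forwarders and conditional forwarder
#    zones on this DNS server. Entries still pointing at the old DCs only bite
#    once those DCs are offline or demoted.
$fwd = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
Write-Host "Global forwarders: $($fwd -join ', ')"
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } | ForEach-Object {
    Write-Host "Conditional forwarder $($_.ZoneName) -> $($_.MasterServers -join ', ')"
}

# 4. Network flows from this new DC to every DC of the trusted domain, so the
#    new DCs end up with the same openings as the old ones (first answer).
foreach ($dc in $dcs) {
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $dc.NameTarget -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-40} {1,5} {2}' -f $dc.NameTarget, $p, $state
    }
}

# 5. Finally, the trust's secure channel as nltest sees it from this DC.
nltest /dsgetdc:$TrustedDomain /force
nltest /sc_verify:$TrustedDomain
```

Run it once while the 2003 R2 DCs are still online and again after they are demoted: a forwarder or conditional forwarder that still lists a retired DC, or a port that is open from the old DCs but blocked from the new ones, shows up as a difference between the two runs rather than as a surprise once the last old DC is gone.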
