The month of October brought an exponential increase of Windows 2008 knowledge to our group. We began the month with a Chalk Talk presentation on Windows 2008 which fortunately was framed in the context of R2. The presentation contained a wealth of information, and I can only selectively recap some main points here.
We received some useful operational tips, one of which was to leave the Server Manager, which automatically launches, open. This gives access to nearly all major administrative features without having to individually click past the UAC for each. Also, the Server Manager is now the new location for the control to disable IE Enhanced Security if needed.
We spent a lot of time considering Read-only Domain Controllers, and their possible application at Wharton San Francisco. I received an answer to a question I had about delegating "light admin functions" to a site admin. I learned that this role actually has full admin rights on the RODC box, but no access to Active Directory (slide 39). We discussed a possible pitfall of RODCs, which would be that if the WAN was down, users would be unable to log in to workstations.
One of the benefits of Windows 2008 domains is the migration of SYSVOL replication to DFSR, which is faster, more efficient, and more secure. However, the migration is not automatic and requires a complex process which was covered in depth by the presentation (slide 74). These will be necessary steps to undertake during the domain upgrade.
We looked at Group Policy Preferences (slide 63) which had some possible benefits for the Labs group, and which we hope to introduce to the distributed reps. The concept is that the extensions allow admins to create settings for applications which are not normally policy-aware. We were advised to leverage the "update" option which would check to see whether the setting was active, and set it if not.
One of the heavily-touted features of R2 that appeals to us is the AD Recycle Bin (p. 91). We learned about some of the eccentricities of this feature. As it exists currently, it relies solely on PowerShell both to enable it and to perform recoveries. As such, it bears no resemblance to the graphical Windows Recycle Bin that we're all familiar with. Top-level objects need to be restored first, after which sub-objects may be individually restored (p. 94). There is a command to purge deleted items permanently (p. 95). Even with its limitations, it is still superior to a restore from tape of an OU, which presents many headaches!
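As an added illustration of the restore order described above (this is example code, not something from the presentation or the original post), the following PowerShell restores a deleted OU first and then walks its former members, recursing into any nested containers; it assumes a 2008 R2 forest functional level with the ActiveDirectory module, that the OU was deleted after the feature was enabled, and the forest name, domain DN and OU name are placeholders.

```powershell
# Added example, not code from the original post: restore a deleted OU and the
# objects that used to live in it, in the order the AD Recycle Bin requires
# (container first, then each sub-object individually). Assumes a 2008 R2 forest
# functional level, the ActiveDirectory module, and that the OU was deleted after
# the feature was enabled. Forest name, domain DN and OU name are placeholders.
Import-Module ActiveDirectory

$forestDns = 'example.corp'        # placeholder
$domainDn  = 'DC=example,DC=corp'  # placeholder
$ouName    = 'Labs'                # placeholder: name of the OU that was deleted

# One-time and irreversible: enable the feature for the whole forest.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forestDns -Confirm:$false

function Restore-DeletedChildren {
    param([Parameter(Mandatory = $true)][string]$ParentDn)
    # Recycled objects keep lastKnownParent, so the former members of a
    # container can be found even though their DNs were mangled on deletion.
    $children = Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $ParentDn } `
        -IncludeDeletedObjects -Properties lastKnownParent
    foreach ($child in $children) {
        # This would fail if $ParentDn did not exist yet, which is why the
        # top-level object has to be restored before its members.
        Restore-ADObject -Identity $child.ObjectGUID
        # Once live again the object has its original DN; recurse in case it
        # was itself a container (nested OU, etc.).
        $live = Get-ADObject -Identity $child.ObjectGUID
        Restore-DeletedChildren -ParentDn $live.DistinguishedName
    }
}

# Step 1: locate the deleted OU by its last known parent and original name.
$deletedOu = Get-ADObject -Filter { isDeleted -eq $true -and lastKnownParent -eq $domainDn -and objectClass -eq 'organizationalUnit' } `
    -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN' |
    Where-Object { $_.'msDS-LastKnownRDN' -eq $ouName }
if (-not $deletedOu) { throw "No deleted OU named $ouName found under $domainDn" }

# Step 2: restore the container, then everything that was inside it.
Restore-ADObject -Identity $deletedOu.ObjectGUID
Restore-DeletedChildren -ParentDn "OU=$ouName,$domainDn"
```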
Managed Service Accounts (p. 96) are another feature that could solve problems for us. We were referred to the Step-by-Step Guide for more in-depth information. It is another feature that is invoked from the command line. One of the limitations is that the same account cannot be used on multiple computers.
On October 13, we took action and performed the schema upgrade. Before beginning, we confirmed that GROUCHO held both the schema master and infrastructure master roles by running:
netdom query fsmo
We found that the R2 install media includes a 32-bit version of adprep to support existing 32-bit DCs. We began the upgrade with the command:
adprep32.exe /forestprep
We ran the next command, which must be run on the infrastructure master,
adprep32.exe /domainprep /gpprep
and received an error:
Group policy upgrade failed.
[Status/Consequence]
Adprep cannot extend your existing schema
After a call to MS Support, Joe learned that the error resulted from permissions on a Group Policy Object that had been changed, which caused the upgrade to fail. Changing the permissions back allowed us to complete the upgrade successfully.
To prepare for the possibility of RODCs in our environment, we also ran the RODC prep step:
adprep32.exe /rodcprep
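As an added, scriptable version of the pre-adprep check we did with netdom (example code, not from the original post): it reads the FSMO role holders and the schema version through ADSI, so it runs from any domain-joined machine with PowerShell 2.0 rather than needing the ActiveDirectory module, which 2003 DCs do not have. The expected holder name is a placeholder for whichever DC adprep will be run on.

```powershell
# Added example, not code from the original post: confirm that one DC holds both
# the schema master (needed for /forestprep) and the infrastructure master
# (needed for /domainprep) before running adprep, and report the schema version
# so you can see whether /forestprep has already been applied.
# $expectedHolder is a placeholder for the DC you intend to run adprep on.
$expectedHolder = 'GROUCHO'

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext     # CN=Schema,CN=Configuration,...
$domainNc = [string]$rootDse.defaultNamingContext    # DC=...

# fSMORoleOwner is the DN of the holder's NTDS Settings object, e.g.
# CN=NTDS Settings,CN=GROUCHO,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
function Get-RoleHolderName([string]$ntdsSettingsDn) {
    if ($ntdsSettingsDn -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $ntdsSettingsDn
}

$schema      = [ADSI]"LDAP://$schemaNc"
$schemaOwner = Get-RoleHolderName ([string]$schema.fSMORoleOwner)
$infraOwner  = Get-RoleHolderName ([string]([ADSI]"LDAP://CN=Infrastructure,$domainNc").fSMORoleOwner)

# objectVersion on the schema head: 30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2.
# It only rises after /forestprep succeeds, so it doubles as an after-the-fact check.
$schemaVersion = [int][string]$schema.objectVersion

$ready = ($schemaOwner -ieq $expectedHolder) -and ($infraOwner -ieq $expectedHolder)
New-Object PSObject -Property @{
    SchemaMaster         = $schemaOwner
    InfrastructureMaster = $infraOwner
    SchemaVersion        = $schemaVersion
    AdprepHost           = $(if ($ready) { $expectedHolder } else { 'roles are split: run /forestprep on the schema master and /domainprep on the infrastructure master' })
}
```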
The next step was to attempt to add one of the new 2008 domain controllers to our 2003 domain. We had documented the procedure previously and it was going smoothly... until we reached the "Operating System Compatibility" window of the wizard. The message warns that by default Windows NT 4 encryption algorithms are no longer supported which could affect legacy clients and UNIX-like systems that still rely on these algorithms. This is documented in KB 942564.
Rather than introduce the new domain controller into our environment with the possibility of these problems, we instead created a dev domain for testing. There is a GPO setting that could be enabled to change the default behavior to accommodate NT 4-style encryption, but we decided to test our UNIX and Mac clients first without this setting to see if they are affected. The main functions we need to verify are domain joins, authentication to file shares, and LDAP queries from Perl and Sendmail.
In our most recent meeting, we discussed that Joe would take on testing domain-joining UNIX machines, Jamie would test domain join and file-sharing access on Macs running Leopard and Snow Leopard, and Matt would test ColdFusion authentication and Outlook Live PCNS functionality.
Mike spoke about some of the client-side advantages of the upgrade that could be offered to the reps. He began researching offline domain join, which saves a reboot during the naming process of machines and could possibly work around a bug affecting sysprep and domain joins. Other departments who deploy labs could also benefit.
One of the preparation steps will be to re-examine delegated permissions and determine if 2008 has any new offerings for the process. We plan on auditing the permissions of the security group which is applied to the "admin" OUs in order to standardize permissions across OUs. We discussed how it was not possible to "un-delegate" permissions, and that such permissions needed to be individually removed once granted.
Finally, users and administration are curious about why we are upgrading and what the benefits will be. The reasons are evident in the research data we are collecting about the capabilities of Windows 2008, but it will take some extra effort to distill this amount of information into the most essential and compelling points to provide a cogent answer.