For those of you contemplating a W2K8 or R2 upgrade from W2K3, here’s another tidbit to check. If you add a W2K8 or R2 DC to an existing W2K3 domain, (very) old clients that can only use LAN Manager (LM) authentication instead of Kerberos will break. This is because W2K8 and W2K8 R2 have changed policy to never store the easily-hackable LM hash in the local SAM database or in AD, which the old clients require.
If you do still have old computers in the domain that require this, first, you have my sympathy :). Second, you need to look at KB946405 for how to re-enable it.