I want to devote a few posts to known issues encountered on the upgrade path from a Windows 2003 Active Directory to Windows 2008 R2. Even though Windows 2008 has been out for a few years, and now we have R2, most people are still running their AD on Windows 2003. I’m sure many folks are looking at W2K8 R2, though, and are ready to move forward once they have a little cash.
One of my IT pro maxims is “Never be first through the minefield.” Though I don’t believe the adage “Never deploy a new Microsoft OS until its first service pack comes out” applies any more, it’s good to wait long enough that the bleeding-edge adopters have developed a “known issues” list.
Do you still have any NT 4.0 computers in your domain? Surprisingly, many manufacturing companies do, because the embedded operating systems in their manufacturing equipment are running NT 4 and can’t be upgraded. KB article 942564 details a problem where NT 4 computers can’t log on to a Windows 2008 / R2 domain because of a change to the default behavior of the “Allow cryptography algorithms compatible with Windows NT 4.0” policy in the Default Domain Controllers (DDC) GPO. Note that you can’t change the GPO as recommended in the KB article until AFTER you’ve upgraded your first DC to W2K8 R2.
Speaking of NT 4, if you have clients in your forest that don’t support SMB signing, KB 731654 applies to you. What, you say you don’t KNOW if you have clients in that state? Look at it as an opportunity to talk to your customer base! These changes to the DDC GPO affect NT 4 systems, but you should also check other products in your environment, like NAS filers running older, non-Windows operating systems. You also have to update this setting after you’ve upgraded the first DC in each domain to R2.
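As an added example that is not part of the original post, here is one way to answer the “do you know which clients are affected?” question before touching the DDC GPO: a read-only PowerShell report that lists possible NT 4 computer accounts and shows what each DC currently has for the two settings. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and that the policies are backed by the AllowNT4Crypto (Netlogon) and RequireSecuritySignature (LanmanServer) registry values.

```powershell
# Added example, not from the original post or the KB articles.
# Assumes: RSAT ActiveDirectory module, PS remoting to every DC, PowerShell 2.0+.
Import-Module ActiveDirectory

# 1. Inventory computer accounts that may be NT 4. NT 4-era accounts often leave
#    the operatingSystem attribute empty, so blanks are reported for follow-up
#    rather than silently treated as "fine".
$nt4Like = Get-ADComputer -Filter * -Properties OperatingSystem |
    Where-Object { (-not $_.OperatingSystem) -or ($_.OperatingSystem -like 'Windows NT*') } |
    Select-Object Name, OperatingSystem

# 2. Read the values behind the two DDC GPO settings on each DC (no changes made).
#    AllowNT4Crypto           -> "Allow cryptography algorithms compatible with Windows NT 4.0"
#    RequireSecuritySignature -> server-side "Digitally sign communications (always)"
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$dcState = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-Object PSObject -Property @{
        DC                = $env:COMPUTERNAME
        OSVersion         = (Get-WmiObject Win32_OperatingSystem).Version   # 6.1.* = 2008 R2
        AllowNT4Crypto    = (Get-ItemProperty $nl  -Name AllowNT4Crypto -ErrorAction SilentlyContinue).AllowNT4Crypto
        RequireSMBSigning = (Get-ItemProperty $srv -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    }
}

$dcState | Format-Table DC, OSVersion, AllowNT4Crypto, RequireSMBSigning -AutoSize
$nt4Like | Format-Table -AutoSize

# 3. Flag the combination the KB warns about: NT 4-era accounts still present while
#    a 2008 R2 DC has AllowNT4Crypto unset or 0 (the new default behavior).
$r2NoNt4 = $dcState | Where-Object { $_.OSVersion -like '6.1*' -and $_.AllowNT4Crypto -ne 1 }
if ($nt4Like -and $r2NoNt4) {
    Write-Warning ("{0} possible NT 4 account(s) and {1} R2 DC(s) not allowing NT 4 crypto; review KB 942564 before continuing the upgrade." -f @($nt4Like).Count, @($r2NoNt4).Count)
}
```

Run it once before the first DC upgrade to capture a baseline, then again after, since the post notes the GPO change cannot be applied until an R2 DC exists.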
I’d like to thank my friend Derek Weigel for providing a number of these tips, encountered in his own upgrade research.