Windows 2012 root certification authority in a 2003 Domain/Forest level

Hello,
We are currently on Windows 2003 Domain & Forest Functional Level. Our Root CA is also currently on a Windows 2003 DC.
If we have to set up a new Root/Issuing CA (not exporting the current 2003 CA cert) on Windows 2012 R2 servers, is it then mandatory to first upgrade the Domain & Forest levels to 2012 R2? Can we have a PKI infrastructure with
Enterprise CAs on a Windows 2012 platform but the Domain/Forest levels still on the 2003 level? I understand it would be good to have everything on 2012 R2, but can a mix of 2003 domain level and 2012 CA work?

Hi,
Look at the thread below; it might help:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/fa8cac92-0f71-426c-ac95-e89e90e1c8d1/certificate-authority-and-forestdomain-functional-level?forum=winserversecurity
Basically the answer is yes: you can have a CA on 2012 R2 with the DFL/FFL still on 2003.
Regards,
Calin
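To put that answer on a concrete footing, here is an added PowerShell check (not from the thread) that reports the forest and domain functional levels, the schema version, and every Enterprise CA currently published in the forest, with the signature algorithm and expiry of each CA certificate. It assumes the RSAT ActiveDirectory module is installed and the account can read the Configuration partition.

```powershell
# Added example (not from the thread). Reports the forest/domain functional levels,
# the schema version and every Enterprise CA published in the forest, so a new
# 2012 R2 CA can be planned against what is actually there.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$forest  = Get-ADForest
$domain  = Get-ADDomain

# Functional levels plus the schema version (objectVersion on the schema head).
$schemaVersion = (Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion).objectVersion
[pscustomobject]@{
    Forest                = $forest.Name
    ForestFunctionalLevel = $forest.ForestMode
    DomainFunctionalLevel = $domain.DomainMode
    SchemaObjectVersion   = $schemaVersion
} | Format-List

function ConvertFrom-DerCertificate {
    # cACertificate is stored as a DER blob; the leading comma keeps PowerShell
    # from unrolling the byte array into separate constructor arguments.
    param([byte[]]$Der)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Der)
}

# Enterprise CAs register a pKIEnrollmentService object under Enrollment Services;
# a standalone CA does not appear here.
$enrollmentServices = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

Get-ADObject -SearchBase $enrollmentServices `
             -Filter 'objectClass -eq "pKIEnrollmentService"' `
             -Properties dNSHostName, cACertificate, certificateTemplates |
    ForEach-Object {
        $caCert = ConvertFrom-DerCertificate -Der $_.cACertificate[0]
        [pscustomobject]@{
            CA            = $_.Name
            Host          = $_.dNSHostName
            Issuer        = $caCert.Issuer
            SignatureAlg  = $caCert.SignatureAlgorithm.FriendlyName   # sha1RSA on an old CA is worth noting
            NotAfter      = $caCert.NotAfter
            TemplateCount = @($_.certificateTemplates).Count
        }
    } | Format-Table -AutoSize
```

Keep the output from before and after the 2012 R2 CA is installed; the new Enterprise CA should appear as an additional pKIEnrollmentService entry beside the 2003 one while the functional levels stay as they were.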

Similar Messages

  • Migrating from 2003 domain/forest level to 2008R2 with all DCs at 2008R2 and 2 other Domain External and Forest Trusts

    Is there anything that needs to be done or considered when migrating from 2003 domain/forest level to 2008R2, with all DCs at 2008R2 and two other separate 2003 domains with incoming
    and outgoing trusts, one of which is a Forest Trust and the other an External Trust? Is there any chance or risk that doing this upgrade will break either one of these trust relationships? Some of the user accounts with SID history have been migrated
    from both trusted domains to our domain. Is there any chance that this upgrade will break these relationships for users who are using SID history for access to folders and files in their old domains? If so, what can be done to protect these trusts and SID history prior
    to moving the domain to 2008R2?

    Hi,
    Based on my knowledge,
    the upgrade of the functional level does not affect the trust relationship.
    Besides, before you upgrade the Functional Level,
    verify that all DCs in the domain are, at a minimum, at the OS version to which you will raise the functional level.
    Once the Functional Level has been upgraded, new DCs running on downlevel versions of Windows Server cannot be added to the domain or forest.
    For more information about functional levels, we can refer to the following links:
    Understanding Active Directory Domain Services (AD DS) Functional Levels
    http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx
    What is the Impact of Upgrading the Domain or Forest Functional Level?
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Best Regards,
    Erin

  • Hyper-V 2012 R2 Live Migration issue in 2003 Domain Functional Level

    hi Team ,
    I recently built a 2012 R2 Hyper-V cluster with three nodes. Everything is working fine without any issue. The cluster is also working fine. Later I came across one issue when I tried to live migrate a virtual machine from one host to another: it failed every time,
    while quick migration is working. I went through a few articles and found it is a known issue with Hyper-V 2012 R2 where the domain functional level is set to 2003. Although they have provided a hotfix, there is no solution.
    http://support.microsoft.com/kb/2838043
    Please let me know if anyone has faced a similar issue and was able to resolve it with any hotfix. My hosts are updated.
    Thanks
    Ravindra
    Ravi

    Hi Ravi1987,
    KB2838043 applies to Server 2012 nodes. Could you give us the related cluster error event ID, or refer to the following article to check whether your cluster
    network binding order is correct.
    Configuring Windows Failover Cluster Networks
    http://blogs.technet.com/b/askcore/archive/2014/02/20/configuring-windows-failover-cluster-networks.aspx
    You can try to install recommended hotfixes and updates for Windows Server 2012 R2-based failover clusters first, then monitor this issue again.
    The KB download:
    Recommended hotfixes and updates for Windows Server 2012 R2-based failover clusters
    http://support.microsoft.com/kb/2920151
    More information:
    Windows Server 2008 R2 Live Migration – “The devil may be in the networking details.”
    http://blogs.technet.com/b/askcore/archive/2009/12/10/windows-server-2008-r2-live-migration-the-devil-may-be-in-the-networking-details.aspx
    I’m glad to be of help to you!

  • Logon failure after upgrade Windows 2003 domain functional level and schema

    Before upgrade:
    Windows 2003 Std server: Domain functional level 2000, Schema version 30
    Crystal Report XI R2: Authentication: Windows AD
    Logon OK.
    After Upgrade:
    Windows 2003 Std + Windows 2008: Domain functional level 2003, Schema version 44
    Crystal Report XI R2: Authentication: Windows AD
    Logon Error: An error has occurred: java.lan.NullPointerException
    Is it a Tomcat problem?  OR Java runtime problem?  OR XI R2 problem?
    Anyone can help to fix it!?  Thanks!!

    OK, I try again in the testing lab and simplify the combination.  We only consider Windows 2003 ONLY.
    Before AD upgrade:
    AD/Domain Controller: Windows 2003 Std server: Domain functional level 2000, Schema version 30
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon OK.
    Upgrade combination 1
    Step 1:
    Upgrade Domain controller: Windows 2003 to Windows 2003 R2 (Domain functional level 2000, Schema version 31)
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon OK.
    Step 2:
    Upgrade Domain Functional Level: Windows 2003 R2 (Domain functional level 2003, Schema version 31)
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon Fail
    Logon Error: An error has occurred: java.lan.NullPointerException
    Upgrade combination 2
    Direct upgrade Domain Functional Level: Windows 2003 (Domain functional level 2003, Schema version 30)
    Crystal Report XI R2: run on Windows 2003 member server
    Operating OS: Windows XP/Vista/7: Authentication: Windows AD
    Logon Fail
    Logon Error: An error has occurred: java.lan.NullPointerException
    From this testing, we can conclude that when the Domain Functional Level is upgraded from 2000 to 2003, the MI logon will fail.
    Q1. Crystal Report XI R2 cannot run on Windows 2003 server (Domain Functional Level: 2003)?
    Q2. If Crystal Report XI R2 can run on Domain Functional Level 2003, how do we fix our problem?
    Do you have any idea to help us?  Thanks!
    Edited by: Initiator on Jul 20, 2010 6:22 AM

  • Identity Management for UNIX (aka Windows Services for Unix) Adding 2012 DC to a prep'd 2003 domain.

    We have been successfully using Windows Services for Unix on a 2003 domain for passwd and group maps.
    I prep'd the domain to allow a 2012 R2 server to be added and then added the IdMU role/feature on this new 2012R2 DC. Now the passwd map is still OK but the group map now shows full usernames rather than short names.
    i.e. what DID show with "ypcat group" as ...
    "infra-shared::65550:gfer,jhug,shig", now shows as
    "infra-shared::65550:Garry Ferguson,Jason Hughes,Steve Higgins"
    and so is not usable. I have had to revert to local /etc/group files on all our unix machines!!
    Help/comments would be really appreciated!
    Garry Ferguson

    Hi Gaz Ferg,
    SFU 3.5 used to be installed on Windows 2003 and Windows XP. SFU 3.5 cannot be used on Windows 2012, which means customers cannot use NFS and User Name Mapping services on Windows
    2012. From Windows 2003 R2 on, NFS is a built-in component of the OS; we need to add Roles/Features to use NFS.
    1. What has changed in 2012 R2
    The IDMU component, which was used to authenticate Linux users, has been removed. Now a Windows server cannot play the role of NIS Master server.
    Passwords cannot sync to the Unix machines. Maps cannot sync between Windows and Unix computers.
    2. What has not changed in 2012 R2
    The following methods to authenticate and map a Unix user to a Windows user are available:
    Active Directory
    Active Directory Lightweight Directory Services (AD LDS)
    Username Mapping Protocol store (MS-UNMP)
    Local passwd and group files
    Unmapped UNIX Username Access (UUUA) (applies to Server for NFS using AUTH_SYS only)
    You can find more information about this here –
    http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx
    http://blogs.msdn.com/b/shan/archive/2006/12/13/sfu-sua-idmu-fun-with-names.aspx
    More information:
    Install Identity Management for UNIX Components
    http://technet.microsoft.com/en-us/library/cc731178.aspx
    I’m glad to be of help to you!

  • Windows 2012 Certificate of authority

    Hi,
    Can anyone tell me if I can setup a windows 2012 r2 Certificate of Authority server with a windows 2008 AD domain?

    Yes.  Assuming your 2008 domain is at 2008 functional level, you would join your 2012 R2 domain controller to the domain as a 2008 functional level domain and then install the Certificate Services role.
    tim

  • SCSM 2012 with 2003 domain functional level supported?

    All,
    I am running SCCM 2007. Now I need to install Service Manager 2012SP1. Domain functional level is 2003 with 2008 DC.
    will this allow me to install SCSM 2012SP1 with full features? or will it be reduced functionality?
    Will there be any schema extension when I install SCSM 2012? Please note we already have SCCM 2007 running.
    Can I upgrade SCCM 2007 to SCCM 2012?
    It would be helpful if you could share some link about whether it's possible or not.
    Thanks.
    KailashC

    Thomas,
    Thanks for your response. Can I do a direct upgrade SCCM 2007 SP3 to SCCM 2012 or do I need to plan a migration? I mean fresh install SCCM 2012 and then migrate the data over ?
    Thanks.
    KailashC

  • Trusted root certification authority.

    Hello,
    I notice that on every server and client machine in our organisation, somehow 2 root certificates (purpose: All) are getting added automatically.
    These root certificates are already expired and not related to our current enterprise CA server.
    I checked RSOP.html on a client machine and the GPOs on the DC, but could not figure out the source.
    Any help greatly appreciated.
    Thanks.

    Hi,
    You are welcome.
    You may enable CAPI2 log to monitor certificate store operations, which is under Applications and Services Logs\Microsoft\Windows\CAPI.
    After you enable CAPI2 log, delete those 2 root certificates, wait to see whether they will be added again. If they do, check CAPI2 log to find detailed information.
    More information for you:
    Enable CAPI2 event logging to troubleshoot PKI and SSL Certificate Issues
    http://blogs.msdn.com/b/benjaminperkins/archive/2013/10/01/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues.aspx
    Best Regards,
    Amy
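As an added example (not from the thread), the following PowerShell turns on the CAPI2 log the way Amy suggests and then classifies every expired certificate in the machine's Trusted Root store by the channel that can deliver it (Group Policy, AD-published enterprise root, Windows automatic root update, or local only), which usually narrows down the source before the log is even needed. It assumes an elevated session on an affected domain member with the RSAT ActiveDirectory module; the registry paths are the standard locations Windows uses for each store.

```powershell
# Added example (not from the thread). Enable CAPI2 logging and classify expired
# roots in the machine Trusted Root store by their delivery channel.
# Run elevated on an affected domain member; assumes the RSAT ActiveDirectory module.

# 1. The CAPI2 Operational log is off by default; enable it and give it room (100 MB).
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600

# 2. Thumbprints delivered by each channel (registry subkey names are the thumbprints).
function Get-RegistryStoreThumbprints {
    param([string]$Path)
    (Get-ChildItem $Path -ErrorAction SilentlyContinue).PSChildName
}
$gpoRoots = Get-RegistryStoreThumbprints 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$entRoots = Get-RegistryStoreThumbprints 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
$autoRoots = (Get-ChildItem Cert:\LocalMachine\AuthRoot).Thumbprint   # automatic root update cache

# 3. Roots published in AD itself (this is what feeds the EnterpriseCertificates cache).
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$adRoots = Get-ADObject -SearchBase "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC" `
                        -Filter 'objectClass -eq "certificationAuthority"' -Properties cACertificate |
    ForEach-Object {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$_.cACertificate[0])).Thumbprint
    }

# 4. Every expired root in the machine store, tagged with the channel(s) that can deliver it.
$report = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.NotAfter -lt (Get-Date) } | ForEach-Object {
    $tp = $_.Thumbprint
    $sources = @()
    if ($gpoRoots -contains $tp)                          { $sources += 'GroupPolicy' }
    if ($entRoots -contains $tp -or $adRoots -contains $tp) { $sources += 'AD-Published' }
    if ($autoRoots -contains $tp)                         { $sources += 'AutoRootUpdate' }
    if (-not $sources)                                    { $sources = @('LocalOnly') }
    [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $tp; NotAfter = $_.NotAfter; Source = ($sources -join ',') }
}
$report | Format-Table -AutoSize

# 5. After deleting a root and waiting for it to reappear, pull the CAPI2 events whose
#    XML mentions it (the rendered Message is often too short to match on).
function Get-Capi2EventsFor {
    param([string]$SubjectFragment, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -like "*$SubjectFragment*" } |
        Select-Object TimeCreated, Id, Message
}
# Usage with a placeholder subject: Get-Capi2EventsFor -SubjectFragment 'CN=Old Root CA'
```

A root tagged LocalOnly that keeps returning after deletion points at software on the machine rather than at AD or Group Policy, which is where the CAPI2 events become useful.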

  • MDT 2012 to Migrate from Windows 2003 32 Bit to Windows 2012 R2 64 Bit

    I have used MDT for so long however only for client OS upgrade - XP to Windows 7/8.
    We wish to use MDT to migrate from Windows 2003 32 Bit to Windows 2012 R2 64 Bit. All servers are virtual on HyperV or VMWare - plan is to use USMT hardlink Migration.
    Is this supported? Has anyone used this for server migration?
    Regards, Vik Singh

    Thanks Keith for your reply.
    Even if USMT does not work, we are OK. SMIGdeploy will be helpful.
    Basically, want MDT to run some scripts on the Windows 2003 server, post which install Windows 2012 and join it to the existing domain with the same computer name.
    Then hydration kit to help with the installation of features etc. Also, we would like to take a complete backup to a WIM before migrating.
    I am sure this is workable.
    Regards, Vik Singh

  • PKI setup over Windows 2012 R2

    Hi, does anyone know how to set up PKI over Windows 2012 with a two-tier hierarchical model, and how it will work?

    Hi,
    See if below link helps you.
    http://blogs.technet.com/b/xdot509/archive/2012/10/21/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-i-installing-a-root-certification-authority-with-powershell.aspx
    http://blogs.technet.com/b/xdot509/archive/2012/10/24/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-ii-installing-a-root-certification-authority-with-the-gui.aspx
    http://blogs.technet.com/b/xdot509/archive/2012/10/27/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-iii-post-configuration-of-root-certification-authority.aspx
    Thanks.
    Regards,
    Calin

  • Multiple Subordinate Issuing CAs in Windows 2012 for redundancy

    Good Afternoon,
    I would like to have 2 Subordinate Issuing CAs (both Windows 2012 R2) in one site, with only one of them as the preferred/active CA issuing certs to my workstations and the other one as a backup redundant CA. The backup CA should only issue certs
    if the primary one goes down.
    How can I go about setting up this configuration? Is it as simple as starting CA services on the primary one and stopping CA services on the backup CA server?
    Also, our Domain/Forest functional level is currently 2003. It needs to stay on 2003 due to some dependencies. Can we have Root and other Issuing CAs on Windows 2012 R2 OS servers without upgrading the DFL/FFL to 2012 R2?

    Vadims,
    I am noticing a weird issue in my environment. Perhaps you could advise on this, or maybe this is how it's supposed to work. I need your expertise.
    We are currently using EAP-TLS for our wireless authentication. We have a production RADIUS server and a testing RADIUS server. On both RADIUS/NPS servers we have selected "Microsoft: Smart or certificate" as the authentication
    type under EAP in our NPS/RADIUS server.
    We currently have a Root CA, which is also the Issuing CA, set up on the same Windows 2003 DC. This has published client computer certs to all our workstations/laptops in the domain. The client/computer cert is used during authentication to connect
    to our corporate wireless.
    The plan is to retire this 2003 server and set up everything new on the Windows 2012 platform.
    So, I have set up a new Windows 2012 Root and Issuing CA server in parallel to the Windows 2003 server for testing. This 2012 Root CA is standalone and has not been joined to our domain, so it is not conflicting with the current 2003 CA. On
    the new 2012 issuing CA server, I created a computer template and issued it to a couple of workstations for testing purposes. I can see a new computer certificate coming from this new issuing CA in the "Personal Certificates" store of
    those test workstations, in addition to the existing certificates issued by the 2003 CA. My test RADIUS server has been configured to use a certificate from this 2012 CA as its proof of identity.
    Now I am unable to connect to the corporate wireless from these workstations. The moment I delete the client computer cert coming from the new 2012 CA, the workstation is able to authenticate successfully to the RADIUS server and connect. Is it that the
    2 client certs which are in the personal certificate store of that PC are conflicting with each other? I am not clear as to why they would conflict with each other, and why, upon deleting the new cert, I can connect successfully using the old client cert.

  • Joining Windows 2012 Server to SBS 2011 Domain

    Hi All,
    I have been trying to get a new Windows 2012 Server to join a SBS 2011 domain. The error message I am getting is:
    The following error occurred attempting to join the domain: xxxx. The specified domain does not exist or could not be contacted.
    I have a bunch of other Windows 7/XP workstations that have joined successfully. I have also tried disabling TCP/IP v6 on the 2012 server and joining the domain with the netdom command. The SBS 2011 server is listed as the primary DNS server on the 2012
    server.
    What else can I try here?
    Thanks,
    DR.

    I am having the same issue as the OP. I have my DNS settings pointing to the SBS server that hosts the domain and DNS. I am receiving the same error.
    Server 2012 R2 Standard
    SBS 2011 Essentials
    Jerry T

  • Exchange Server 2003 SP2 - Forest and Domain Functional Level Limitations

    Hi All
    Bit of a legacy question, and there's not much clarity out there.
    I need to confirm the highest DFL and FFL supported by Microsoft for Exchange 2003 SP2.
    We currently have a mix of 2003 R2 and 2008 R2 domain controllers, with the FFL and DFL currently set at 2003 R2.
    The plan is to move to Exchange 2010 in the very near future, so the question is: do we need to wait until we upgrade to Exchange 2010 before upgrading the DFL and FFL to 2008 R2?
    From what I've read, we will need to complete the Exchange upgrade first before moving forward with the functional level upgrades.
    Thanks in advance
    Bull

    Hi Bull,
    As Ed mentioned, Exchange server 2003 and Exchange 2010 support Windows Server 2003 domain functional level and Windows Server 2003 forest functional level, also supported in higher environment.
    More details about it, please refer to “Supported Active Directory environment” section:
    http://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx
    Note that new DCs running a lower version of Windows Server cannot be added to the domain or forest. For more details about
    the impact of upgrading the Domain or Forest Functional Level, for your reference:
    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
    Best Regards,
    Allen Wang

  • Upgrading PowerShell 2.0 to 3.0 on a Windows Server 2008 SP 2 Enterprise Certification Authority server

    Hello All:
    Are there any caveats to upgrading PowerShell 2.0 to 3.0 on a customer's Certification Authority server? The customer will also be upgrading to SCCM 2012  and employ this server as a Distribution Point.
    Any feedback would be greatly appreciated.
    Thank you.

    Hi Erik,
    I haven't tried to upgrade PowerShell on a Certification Authority server; however, Windows Management Framework 3.0 requires Microsoft .NET Framework 4.0, and you need to change the .NET version on Server 2008 SP2.
    For more detailed installation instruction, please follow this article:
    Windows Management Framework 3.0
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang

  • Replace Windows 2003 DC with Windows 2012 R2 Foundation

    Hi
    We are a small office (7 users) that currently have one Windows 2003 Server configured as a domain controller running DNS,DHCP and file services for users. All computers (7) are joined into local domain. All users have mapped drives to 2003 server shares
    and redirected (offline) folders for my-documents configured.
    Due to old hardware, we decided to buy a new server with a Windows 2012 R2 FOUNDATION licence. For our company I think this will be the best choice, since Foundation has CALs 'included' in the license, and for our requirements it will be more than enough.
    The Foundation server limit is that the server must be the root domain controller in a domain that has no trusts at the root of the forest. My question is how can we 'replace' the old server with a new one (what are the steps)? I'm thinking of the following scenario:
    - install the server and promote it to a DC with a new local domain name in a new forest
    - copy all data from the old server to the new one
    - take all computers out of the old domain and put them back into the new domain that is running on 2012 Foundation
    - power off the old server
    Most of the work will be with the computers, which need to be reconfigured to the new domain?
    Is this the right approach, or are there any other (better) options?
    Just thinking... Is it possible to join 2012 Foundation into the existing domain, then transfer all roles from the old server to the new one, and at the end demote the old server and power it off? (I know this is the standard approach in Windows Server Standard editions.)
    Thank you in advance
    Mike

    Hi,
    There is no need to create a new domain. We can add the new DC to your current domain, then transfer FSMO roles, related settings and main service roles to the new DC.
    Reference the link provided by Alceryes to add Windows Server 2012 R2 to your current domain. and then reference link below for
    Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2:
    http://blogs.technet.com/b/canitpro/archive/2014/04/02/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Besides, for DHCP migration from 2003 to 2012, you can reference:
    http://blogs.technet.com/b/canitpro/archive/2013/04/29/step-by-step-migration-of-dhcp-from-windows-server-2003-to-windows-server-2012.aspx
    For DNS migration, install DNS server role on Windows Server 2012 R2, and configure it as secondary DNS servers to the old DNS servers. Do replication, once completed, change it from secondary to primary. Remove old server and also clear their record in
    new DNS. Checklist: Migrate a DNS Server(also applied for WS 2012 R2), for your reference:
    https://technet.microsoft.com/en-us/library/cc755303.aspx
    It is better to do a test lab and backup related data before migration in your current environment.
    Best Regards,
    Eve Wang
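As an added example (not from the thread), here is the in-place path Eve describes expressed with PowerShell and the built-in tools: verify the new DC, transfer the five FSMO roles, check which DNS zones actually need the secondary-then-primary handover, and move DHCP with netsh. The server names DC2012 and OLDDC2003 are placeholders; run it from the new 2012 R2 DC with Domain Admin rights, after the new DC has been promoted into the existing domain.

```powershell
# Added example (not from the thread). Replace a 2003 DC in place: check, transfer
# roles, migrate DNS/DHCP, then demote the old one. DC2012 and OLDDC2003 are placeholders.
Import-Module ActiveDirectory
$newDc = 'DC2012'
$oldDc = 'OLDDC2003'

# 1. Where the five roles live now, and whether the new DC replicates cleanly.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
repadmin /showrepl $newDc
dcdiag /s:$newDc /q          # quiet mode prints only failures

# 2. Make the new DC a global catalog before it becomes the only DC left.
repadmin /options $newDc +IS_GC

# 3. Transfer (not seize) all five roles while the old DC is still online and healthy.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo            # every role should now list $newDc

# 4. DNS: AD-integrated zones already replicate to the new DC; only standard primary
#    zones need the secondary-then-primary handover described above. "DS" in the
#    enumzones output marks an AD-integrated zone.
dnscmd $oldDc /enumzones

# 5. DHCP: run the export on the old server and the import on the new one
#    (netsh works on both versions; the file path is a placeholder).
#    On OLDDC2003:  netsh dhcp server export C:\dhcp-export.txt all
#    On DC2012:     netsh dhcp server import C:\dhcp-export.txt all
Get-Service DHCPServer -ComputerName $newDc | Select-Object Status

# 6. Point clients' DNS at the new DC (DHCP option 006 or static settings), demote the
#    old DC with dcpromo on OLDDC2003, then confirm nothing still depends on it.
dcdiag /s:$newDc /test:dns /q
```

Before step 6, keep the old DC online for at least one replication cycle after the role transfer so any clients still cached on it are not cut off mid-logon.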
