KDC 37 after installation of new 2019 domain controller

Question

Hi,

 

I have an issue with RDP protocol after installation 2 new 2019 DC.

I have to migrate 4 2008R2 to 2019 and i see article about KB5008380—Authentication updates (CVE-2021-42287) but i'm a little bit confused about what to do exactly on old 2008R2 dc and new 2019 and the order

https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041 

 

2019 are all up to date June 2023

2008R2 don't receive updates anymore no ESU

 

Do i need to install only KB5008605 of 2021 november on all old 2008R2 and create registry entry PacRequestorEnforcement with 1 or 2

Thanks in advanced for any answer

Answer 1

The 2008 are being retired right? If so there's nothing really needs done about that.

The two prerequisites to introducing the first 2019 or 2022 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR

I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019 or 2022, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

--please don't forget to upvote and Accept as answer if the reply is helpful--