question

AralelemathMaheshCognizant-1711 asked DaisyZhou-MSFT commented

Legacy Server authentication from Windows 2016 DCs

Hi,

We are in the process of upgrading all DCs in the domain to Windows 2016 from Windows 2008R2. We have a few legacy Windows 2003/XP systems in the environment and are just worried about the impact, as SMBv1 is not enabled in Windows 2016 by default and we are not encouraged to enable it.

Is there a possibility of defining all Windows 2003/XP to get authenticated from Windows 2008R2 DC only?
As of now not seeing issues since Windows 2008R2 DCs are still available.

Any thoughts on this will be really helpful.

Regards
Mahesh

windows-server windows-active-directory

Hello @AralelemathMaheshCognizant-1711,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Hello @AralelemathMaheshCognizant-1711,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
Again thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @AralelemathMaheshCognizant-1711,

Thank you for posting here.

Is there a possibility of defining all Windows 2003/XP to get authenticated from Windows 2008R2 DC only?
A: Usually, if Windows 2003/XP machines are in the same sites as DCs running Windows 2008R2, then the Windows 2003/XP machines will find a Windows 2008R2 DC to authenticate against first.

If you have 2008 R2 DCs and 2016 DCs in your domain now, during the downtime, you can try to shut down the 2008 R2 DC and keep the 2016 DCs running if possible, then check whether the Windows 2003/XP machines can be authenticated by a 2016 DC without any failure.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou

DSPatrick answered

The 2003 / XP members should not be a problem at this point in time, but also note they're no longer supported so things can change. Better to update them to a supported operating system.

--please don't forget to Accept as answer if the reply is helpful--




AralelemathMaheshCognizant-1711 answered

Hi Patrick,

Thanks
Yes, the upgrade is a definite one, but I wanted to ensure there is no impact until everything moves to the latest version.

If I understand correctly, you are saying there shouldn't be any issue for Windows 2003/XP systems to get authenticated by Windows 2016 DCs even though SMB1 in Windows 2016 is not enabled manually?

I was thinking that, due to SMB1 unavailability, these Windows 2003/XP systems might face login issues, SYSVOL access issues or Group Policy loading issues.
Is that not the case, and is there no impact?

Regards
Mahesh

DSPatrick answered

You could check it here and if needed during interim SMBv1 can be enabled on Server 2016.
https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3#smb-v1-on-smb-server-1

--please don't forget to Accept as answer if the reply is helpful--



AralelemathMaheshCognizant-1711 answered

Hi Daisy,

Thanks for the details.
We are checking this, but it is a bit difficult in a production environment as we need to plan this and observe.
In case these legacy clients are reaching Windows 2016 DCs and failing for GPO, SYSVOL or anything else, we wanted to have an alternate plan in hand.

Is there anything we can do to make these legacy clients reach only legacy DCs for authentication?
I remember we used to hard-code the DC name in the LMHOSTS file during the NT days. Is anything like that still possible?

Regards
Mahesh

DaisyZhou-MSFT answered

Hello @AralelemathMaheshCognizant-1711,

Thank you for your update.

Is there anything we can do for these legacy clients to reach only Legacy DCs for authentication?
A: There is no way to make these legacy clients reach only legacy DCs for authentication.

According to the discussion with my colleagues, if there is indeed an older version of the machine that uses SMBv1, the only way may be to enable SMBv1 on the 2016 DC. However, doing so may increase some risks as you mentioned.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
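
An added example, not part of the original thread: a PowerShell sketch for checking the SMBv1 server state on a Windows Server 2016 DC and auditing which clients connect with SMBv1 before deciding whether to enable or keep it. `Get-Smb1ClientSummary` is a hypothetical helper name, and the "Client Address:" line it parses from the event 3000 message is an assumption about the message text.

```powershell
# Run in an elevated PowerShell session on each Windows Server 2016 DC.

# 1. Current SMB server state: is SMB1 accepted, and is SMB1 auditing on?
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

# Is the SMB1 feature installed on this server at all?
Get-WindowsFeature -Name FS-SMB1 | Select-Object Name, InstallState

# 2. Turn on SMB1 access auditing. This only logs SMB1 connections;
#    it does not enable or disable the protocol itself.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After an observation window, summarise which clients used SMB1.
#    Hypothetical helper; assumes the event 3000 message contains a
#    "Client Address: <address>" line.
function Get-Smb1ClientSummary {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # No matching events raises an error; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
        }
    } | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Name
            Hits     = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Hits -Descending
}

Get-Smb1ClientSummary -Days 7 | Format-Table -AutoSize
```

The resulting client list shows which machines still depend on SMBv1 against that DC, which scopes how long SMBv1 has to stay enabled and which systems to migrate first.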
