2008R2/2003 mixed domain

Status
Not open for further replies.

Milkwerm

Dabbler
Joined
Jun 26, 2011
Messages
40
I've been trying to get AD auth working in a 2003/2008R2 mixed domain. The 2008 box holds the FSMO roles. Twice now when trying to join the domain it has corrupted the secure channel key and I have had to reset it (nltest SC_CHANGE_PWD & netdom reset <servername>) on the 2K8 DC. If I point it at the 2k3 box it joins OK and I can see the AD groups, configure permissions etc., but after a reboot of the NAS they disappear and I can't seem to get them back. Anyone else got this working in a mixed domain?

NB: this is for CIFS shares, using the 8r7263 nightly.
 

Everyone

Dabbler
Joined
Sep 7, 2011
Messages
17
Yes, but not with FreeNAS specifically. I did a 2003 to 2008R2 AD upgrade, had to keep the 2003 DCs around for a few months until we figured this issue out. Unfortunately it's been a while and I can't remember exactly what had to be done. I do remember having to change a few things in the security policy for the DC though. Something to do with the way older versions of Samba handle encryption and authentication. You have to lower the level of a few things on the 2008 DC for it to be compatible.
 

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
> Yes, but not with FreeNAS specifically. I did a 2003 to 2008R2 AD upgrade, had to keep the 2003 DCs around for a few months until we figured this issue out. Unfortunately it's been a while and I can't remember exactly what had to be done. I do remember having to change a few things in the security policy for the DC though. Something to do with the way older versions of Samba handle encryption and authentication. You have to lower the level of a few things on the 2008 DC for it to be compatible.

I'm in the same boat. I have one 2003 DC and two 2008's. I did the following:

  1. Log on to a Windows Server 2008-based domain controller.
  2. Click Start, click Run, type gpmc.msc, and then click OK.
  3. In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
  4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
  5. In the Properties dialog box, click the Enabled option, and then click OK.

The above steps are from:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;942564

I also found this item regarding a Kerberos setting in /etc/krb5.conf, but haven't tried it yet.
http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/
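
A way to check afterwards whether the Net Logon policy from the steps above is in effect on a domain controller, as an added example that is not part of the original posts or of the Microsoft article. It assumes the setting is stored as the `AllowNT4Crypto` DWORD under the two registry keys shown and that the Group Policy copy takes precedence over the local one; `Get-AllowNT4CryptoState` is a hypothetical helper name.

```powershell
# Added example: report whether "Allow cryptography algorithms compatible with
# Windows NT 4.0" is in effect on the domain controller this runs on.
# Assumption: the setting is the AllowNT4Crypto DWORD under the keys below,
# checked in order, with the Group Policy copy winning over the local copy.
$locations = [ordered]@{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    'Local'        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
}

function Get-AllowNT4CryptoState {
    foreach ($source in $locations.Keys) {
        # A missing key or value yields $null instead of an error.
        $item = Get-ItemProperty -Path $locations[$source] -Name AllowNT4Crypto `
                                 -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                Source            = $source
                Value             = [int]$item.AllowNT4Crypto
                WeakCryptoAllowed = ([int]$item.AllowNT4Crypto -ne 0)
            }
        }
    }
    # Value absent in both places: treated here as "not allowed".
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Source            = 'Not configured'
        Value             = $null
        WeakCryptoAllowed = $false
    }
}

$state = Get-AllowNT4CryptoState
$state | Format-List

if ($state.WeakCryptoAllowed) {
    Write-Warning ("NT 4.0-compatible Netlogon cryptography is enabled on {0} (source: {1}). " +
                   "Disable the policy again once no legacy client depends on it." -f
                   $state.Computer, $state.Source)
}
```

Run it in an elevated PowerShell session on each domain controller the Default Domain Controllers Policy applies to, after `gpupdate` has refreshed policy.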
 