Windows Vista Tips


2008 R2 DC and Older cryptography algorithms

 
 
da crusher
06-01-2010

Hello Everyone,

We have introduced a 2008 R2 DC into our environment, migrated all the roles
to it, and for now are keeping some 2003 DCs for a mixed mode domain
functionality environment.

We do have some older machines (NT) that currently we cannot get rid of and
I am seeing some authentication errors on the 08 DC (IDs 5722, 5805). Since
we still have 03 DCs, the NT machines still authenticate fine.

My question is regarding KB 942564 - for our environment, I'm thinking we
would use the group policy workaround - where I get stumped is step 6:
Install third-party software updates that fix the problem, or remove client
computers that use incompatible cryptography algorithms.

Can someone please clarify this? Does this mean that even though we
correctly set the group policy, the clients still won't authenticate unless
'updates' are applied?

Thanks in advance!!!!


 
Meinolf Weber [MVP-DS]
06-02-2010

Hello da,

This part belongs to 3rd party software, not using the correct algorithm.
So with a wrong one you still can't use the GPO, there is only the option
to remove it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
da crusher
06-02-2010

Thank you for the reply Meinolf.

Just to confirm - with the GPO, all Windows machines (at least NT and later)
will be able to authenticate to an 08 R2 DC. Only 3rd party apps would need
to be upgraded or removed?

Thanks again!

 
Meinolf Weber [MVP-DS]
06-02-2010

Hello da,

Correct, see also:
http://technet.microsoft.com/en-us/l...54(WS.10).aspx

http://support.microsoft.com/kb/555038

http://support.microsoft.com/kb/288358

http://support.microsoft.com/?kbid=946405

You are even able to join Windows Server 2008/Windows Vista to NT 4 domains,
but not Windows Server 2008 R2/Windows 7:
http://support.microsoft.com/kb/940268/en-us?p=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
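
Before relying on the KB 942564 group policy workaround, it helps to know which clients are actually producing the 5722/5805 errors on the new DC. The script below is an added example, not part of any post in this thread: the host names and sample events are constructed, and the message pattern assumes the standard English Netlogon event text.

```powershell
# Added example: summarise Netlogon session-setup failures (event IDs 5722 and
# 5805, the IDs named in the thread) per client computer. PowerShell 2.0 syntax.
function Get-NetlogonFailureSummary {
    param([Parameter(Mandatory = $true)][object[]]$Events)

    $Events |
        Where-Object { 5722, 5805 -contains $_.Id } |
        ForEach-Object {
            # Assumption: English message text of the form
            # "The session setup from the computer NAME failed to authenticate."
            if ($_.Message -match 'from the computer (\S+) failed to authenticate') {
                New-Object PSObject -Property @{
                    Client = $Matches[1].ToUpper()
                    Id     = $_.Id
                    Time   = $_.TimeCreated
                }
            }
        } |
        Group-Object Client |
        ForEach-Object {
            New-Object PSObject -Property @{
                Client   = $_.Name
                Failures = $_.Count
                EventIds = ($_.Group | Select-Object -ExpandProperty Id | Sort-Object -Unique) -join ','
                LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } |
        Sort-Object Failures -Descending
}

# Constructed sample records (hypothetical host names), shaped like Get-WinEvent output.
$msg = 'The session setup from the computer {0} failed to authenticate. ' +
       'The following error occurred: Access is denied.'
$sample = @(
    New-Object PSObject -Property @{ Id = 5805; TimeCreated = [datetime]'2010-06-01 08:00'; Message = ($msg -f 'NT4-PLANT01') }
    New-Object PSObject -Property @{ Id = 5722; TimeCreated = [datetime]'2010-06-01 08:00'; Message = ($msg -f 'NT4-PLANT01') }
    New-Object PSObject -Property @{ Id = 5805; TimeCreated = [datetime]'2010-06-01 09:30'; Message = ($msg -f 'nt4-lab02') }
    New-Object PSObject -Property @{ Id = 7036; TimeCreated = [datetime]'2010-06-01 09:31'; Message = 'Unrelated service event.' }
)
Get-NetlogonFailureSummary -Events $sample | Format-Table Client, Failures, EventIds, LastSeen -AutoSize

# On the 2008 R2 DC itself, feed it the live System log instead of the sample:
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722, 5805 }
#   Get-NetlogonFailureSummary -Events $live
# To see whether the NT 4.0-compatible (weaker) algorithms are currently allowed on this DC:
#   Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name AllowNT4Crypto -ErrorAction SilentlyContinue
```

Clients that still appear in the summary after the policy is applied are the ones to treat as candidates for the upgrade-or-remove step the thread discusses.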





 