Hi there world. It’s been a particularly gnarly week: not too many questions that most people would find relevant, plus it was just crazy busy (stupid Windows 7 and R2, being all popular and whatnot, leads to a lot of USMT work for me… D-: ). Hence – late posting with not much sirloin.

Get to the choppah!

Question

I’ve installed my first few Windows Server 2008 R2 computers and tried to make them DFS Namespace V2 (i.e. “Windows Server 2008 Style”) root servers. I am having a bunch of issues setting it up though. For example, using DFSMGMT.MSC or running this command:

DFSUTIL.EXE ROOT ADDDOM \\TESTSRV\Test V2

always returns:

Could not execute the command successfully
SYSTEM ERROR - The version of the operating system installed on the server is incompatible with the functional level of the domain or forest.

I’ve had various Win2008 servers for a while now and they add as V2 roots just fine in the same domain and forest. I also cannot delete previously created links in V2 namespaces using the R2 servers; I get the error:

The folder cannot be deleted. Cannot complete this function.

What’s up here?

Answer

You need to raise the forest functional level to Windows Server 2003 or higher; right now it’s at Windows 2000, I’ll wager. Windows Server 2008 R2 DFSN requires the higher level due to how it does some AD object creation operations differently than Win2008. Confirmation here.

Question

Did the default SACLs in Active Directory change between Windows 2000 and Windows Server 2003? It seems that when Directory Services Access auditing is enabled on a Win2003 domain, the logs are much quieter, but Win2000 is noisy as heck. If true, when I upgrade a Win2000 domain to 2003 will it get less chatty?

Answer

Indeed, they did change based on the experience we had with Win2000.


Yeowza! Win2000 has very aggressive settings, but Win2003 makes you go set SACLs as needed for nearly everything. This is definitely the better approach as every company will have a different idea on what they want to audit.

And no, they are not changed again by subsequent domain upgrades. They are a function of the first DCPROMO in a domain only, not any later ones. If you wanted to make an upgraded domain less chatty, examine the domain root DN; you will see where most of the SACLs are being inherited from. :-)
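One way to do that examination, as an added example that is not from the original post: it lists the audit entries on the domain root that flow down to child objects. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it is allowed to read SACLs (the "Manage auditing and security log" right on the domain controller).

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) and an account
# permitted to read SACLs on the domain controller.
Import-Module ActiveDirectory

# The domain root DN is where an upgraded domain keeps its original SACL.
$rootDn = (Get-ADDomain).DistinguishedName
$acl    = Get-Acl -Path "AD:\$rootDn" -Audit

# Explicit and inherited audit entries, identities resolved to account names.
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

# Entries whose InheritanceType is not None apply to child objects as well,
# so they are the ones that produce audit events throughout the domain.
$inheritable = $rules | Where-Object { $_.InheritanceType -ne 'None' }

$inheritable |
    Sort-Object IdentityReference, ActiveDirectoryRights |
    Format-Table IdentityReference, AuditFlags, ActiveDirectoryRights,
                 InheritanceType, ObjectType, InheritedObjectType -AutoSize

# Summary: number of inheritable entries per identity and audit type
# (Success, Failure, or both).
$inheritable |
    Group-Object IdentityReference, AuditFlags |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

An all-zero GUID in the ObjectType and InheritedObjectType columns means the entry is not scoped to a particular attribute or object class, which makes it the broadest kind of entry in the output.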

Statement

I am going to $^%#&*^$&*# destroy you for posting my email address on the Internet! I hate your face so much! I get nothing but <redacted, but hilarious> spam now! AAARGGGHHH!!!!

Signed, Mike O’Reilly.

Reply

I lol’ed.

Have a good weekend, Earth.

Ned “has on-call phone, so expect grumpy replies Monday” Pyle