Windows 10: Desktops not communicated with domain controller more the 60 days

Hi,


Due this lockdown, Most of our desktop not communicated with our domain controller more than 2 months,


Is it make any issues,

:)

 

Raising the windows domain and forest issues?


hi,

I run a domain that was all 2003 r2 servers. I recently upgraded all my domain controllers to windows 2012 r2.
That went off without any problems.. Our trust relationships had no issues also.

My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
These are the features for raising the levels to 2008:

• Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
• Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
• Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

Forest Level Windows Server 2008

• Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

The step involving 2008 r2 seems relatively a non issue. But getting the couple of new features seem very nice

Domain Level Windows Server 2008 R2

• All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

Forest Level Windows Server 2008 R2

• All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

• Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
• All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

Here is my big concerns for the next raising of domain and forest to 2012.

Forest Level Windows Server 2012:

• All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
• All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Domain Level Windows Server 2012 R2: <=====Need to investigate more and why this post

• DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

• Authenticate with NTLM authentication <==============(what issues may arise)
• Use DES or RC4 cipher suites in Kerberos pre-authentication
• Be delegated with unconstrained or constrained delegation
• Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Will this affect my exchange anywhere users with remote access authenticating either clear of NTLM???
and what would/may not to work properly day 1 when I raise the domain and forest to 2012. I cant really find anyone that can answer a straight question.

Has anyone gone through this? what problems did you have, if any , if a lot???

Any thoughts and suggestions will be much appreciated??

thanks


- - - Updated - - -

One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
PLEASE LET ME KNOW

 

BOINC for Windows Domain Controllers

Long story short, BOINC stopped supporting domain controllers after version 5.10.45 and 5.10.45 broke because it's HTTPS security certificates are out of date. Requirements:

• Windows Server 2003 R2 x64 Edition or newer (must be 64-bit)
• Must have domain controller role installed.

If neither of these requirements are met, just use the latest version from Berkeley.

The solution:

• Download this ZIP from TPU (thanks @Wizzard!)
• Extract everything from the ZIP to the desktop or some place you can easily access it.
• Run "boinc_5.10.45_windows_x86_64.exe" to install 5.10.45 as normal.
• After it is installed, make sure BOINC is not running. If it is running as a service, you can stop it via Services. If it is running in the tray, right click on the tray icon and click on Exit.
• Navigate to where BOINC is installed. This is usually C:\Program Files\BOINC. You should see a ca-bundle.crt file here (it'll have a different icon from the rest). If you do, you're in the right place.
• Extract the contents of the "certificates" folder to the folder where BOINC is installed. You should be prompted to replace existing files. Do it. If you do not, you're likely in the wrong directory or copied the "certificates" folder instead of its contents. It is very important that the files inside of "certificates" overwrite the installed BOINC files.
• Start BOINC again. If it is a service, go back into Services and start the BOINC service. If it is a tray application, run it from your start menu. You'll also need to start the BOINC Manager if you have it installed as a service for the next step.
• Double click on the tray icon to open the BOINC Manager if it isn't already open. Click on the "Messages" tab and verify it is able to download tasks. If it is, you're good to go. If you see "SSL connect" errors lets us know by replying to the thread.

The "certificates" are copied from 7.6.22.

 

Windows workstation trust to Domain

We had laptops which have joined the domain.

Because of COVID-19, nowadays our users have used laptops at home with no connection to the Domain. As a result, laptops can not synchronize their machine password automatically with domain controller.

The configuration on laptops and DC are:

on laptops:

MaximumPasswordAge = 30 days

DisablePasswordChange = 0

on Domain Controller: MaximumPasswoedAge = 91 days

Questions:

The questions are about the behavior of laptops in different period.

1. What will be happened in laptops and will users can continue work normally with this laptops when we reach to days 30, 60, 90 and 120 with no connection to domain?
2. If users will return back to office at 121 day, can the laptops connect to domain with no problem and work normally?

I would appreciate your explanation.