<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Verdana; font-size: 10pt; color: #000000'>Lab'ing is great, but it doesn't help with the support issue later on.<span> It might work, but if it breaks later and I call the TAC, the TAC looks at the data sheet and says, "R2 is not there." ;)<br><br>Since there will be multiple AD servers, some at 2003, some at 2008 R2, we have the option to simply continue pointing to the 2003 servers (which are 2003 R2, I believe!).<br><br>I guess I can open a TAC case and ask them to clarify whether 2008 R2 is supported or not. Minimally, I will have that to go back to management with.<br><br>---<br>Lelio Fulgenzi, B.A.<br>Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1<br>(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)<br>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>Cooking with unix is easy. You just sed it and forget it. <br> - LFJ (with apologies to Mr. Popeil)<br></span><br><hr id="zwchr"><b>From: </b>"Jason Aarons (US)" <jason.aarons@us.didata.com><br><b>To: </b>"Bill Riley" <bill@hitechconnection.net>, cisco-voip@puck.nether.net<br><b>Sent: </b>Tuesday, February 8, 2011 9:54:28 AM<br><b>Subject: </b>Re: [cisco-voip] ACS 2008 R2<br><br><style><!--
--></style><div class="WordSection1"><p class="MsoNormal"><span style="color: rgb(31, 73, 125);">This is a good example of why you should lab test the AD upgrade prior to production.</span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);">ACS 5.1 can’t talk to a 2008 domain controller at 2003 functional level. ACS runs Centrify, and ACS 5.2 fixed it. I think ACS 4.2.1 has a similar issue, but I'm not positive.</span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);">From the TAC case after the upgrade: “I believe you are running into a problem when a 2008 DC is running at 2003 functional level. Basically we send a ticket request to the KDC and it responds with the encryption versions it supports, including AES. Since AES is the strongest encryption, we choose that and send a ticket request using AES to the KDC. The KDC then responds saying it does not support AES, since 2003 does not support AES encryption.</span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);">If this is the case, then raising the domain functional level to 2008 native should resolve the issue, assuming that this will not break anything else in your environment.”</span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);">http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/da205761-4eb3-4896-a71f-7cc8512d5420</span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);">http://www.windowsitpro.com/article/kerberos/Q-Can-the-default-encryption-types-the-Kerberos-authentication-protocol-uses-in-Windows-7-and-Windows-Server-2008-R2-cause-compatibility-problems-Is-there-a-workaround-.aspx</span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Yes, the customer was warned in advance that 2008 R2 wasn’t supported until ACS 5.2 was released; for whatever reason they upgraded regardless, breaking VPN authentications.</span></p><p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span></p><div><div style="border-right: medium none; border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in 0in;"><p class="MsoNormal"><b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";">From:</span></b><span style="font-size: 10pt; font-family: "Tahoma","sans-serif";"> Bill Riley [mailto:bill@hitechconnection.net] <br><b>Sent:</b> Tuesday, February 08, 2011 9:31 AM<br><b>To:</b> Jason Aarons (US); cisco-voip@puck.nether.net<br><b>Subject:</b> ACS 2008 R2</span></p></div></div><p class="MsoNormal"> </p><p class="MsoNormal">From the original thread “support for MS AD 2008R2 and "mixed" 2003 R2 / 2008 R2”:</p><p class="MsoNormal"> </p><p class="MsoNormal">You said that the 2008 R2 DC caused problems with ACS. What issues did you have? I am surprised there are that many dependencies between ACS and Active Directory authentication. </p></div><p></p><hr size="1"><p></p>
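<p>The negotiation the TAC engineer describes in the quoted message, reduced to a runnable model. This is an editorial addition to the archived thread, not code from ACS, Centrify, Windows or any of the posters. The encryption-type numbers and the KRB-ERROR code are the real RFC 4120/3961 registry values; the <code>ToyKDC</code> class, the <code>negotiate()</code> function, the sample client etype lists and the rule that AES keys only exist once the domain functional level is 2008 are constructed assumptions that follow the TAC explanation rather than a full implementation of the AS exchange. Beyond the failing case, the model also shows the three ways out that the thread touches on: raising the functional level, restricting the client's etype list (the workaround the windowsitpro link discusses), and simply pointing the client at a 2003 DC that never offers AES.</p>

```python
"""Toy model of Kerberos AS-REQ encryption-type (etype) negotiation against a
2008 DC running at 2003 domain functional level.  Added illustration only;
the KDC/client behaviour is a simplified, constructed model."""
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos encryption type numbers (RFC 3961 registry, RFC 3962, RFC 4757)
AES256_CTS_HMAC_SHA1_96 = 18
AES128_CTS_HMAC_SHA1_96 = 17
RC4_HMAC = 23
DES_CBC_MD5 = 3
AES_ETYPES = {AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96}

# KRB-ERROR code from RFC 4120: "KDC has no support for encryption type"
KDC_ERR_ETYPE_NOSUPP = 14

# Client preference lists, strongest first (the "etype" field of an AS-REQ).
# Constructed for the example.
MODERN_CLIENT_ETYPES = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                        RC4_HMAC, DES_CBC_MD5]
NO_AES_CLIENT_ETYPES = [RC4_HMAC, DES_CBC_MD5]   # "restrict the client" workaround


@dataclass
class ToyKDC:
    """A domain controller: what its Kerberos stack implements versus which
    keys its krbtgt account actually holds.  Assumption modelled here, taken
    from the TAC note: AES krbtgt keys only exist at DFL 2008 or higher."""
    implemented_etypes: List[int]
    domain_functional_level: int

    def advertised_etypes(self) -> List[int]:
        # What the TAC note says the DC reports: everything the OS implements.
        return list(self.implemented_etypes)

    def key_etypes(self) -> List[int]:
        if self.domain_functional_level >= 2008:
            return list(self.implemented_etypes)
        return [e for e in self.implemented_etypes if e not in AES_ETYPES]

    def as_req(self, etype: int) -> Tuple[str, int]:
        """Answer an AS-REQ that asks for a ticket with the given etype."""
        if etype in self.key_etypes():
            return ("AS-REP", etype)
        return ("KRB-ERROR", KDC_ERR_ETYPE_NOSUPP)


def negotiate(client_etypes: List[int], kdc: ToyKDC,
              retry_on_nosupp: bool = False):
    """Pick the strongest etype both sides list and send the AS-REQ.
    With retry_on_nosupp=False the client stops at the first KRB-ERROR, which
    is the behaviour the TAC note describes; with True it falls back to the
    next candidate.  Returns (outcome, etype_or_error_code, attempts)."""
    candidates = [e for e in client_etypes if e in kdc.advertised_etypes()]
    attempts = []
    for etype in candidates:
        outcome, value = kdc.as_req(etype)
        attempts.append((etype, outcome))
        if outcome == "AS-REP" or not retry_on_nosupp:
            return outcome, value, attempts
    return "KRB-ERROR", KDC_ERR_ETYPE_NOSUPP, attempts


# Constructed sample domain controllers
DC_2008_AT_DFL_2003 = ToyKDC(MODERN_CLIENT_ETYPES, 2003)   # the thread's case
DC_2008_AT_DFL_2008 = ToyKDC(MODERN_CLIENT_ETYPES, 2008)   # after raising DFL
DC_2003 = ToyKDC(NO_AES_CLIENT_ETYPES, 2003)               # a 2003 DC never offers AES

if __name__ == "__main__":
    cases = [
        ("AES client -> 2008 DC at DFL 2003 (no fallback)", MODERN_CLIENT_ETYPES, DC_2008_AT_DFL_2003, False),
        ("AES client -> 2008 DC at DFL 2003 (with fallback)", MODERN_CLIENT_ETYPES, DC_2008_AT_DFL_2003, True),
        ("AES client -> 2008 DC at DFL 2008", MODERN_CLIENT_ETYPES, DC_2008_AT_DFL_2008, False),
        ("client without AES -> 2008 DC at DFL 2003", NO_AES_CLIENT_ETYPES, DC_2008_AT_DFL_2003, False),
        ("AES client -> 2003 DC", MODERN_CLIENT_ETYPES, DC_2003, False),
    ]
    for label, client, kdc, retry in cases:
        outcome, value, attempts = negotiate(client, kdc, retry)
        print(f"{label}: {outcome} {value}  attempts={attempts}")
```

<p>The first case reproduces the symptom in the TAC note: the DC lists AES, the client takes it, and the KDC answers with KDC_ERR_ETYPE_NOSUPP (14) because no AES key exists at that functional level. The remaining cases each succeed with a different fix, and the last one is the reason Lelio's option of staying pointed at the 2003 DCs works: a 2003 KDC never advertises AES, so the mismatch cannot arise. On a real domain the inputs to this model are the domain functional level (visible as <code>(Get-ADDomain).DomainMode</code> with the AD PowerShell module) and the etype list the client is configured to send.</p>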
<br>_______________________________________________<br>cisco-voip mailing list<br>cisco-voip@puck.nether.net<br>https://puck.nether.net/mailman/listinfo/cisco-voip<br></div></body></html>