Hello Greg Jaworski here again to briefly talk about two issues when raising the domain functional level (and/or) the forest functional level to Windows Server 2008 R2. While we have loads of documentation on this and numerous blogs there are a few issues that customers have hit that are a little harder to find.
The first one was first documented (to my knowledge) by Brian Puhl who is a Microsoft employee, but this was not blogged on one of our sites. The link to that blog is below (it is external so the usual warnings apply). I have provided some details below.
So when you raise the domain functional level to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 or gasp Windows 2000 the krbtgt password will be changed. Some TechNet articles have stated that the krbtgt password is periodically changed but that is not true. There is obvious concern that this password does not change, but this password is very complex and this account is also disabled by default. So back to the topic at hand this password change should not cause issues since we remember the previous password. I have not seen any issues with Windows systems, but I have seen issues with Unix/Linux systems that use 3rd party AD integration software. In that case simply recycling the daemon fixed the issue since this caused the application to retrieve new Kerberos tickets. This is one of those “it should not break anything” but it should be documented as part of raising the DFL to Windows Server 2008 so that you can be prepared if the unexpected does happen.
The second one is related to the .NET framework prior to version 4.0. Versions of .NET prior to .NET 4.0 do not support the DomainMode enumeration function against a Windows Server 2008 R2 domain or forest. Now not being a developer I have no idea what that function does (well I could guess 🙂 ), but if you have .NET applications that use Active Directory you will want to test and make sure these work, and apply this hotfix if needed. (You did test….right…right)
2260240 FIX: “The requested mode is invalid” error message when you run a managed application that uses the .NET Framework 3.5 SP1 or an earlier version to access a Windows Server 2008 R2 domain or forest
What is the Impact of Upgrading the Domain or Forest Functional Level?
Understanding Active Directory Domain Services (AD DS) Functional Levels
How to raise Active Directory domain and forest functional levels
FIX: “The requested mode is invalid” error message when you run a managed application that uses the .NET Framework 3.5 SP1 or an earlier version to access a Windows Server 2008 R2 domain or forest
Replication Version Number for your KrbTGT account password?
W2K3 to W2K8 and W2K8R2 Active Directory Upgrade Considerations
Upgrade Domain Controllers: Microsoft Support Quick Start for Adding Windows Server 2008 or Windows Server 2008 R2 Domain Controllers to Existing Domains