KB-2018: Upgrade Domain Controller from W2K3 to W2K8/W2K8R2

Authentication Service

12 April,16 at 10:57 AM

Applies to:

Centrify DirectControl 5.1.0 and above



We have domain and forest functional level at 2003 but will be upgrading to Windows 2008/R2 in the environment.  Are there best practices for this upgrade?



In Windows Server 2003, AES was not supported.


However, Windows Server 2008 introduced support for a new encryption type, AES, which can be used when Active Directory is running at Domain Controller Functional Level 2008. Centrify DirectControl 4.2.x and later versions support AES encryption, but the support needs to be enabled before it can be used.


You need to:

1)     Run ‘adkeytab -r -u <AD user>’ as root. This updates the keytab with the AES entries.

2)     Restart adclient with ‘/usr/share/centrifydc/bin/centrifydc restart’. This causes adclient to renegotiate with the DC so that it accepts AES-encrypted tickets.


Note: This can also be added to Centrify GP:


Configuration -> Policies -> Centrify Settings -> Common UNIX Settings -> Specify commands to Run


Remember to delete the command from the policy after the GP has been set up (90-120 minutes later).



Note: If customers need DES for NFSv4, they need to fix the enctype on both the adclient side and the AD side. A W2003 -> W2008 upgrade changes the KRBTGT password hash, which invalidates all TGTs that were issued prior to the upgrade. Adclients will need to be restarted by issuing the ‘centrifydc restart’ command.
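
To confirm that the keytab reset in step 1 actually produced AES keys, the following added example (not part of the original Centrify article) parses `klist -ke` or `klist -kte` output and lists principals whose newest key version has no AES entry, which also surfaces DES-only service principals such as those used for NFSv4. It assumes an MIT-style `klist` and the default keytab path `/etc/krb5.keytab`; the function names, host, realm and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list keytab principals whose newest key version has no AES key.
# Reads MIT-style `klist -ke` / `klist -kte` output on stdin.
principals_without_aes() {
    awk '
        $1 ~ /^[0-9]+$/ {
            kvno = $1 + 0; princ = ""
            # The principal is the first field containing "@" (works with or without -t).
            for (i = 2; i <= NF; i++) if (index($i, "@")) { princ = $i; break }
            if (princ == "") next
            # The enctype is the parenthesised tail; short and long names both contain "aes".
            enc = $0; sub(/^[^(]*\(/, "", enc); sub(/\)[ \t]*$/, "", enc)
            # Old key versions linger in the keytab, so only the highest KVNO counts.
            if (!(princ in top) || kvno > top[princ]) { top[princ] = kvno; aes[princ] = 0 }
            if (kvno == top[princ] && tolower(enc) ~ /aes/) aes[princ] = 1
        }
        END { for (p in top) if (!aes[p]) print p }
    ' | LC_ALL=C sort
}

# Constructed sample output (hypothetical host and realm), not captured from a real system.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   2 04/11/2016 09:00:00 host/unix01.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/12/2016 10:57:00 host/unix01.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/12/2016 10:57:00 host/unix01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/11/2016 09:00:00 nfs/unix01.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 04/12/2016 10:57:00 nfs/unix01.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 04/12/2016 10:57:00 nfs/unix01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
EOF
}

# Demo on the sample; on a joined host, as root (keytab path is an assumption):
#   klist -kte /etc/krb5.keytab | principals_without_aes
sample_klist_output | principals_without_aes
```

An empty result means every principal has an AES key at its current key version; any principal printed still relies on RC4 or DES only.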