12 April,16 at 10:57 AM
Applies to:
Centrify DirectControl 5.1.0 and above
Question:
We have domain and forest functional level at 2003 but will be upgrading to Windows 2008/R2 in the environment. Are there best practices for this upgrade?
Answer:
Windows Server 2003 did not support AES for Kerberos.
Windows Server 2008 introduced the AES encryption types, which can be used once Active Directory is running at domain functional level 2008. Centrify DirectControl 4.2.x and later support AES encryption, but the support has to be enabled before it can be used.
You need to:
1) Run 'adkeytab -r -u <AD user>' as root. This updates the keytab with the AES entries.
2) Restart adclient with '/usr/share/centrifydc/bin/centrifydc restart'. This causes adclient to re-negotiate with the DC so that it accepts AES-encrypted tickets.
Note: This can also be added to Centrify GP:
Configuration -> Policies -> Centrify Settings -> Common UNIX Settings -> Specify commands to run
Remember to remove the command from the GP once it has been applied (90-120 minutes later).
Note: If customers need DES for NFSv4, the enctype has to be fixed on both the adclient side and the AD side. The W2003 -> W2008 upgrade changes the KRBTGT password hash, which invalidates all TGTs that were issued before the upgrade, so adclients will need to be restarted with the 'centrifydc restart' command.
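To confirm that the keytab really picked up AES entries after step 1 (and to spot any single-DES entries that the NFSv4 note above refers to), the enctypes listed by 'klist -k -e' can be checked. The script below is an added example, not Centrify's code; it assumes MIT-style 'klist -k -e' output and uses a constructed listing so it runs offline, but the same functions can be fed the live output of 'klist -k -e /etc/krb5.keytab'.

```shell
#!/bin/sh
# Added example (not part of the original KB article or Centrify's tooling).
# Checks a 'klist -k -e' style keytab listing for AES and single-DES entries.

# Constructed sample of 'klist -k -e' output, as it might look after
# 'adkeytab -r -u <AD user>' has added AES keys (KVNO 4) next to older ones.
SAMPLE_AFTER='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/unix01.example.com@EXAMPLE.COM (arcfour-hmac)
   3 host/unix01.example.com@EXAMPLE.COM (des-cbc-md5)
   4 host/unix01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 host/unix01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed sample of the same host before the keytab was refreshed.
SAMPLE_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/unix01.example.com@EXAMPLE.COM (arcfour-hmac)
   3 host/unix01.example.com@EXAMPLE.COM (des-cbc-md5)'

# count_enctype <enctype-prefix> <listing>
# Prints how many keytab entries have an enctype starting with the prefix.
count_enctype() {
    printf '%s\n' "$2" | grep -c "($1"
}

# keytab_has_aes <listing> : succeeds if at least one AES entry is present
keytab_has_aes() {
    [ "$(count_enctype aes "$1")" -gt 0 ]
}

# keytab_has_des <listing> : succeeds if a single-DES entry is present
# (weak; per the note above only needed when NFSv4 still requires DES)
keytab_has_des() {
    [ "$(count_enctype des-cbc "$1")" -gt 0 ]
}

# Summarise the sample, as an admin would do with live 'klist -k -e' output.
if keytab_has_aes "$SAMPLE_AFTER"; then
    echo "AES entries present: $(count_enctype aes "$SAMPLE_AFTER")"
else
    echo "no AES entries: re-run adkeytab -r -u <AD user> as root"
fi
if keytab_has_des "$SAMPLE_AFTER"; then
    echo "single-DES entries still present: $(count_enctype des-cbc "$SAMPLE_AFTER")"
fi
```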