Event details
Join us for our March 9 “Ask Microsoft Anything” chat about Windows Server updates and upgrades. We’ll cover your questions on how to stay more secure by upgrading older servers (2008 and 2012 versions), the importance of running regular updates, and security features for Windows Server 2022 and Windows Server on Azure.
Please take a look at our recent blog for some additional context and information: https://azure.microsoft.com/en-us/blog/4-bestpractices-to-keep-your-windows-server-estate-secure-and-optimized/
For this March 9 AMA we’ll have members of Windows Servicing and Delivery team, Windows Server engineering, and security product managers available to answer your questions via chat.
This AMA is text only – meaning there will not be any video nor audio.
An AMA is a live online event similar to an “Ask Me Anything” on Reddit. This AMA gives you the opportunity to connect with Microsoft trainers and members of the product engineering team, who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions anytime in the comments below beforehand, if it fits your schedule or time zone better, though questions will not be answered until the live hour.
126 Comments
- Janine-Patrick
Microsoft
It looks like we have had several people on this thread on Windows Server 2012 / 2012 R2. Just a reminder that this version is approaching the end of its support per our normal lifecycle. Here are some pages with options and details: https://www.microsoft.com/en-us/sql-server/sql-server-2012-eos
https://www.microsoft.com/en-us/windows-server/extended-security-updates
- MattTheSysAdmin
Brass Contributor
To 'overcome' our Server 2003 woes, one of our developers has suggested he build some sort of 'Kerberos Proxy', that would essentially receive AES Kerberos tickets and spit out the same ticket encrypted in RC4.
After I'd picked myself up off the floor and finished laughing, I was shocked that management were actually exploring this as a real possibility.
Question:
I need to dissuade them from going anywhere near this path. Would this actually work? Do you know of any security guidance against this kind of proxy (essentially creating a man-in-the-middle attack on yourself?)? Any large sticks I can beat these people with?
- Cliff_Fisher
Microsoft
I don't believe this would be possible due to various tamper protections, but either way, this is absolutely not supported by Microsoft.
- MattTheSysAdmin
Brass Contributor
Thanks Cliff. Any chance you have references to these tamper protections?
- Keith_Hoffman
Former Employee
Our recommendations in this case would be to:
1. Upgrade your legacy Server 2003 systems to a supported OS that is still getting security updates
2. Air gap any legacy systems you cannot immediately upgrade
3. Place any legacy systems you cannot immediately upgrade into their own domain structure
The hardening included in the November update is there to help our customers be more secure as we know RC4 and DES are easily compromised. So along the lines of keeping things as secure/safe as possible, we would not recommend doing *anything* to try to work around the hardening. So while the Kerberos proxy idea is innovative it is not something we would recommend doing. You'd be better off spending those resources trying to upgrade those 2003 boxes.
- User_ID_205188
Brass Contributor
Is SMB over QUIC ever coming to on-premises SKUs?
- NedPyle
Former Employee
Hi. I can't give a true roadmap for the future here, but I can say that Azure Edition VMs can be run on-prem as guests on Azure Stack HCI. This is not the final story, but I can't explain further. I will say that nothing in Azure Edition is guaranteed to stay Azure Edition-only. It is meant to be a "state of the art" OS SKU, where features go there first then more broadly. Hotpatch is a pretty good example of this - that feature obviously has a future in every single Windows-based SKU we make.
- ms_edrusi
Brass Contributor
What is the product to check in SCCM to get updates for Server 2022? Looks like the legit option is Windows Server 1903 or later?
- User_ID_205188
Brass Contributor
I believe that's "Microsoft Server operating system 21H2"
- Artem Pronichkin
Microsoft
Boris is spot on. "Microsoft server operating system 21H2" covers both Windows Server 2022 and Azure Stack HCI, version 21H2. Those are two slightly different operating systems that share a lot in common, and therefore there's a single category for both, using a unified name.
- ms_edrusi
Brass Contributor
Or what is the Server 2022 - HotPatch category?
- Artem Pronichkin
Microsoft
HotPatch category is only for hotpatch which is a special "live" update mechanism. So far, it's only available in Windows Server 2022 Datacenter: Azure Edition which is a special OS edition. Unless you run this OS edition, you can ignore this category.
- Janine-Patrick
Microsoft
Sharing a great video from our December 2022 Windows Server Summit, featuring Orin Thomas and Sonia Cuff. Demos upgrading, lots more: https://youtu.be/u_qZjD8CIi8
- MattTheSysAdmin
Brass Contributor
I hope there's not a question limit!

When upgrading Domain Controllers, I've never done in-place upgrades. I heard somewhere long ago it's not the done thing, but I can't remember where or why.
I've always built new DCs, then stolen the IP address and promoted in place, all the way back from 2003 until now in 2019.
The young whippersnappers on my team tell me this is an old way of thinking....
Question:
Are in-place upgrades of Domain Controllers properly supported now, or even recommended? Any caveats we should be aware of?
- Michael Painter
Copper Contributor
I personally have had good experience upgrading DCs as long as not SBS. Took one from Server 2008 to Server 2019, had to stop at 2012 R2 first... But all of their accounts, applications, databases etc. came through. The first step was to P2V the server on new hardware using Hyper-V.
- Cliff_Fisher
Microsoft
The recommended way to upgrade a domain is to promote domain controllers that run newer versions of Windows Server & demote older DCs as needed. Details here: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/upgrade-domain-controllers Keep in mind that FRS should also be migrated to DFSR as part of your upgrade, especially if you are deploying Server 2022.
- Justin Russell
Copper Contributor
Hello! Thank you for taking the time to answer questions from the community. I have two questions:
- Windows Server 2022 Azure Edition, in the Azure Portal the Hotpatch status - Enablement status says Enabled while the Readiness status says Unknown. Is this indicative of an issue?
- Are there any local log files / event logs to review hotpatch information?
- Poornima_Priyadarshini
Microsoft
Thanks for attending. 1) No 2) Not logs, but the configuration tells that.
- NedPyle
Former Employee
Hi Justin, I am the owner of Azure Edition (but not the hotpatch backend). This is some weirdness going on in the Azure Update backend that I don't have great insight into. I will ping those folks and see what the answer is right now, try to get back to you here asap.
- NedPyle
Former Employee
Heard back - they said you need to open a support case to investigate this, you shouldn't be seeing this behavior. It's not a broad outage according to them, something weird going on with your tenant.
- AspenForester
Brass Contributor
Jeff Woolsey, my org is beginning the process of replacing our 2012 R2 file server VMs, going to Server 2022. We've started the inventory process with Storage Migration Services, but some shares are returning errors that the inventory failed on x number of folders. We're not seeing any logging that gives us insight on which folders it might be having trouble with. We can only assume at this point that someone has managed to break NTFS inheritance and stripped "Administrators" and "System" of access to the folder. Is the inventory recording this anywhere, or are we currently on our own as to what folders / files are failing?
- NedPyle
Former Employee
Hi JB, I own SMS and can answer here: the inventory logging is pretty light, unfortunately (the original design was just to quickly count, not look for details, for performance reasons). We have a work item to improve this, but in the meantime you can just start a transfer and let it log the actual failures, then download the errors log to find your miscreants. You can run as many transfers as you want and if most of the data isn't going to transfer, it will be over with pretty fast :(. In fact it might be better just to use ICACLS to grant admin and system rights back all over the source machine first, just to eliminate the issue.
- AspenForester
Brass Contributor
Thanks Ned! I have some PowerShell tooling to survey the NTFS permissions, but of course that takes some time. Knowing that I can just run the transfer, and then see what's breaking is helpful!
- CharlieFraser
Copper Contributor
In my quest to shut down my remaining Server 2008 R2 servers, in a few instances I can't decommission them. Is it possible to do an in-place upgrade to 2012 R2 then 2016 to buy me some time?
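Ned's two suggestions (let a transfer log the failures, or use ICACLS to grant Administrators and SYSTEM rights back across the source) can be combined into a pre-flight survey. The PowerShell below is an added example, not code from the thread, from Storage Migration Service, or from the poster's own tooling; it assumes it runs elevated on the source file server, and the share root path is a constructed placeholder.

```powershell
# Added example; not code from the AMA thread or from Storage Migration Service.
# Walks a source share root and reports folders where the Administrators or SYSTEM
# ACEs that the SMS inventory relies on are missing (or the ACL cannot be read at all),
# then optionally restores them with icacls as suggested above.
# Assumptions: run elevated on the source file server; $Root is a constructed placeholder.
param(
    [string]$Root = 'D:\Shares\Finance',   # assumption: replace with the real share root
    [switch]$Repair
)

$Required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl

# Returns the principals from $Required that have no Allow ACE granting FullControl.
function Get-MissingPrincipals([System.Security.AccessControl.DirectorySecurity]$Acl) {
    foreach ($id in $Required) {
        $hasFull = $Acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $Full) -eq $Full)
        }
        if (-not $hasFull) { $id }
    }
}

$findings = [System.Collections.Generic.List[object]]::new()
Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force `
    -ErrorAction SilentlyContinue -ErrorVariable walkErrors |
    ForEach-Object {
        $dir = $_
        try   { $acl = Get-Acl -LiteralPath $dir.FullName }
        catch { $findings.Add([pscustomobject]@{ Path = $dir.FullName; Problem = 'ACL unreadable' }); return }
        $missing = @(Get-MissingPrincipals $acl)
        if ($missing.Count -gt 0) {
            $findings.Add([pscustomobject]@{ Path = $dir.FullName; Problem = "No FullControl for: $($missing -join ', ')" })
        }
    }
# Folders the walk could not even enter are findings too; the inventory will fail on them.
foreach ($e in $walkErrors) {
    $findings.Add([pscustomobject]@{ Path = "$($e.TargetObject)"; Problem = 'Enumeration denied' })
}
if ($Repair) {
    foreach ($f in $findings) {
        # Inheritable FullControl for both principals; /C keeps going past individual errors.
        # If icacls is itself denied, take ownership first (takeown /F <path> /A) and rerun.
        icacls $f.Path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' /C | Out-Null
    }
}
$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it once without -Repair to get the list of broken folders, check that nothing on it is intentional, and only then rerun with -Repair before starting the SMS inventory again.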
- Rob-Hindman
Microsoft
Note also that some customers move their WS 2008 R2 servers to VMs and run them in Azure IaaS before upgrading them to WS 2012 R2 or WS 2016 or WS 2019. -Rob.
- Keith_Hoffman
Former Employee
Yes, this is technically supported. Though as always please make sure you have verified backups and you will want to verify any third party services/apps running on those boxes will handle the upgrade as expected.
- SQLHA
Copper Contributor
It may be supported from an OS perspective, but if, for example, you're running older versions of SQL Server they may not be supported on WS2012 R2 or 2016. Also, things like WSFCs cannot be upgraded in place so that's also an issue. TL;DR consider more than just the OS.
- ABarone19
Copper Contributor
Will performing the upgrade break any domain trusts? Or will the trust and any folder permissions carry over?
- Cliff_Fisher
Microsoft
Not typically, but can you be more specific about your concern?