2003 native mode with NT4 DC's


James

Hi,

If I have a 2003 native mode domain with NT4 DC's, will the NT4 ones still
attempt to authenticate clients?

I am faced with a scenario where I want to move a mixed mode 2003/NT4 domain
to native mode, but it will not be easy, for other reasons, to decommission
the NT4 DC's, as they run other key applications. If they will still pose a
potential problem, is there any way to tell them not to be a DC without
removing them from the domain?

The primary reason I need to move the mixed mode domain to native is
because Exchange 5.5 will be migrated to 2003 (mixed mode method). There are
lots of public folders with Exchange 5.5 distribution lists for permissions.
These will not work if a domain is in mixed mode, with a mixed Exchange
5.5/2003 org, as universal security groups cannot be used in a mixed mode
domain. I'd rather avoid having to re-permission the public folders with
individual accounts...hence the reason for this.

Clients are 98-XP. WINS is used.

Thanks,

James
 
Doug Frisk

James said:
> Hi,
>
> If I have a 2003 native mode domain with NT4 DC's, will the NT4 ones still
> attempt to authenticate clients?

Yep. They'll also still attempt to replicate account information from the
PDC emulator, but will be refused, making them forever out of date. This
could eventually lead to an account that has had a password changed being
validated under the old password which is on the BDC, or an account that's
been disabled or even deleted being authenticated by the BDC. (Now, given
that these accesses would be rejected by any servers participating in the
"real" domain the security threat isn't perilous, but the confusion threat
is off the scale.)

Past that, any application running on a DC will find in the local NetBIOS

> I am faced with a scenario where I want to move a mixed mode 2003/NT4
> domain to native mode, but it will not be easy, for other reasons, to
> decommission the NT4 DC's, as they run other key applications.

See above, the apps *will* have authentication issues *at the least*.

> If they will still pose a potential problem, is there any way to tell them
> not to be a DC without removing them from the domain?

There is no supported method of "demoting" an NT4 Domain controller.

> The primary reason I need to move the mixed mode domain to native is
> because Exchange 5.5 will be migrated to 2003 (mixed mode method). There
> are lots of public folders with Exchange 5.5 distribution lists for
> permissions. These will not work if a domain is in mixed mode, with a mixed
> Exchange 5.5/2003 org, as universal security groups cannot be used in a
> mixed mode domain. I'd rather avoid having to re-permission the public
> folders with individual accounts...hence the reason for this.
>
> Clients are 98-XP. WINS is used.

Do what it takes to move the apps over to other member servers.

Going native with NT4 DCs still functioning is pointing a gun at your head.
 
Mark Renoden [MSFT]

Hi James

You can't move to Windows 2003 native mode with NT4 BDC's still in the mix.
Unfortunately, there's no way of "demoting" an NT4 BDC so that it's just a
member server. It involves a re-install or requires you to upgrade the
machine to Windows Server 2003.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
ptwilliams

I've not used this myself, but have read many people in these groups say
that it works and it works well:
-- http://utools.com/UPromote.asp

That'll demote a BDC to a member server...


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Doug Frisk

ptwilliams said:
> I've not used this myself, but have read many people in these groups say
> that it works and it works well:
> -- http://utools.com/UPromote.asp
>
> That'll demote a BDC to a member server...

Note I said "no supported method" in my response. ;-)

But then again, given that as of last month you can't get PSS support for
NT4 and they're no longer making security hotfixes available, retaining NT4
is probably not the best idea at this point.

I'm suspecting that the app in question requires it run on a BDC for some
reason though, so the original poster may be between a rock and a hard
place.
 
