Backout from Native Mode

Guest

Is there any way to backout after going to Native Mode?
Could I restore the 2 AD Domain Controllers from tape? OR,
Could I create a new BDC, and then take it off-line just in case my Native
Mode Domain is messed up?
 
Danny Sanders

Kurt,

You seem overly concerned with your domain being in Native mode. By
upgrading your existing PDC you will not have to set the domain to Native
mode.

Not sure how you are fixed for servers but if your original PDC can not
handle the upgrade and you have a new server you could remove Win 2k and
install NT 4.0 on it as a BDC, promote to PDC then upgrade this PDC to Win
2k/Win 2k3 and AD.

hth
DDS W 2k MVP MCSE
 
Guest

Hi,

I have 2 Domain Controllers running Active Directory in Mixed Mode.
Could I add a 3rd and take it off-line, in case my move to Native Mode does
not go well. Then start it up and claim all roles?

Kurt
 
Danny Sanders

> Could I add a 3rd and take it off-line, in case my move to Native Mode does
> not go well. Then start it up and claim all roles?


You can try it. I'm not sure, it should work.

The switch to native mode ONLY affects replication between an AD DC and a NT
4.0 BDC in the SAME domain. If you have a BDC in the domain remove it, if
you don't there is really nothing to worry about.

hth
DDS W 2k MVP MCSE
 
Andrei Ungureanu

Just to be sure, make a system state backup from a domain controller. After
that go for it ... you have nothing to worry about ... as this change is
smooth and if you don't use NT4 DCs ... it will not affect you.
 
ptwilliams

Although all the documentation states that you cannot go back to mixed mode
once you've gone up to native mode is this completely true or just not
recommended? After all, it's only one attribute on the domain object -
nTMixedDomain. Has anyone ever tried setting this attribute back to 1?
I've not read that the ability to go back is hard coded into Windows
itself...

I guess that's one to test - problem is going through the hassle of creating
VM NT DCs : )


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Cary Shultz [A.D. MVP]

Paul,

When I have a chance I might just take a look at this. Anyway, there has
been a lot of talk about how to 'demote' a WINNT 4.0 BDC in this newsgroup.

Some people have answered that you just delete the computer account and all
is good. Other people have answered that you have to follow the procedure
to remove a 'DC' from AD. I would lean more towards the latter but have
not had to ever do it ( well, can not remember it if I have! ). So, it just
might be a nice time to take a look at this. Cannot promise that this will
happen in the next two hours ( or two days, for that matter ). But it will
be on my list of things to do....

Hope that all is well with you!

Cary
 
Enkidu

> Is there any way to backout after going to Native Mode?
> Could I restore the 2 AD Domain Controllers from tape? OR,
> Could I create a new BDC, and then take it off-line just in case my Native
> Mode Domain is messed up?

If you are in mixed mode there is absolutely no drama in going to
native mode. It just means that you will no longer have any NT4 BDCs.

Cheers,

Cliff
 
ptwilliams

Hi Cary,

All's well thanks! Hope everything's OK with you too.

If you're in a position to test this that would be cool. I'd sure like to
know. I've noticed there are often times when the docs say it can't be done
but it can - it's just not supported (like RIS and Win2000 server for example
;-)

Also, re. the whole NT BDC removal, I've dished out the advice that as
they're only read-only replicas they can be turned off and the computer
object removed - and the people I gave this advice to never came back and said
things didn't go as planned ;-)

The main issues (that I've seen) with NT 5.x machines not being demoted
properly seem to stem from replication - the KCCs trying to create links,
etc. Obviously this doesn't happen with NT as they don't use Frs. I've not
got round to removing any of our NT 4 BDCs yet. When I do (probably not any
time soon!) I'll have a dig around with LDP and NTFSUTIL see if there is any
metadata used, etc.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Cary Shultz [A.D. MVP]

Paul,

Have just completed some testing in the lab. Created a WINNT 4.0 PDC
running DHCP, WINS and DNS and then created a WINNT 4.0 BDC. I then created
a WIN2000 Pro client. All went well - as expected. NetBIOS name is NATHAN
and the dns name is nathan.com.

I created two user accounts on the PDC and they replicated to the BDC. I
then tried to edit something on the BDC ( clearly not gonna work ) and it
did not work ( as expected ).

I then upgraded the WINNT 4.0 PDC to WIN2000 and Active Directory. No
problems. The two user account objects were there. I then created three
additional user account objects on the 2K DC in the default location (
USERS ) and they replicated to the BDC quickly. I then edited all five on
the 2K DC with ADModify ( added a couple of things that do not appear in the
Users Manager for Domains and one thing - logon.bat - that does ). All was
good. I then created an OU and created three more user account objects in
that OU and they did indeed show up in the Users Manager for Domains. All
as expected.

Ran a bunch of tests. In the ADUC MMC the BDC does show up under the Domain
Controllers OU. It also shows up in ADSIEdit ( obviously ) but does not
have the CN=nTFRSubscription object ( clearly ). However, it does not show
up in the ADSS MMC. Also does not show up in the DNS MMC.

Ran dcdiag /c /v on the WIN2000 DC and it is the only DC that shows up. No
NT 4.0 BDC. Ran netdiag /v and same thing. If you run repadmin /showreps
it is empty. Same for repadmin /showconn and replmon. If you run nltest
/bdc_query:nathan the NT 4.0 BDC is found to be 'In_Synch'. If you run
nltest /dclist:nathan it finds both ( although the 2K DC is listed by the
fqdn - nathanpdc.nathan.com - while the NT BDC is listed by its computer
name - nathanbdc ).

I then attempted to remove the bdc via ntdsutil. However, it does not show
up ( in the 'List Servers in Site' section only the WIN2000 DC is there ).
So, we do not need to worry about this.

I then attempted to delete the computer account object from the Domain
Controllers OU. Naturally, it could not be deleted. Simply needed to
change the userAccountControl value from 8192 to 4096. Then I could delete
it. Gone.

Then gave it a minute or two. Went to the BDC and rebooted. Able to log on
without any problem. Simply turned off the BDC and rebooted the WIN2000 Pro
client. No problems. Except that the logon script did not work too well
( as all of the shared folders were on the BDC! ).

So, in a nutshell all you need to do is to remove the BDC from the Domain
Controllers OU and turn it off ( naturally you would need to take care of
any services that might be running on the machine or any shared folders or
what not ). Then, a week later simply remove it completely and possibly
recycle...or not!

Cary
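
Added example, not part of the post above: the userAccountControl change it describes is a switch from the SERVER_TRUST_ACCOUNT bit (8192) to the WORKSTATION_TRUST_ACCOUNT bit (4096), and the sketch below decodes those values and flags computer accounts that carry the DC trust bit without appearing among the servers ntdsutil lists. The inventory is constructed from the lab names in the post; NATHANPRO and the 532480 value for the Windows 2000 DC are assumptions.

```python
# Added example, not from the thread. Flag values are the documented
# userAccountControl bits; the inventory below is constructed sample data.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",  # 4096: member workstation or server
    0x2000: "SERVER_TRUST_ACCOUNT",       # 8192: domain controller account
    0x80000: "TRUSTED_FOR_DELEGATION",
}
SERVER_TRUST = 0x2000


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_dc_accounts(computers, ntds_servers):
    """Compare each account's DC trust bit with the servers that have an
    NTDS Settings object (the ones ntdsutil and Sites and Services list)."""
    known = {name.lower() for name in ntds_servers}
    report = {}
    for c in computers:
        dc_bit = bool(c["uac"] & SERVER_TRUST)
        has_ntds = c["name"].lower() in known
        in_dc_ou = ",ou=domain controllers," in c["dn"].lower()
        if dc_bit and has_ntds:
            report[c["name"]] = "AD domain controller"
        elif dc_bit:
            report[c["name"]] = "DC account without NTDS Settings: NT4 BDC or leftover, review"
        elif in_dc_ou:
            report[c["name"]] = "member account still in Domain Controllers OU"
        else:
            report[c["name"]] = "member"
    return report


# Constructed inventory using the lab names from the post (NATHANPRO is hypothetical).
SAMPLE = [
    {"name": "NATHANPDC", "dn": "CN=NATHANPDC,OU=Domain Controllers,DC=nathan,DC=com", "uac": 532480},
    {"name": "NATHANBDC", "dn": "CN=NATHANBDC,OU=Domain Controllers,DC=nathan,DC=com", "uac": 8192},
    {"name": "NATHANPRO", "dn": "CN=NATHANPRO,CN=Computers,DC=nathan,DC=com", "uac": 4096},
]

if __name__ == "__main__":
    for name, verdict in audit_dc_accounts(SAMPLE, ["NATHANPDC"]).items():
        uac = next(c["uac"] for c in SAMPLE if c["name"] == name)
        print(f"{name:10} {uac:>7} {decode_uac(uac)} -> {verdict}")
```

Run against a real export, the second category is the one to review after NT 4.0 BDCs are retired, since those accounts still hold a domain controller trust with nothing behind them.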
 
ptwilliams

Well, I hate to say it but I figured as much ;-) Although, it's good to now
know!

If this test domain is still up and running can you try changing to native
and then back again (after making some changes and ensuring they've not
replicated)?

The attribute is nTMixedDomain on the DC=domainName,DC=com sub-folder of the
domain NC.

0 (zero) is native mode

I look forward to your answer...


I take it Nathan is your son?

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Cary Shultz [A.D. MVP]

Paul,

It is alive and kicking and I have left it such because I figured you would
ask this. I remember you posting something about this. I did see that
attribute when I used ldp.exe to check things out ( was specifically looking
for it ). Right now it is indeed set to 0 ( Mixed Mode ).

And, yes, Nathan is our son. We have had the most fantastic day with him
today. He is a pure joy and the reason for everything that I do. What an
incredible little creature he is! I hope that you are fortunate enough to
have some children. They change everything completely.

I do not remember what it was like before he arrived some four months ago.
And I do not want to!

Anyway, enough of the proud papa raving!

Cary
 
