Mixed mode / Native mode again


Kevin Page

My corporate is upgrading to AD and we are having a parent domain
acme00.com and all the business units will use acme01.com to
acme10.com. For my BU, someone created our domain, acme09.com, as
native mode a year ago. We have already migrated 2 countries to this
domain already. However, the corporate suddenly told me to move
everyone to another domain called acme08.com because native mode is
having some failover problem. They said that we only have 3 global
catalog servers worldwide and native mode domain users have to
authenticate through the global catalog servers instead of their local
domain server. If the WAN link failed, no one in our domain can
authenticate anymore. I have difficulty in believing that because it
wasn't mentioned in the MSDN at all. Well, I haven't tried that
though because it is too risky doing so. But my understanding is that
the logon server is controlled by "AD site and services". It should
have nothing to deal with mixed mode or native mode.
 

Matjaz Ladava [MVP]

Hi Kevin,

When the domain is in native mode, it has the possibility to use universal groups.
Universal group membership is stored in global catalog servers and it is
read from them during the logon process. That is why MS suggests placing a GC in
every remote site (WS2k3 changes this). Also when the domain is in mixed mode,
the global catalog is contacted, but as universal groups are not available in
mixed mode, there is no practical need for a GC in the logon process (except for
UPN discovery). Have you considered placing a GC in every remote site?

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
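Matjaz's advice is to put a GC in every remote site. As an added example (not from the thread or either poster), this PowerShell audit lists, per AD site, the subnets mapped to it and how many DCs and GCs it holds, and reads the domain's mixed/native flag; it assumes the RSAT ActiveDirectory module and a session allowed to query the domain, and the `Risk` wording is my own.

```powershell
# Added example, not from the thread: per-site DC/GC inventory plus the
# domain's mixed/native flag. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# nTMixedDomain on the domain head object: 1 = mixed mode, 0 = native mode
$mixed = (Get-ADObject $domain.DistinguishedName -Properties nTMixedDomain).nTMixedDomain
"{0}: {1} mode, functional level {2}" -f $domain.DNSRoot,
    $(if ($mixed -eq 1) { 'mixed' } else { 'native' }), $domain.DomainMode

$dcs     = Get-ADDomainController -Filter *    # Site (name) and IsGlobalCatalog per DC
$subnets = Get-ADReplicationSubnet -Filter *   # Site here is the site's distinguished name

$report = foreach ($site in Get-ADReplicationSite -Filter *) {
    $inSite = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $gcs    = @($inSite | Where-Object { $_.IsGlobalCatalog })
    $nets   = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })
    [pscustomobject]@{
        Site    = $site.Name
        Subnets = ($nets.Name) -join ', '
        DCs     = $inSite.Count
        GCs     = $gcs.Count
        # A site with DCs but no GC: Win2000 native-mode logons there depend on the WAN
        # reaching a GC elsewhere. A site with subnets but no DC at all: every logon
        # crosses the WAN.
        Risk    = $(if ($inSite.Count -gt 0 -and $gcs.Count -eq 0) { 'DC but no GC' }
                    elseif ($inSite.Count -eq 0 -and $nets.Count -gt 0) { 'subnets but no DC' }
                    else { 'ok' })
    }
}
$report | Sort-Object Risk -Descending | Format-Table -AutoSize
```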
 

Cary Shultz

-----Original Message-----
My corporate is upgrading to AD and we are having a parent domain
acme00.com and all the business units will use acme01.com to
acme10.com. For my BU, someone created our domain, acme09.com, as
native mode a year ago. We have already migrated 2 countries to this
domain already. However, the corporate suddenly told me to move
everyone to another domain called acme08.com because native mode is
having some failover problem. They said that we only have 3 global
catalog servers worldwide and native mode domain users have to
authenticate through the global catalog servers instead of their local
domain server. If the WAN link failed, no one in our domain can
authenticate anymore. I have difficulty in believing that because it
wasn't mentioned in the MSDN at all. Well, I haven't tried that
though because it is too risky doing so. But my understanding is that
the logon server is controlled by "AD site and services". It should
have nothing to deal with mixed mode or native mode.
Kevin,

Whoever told you that might not have all of the facts!
Sorry to put it that way.

Essentially the only difference between Native Mode and
Mixed Mode is that in Native Mode you can not have any
functioning WINNT 4 BDCs whereas in Mixed Mode you can.
This fact itself leads to a few things that you can do in
Mixed Mode that you can not do in Native Mode (
like "renaming" your domain - and I use that term
loosely ). There are some wonderful things that are
available in Native Mode that are not in Mixed Mode ( like
Group nesting and Universal Groups - something that might
be of interest to you since you seem to have so many
domains! ).

Now, to the contents of your post. It seems like all of
your Business Units are separate Forests. If you want to
have an empty Root - or a "Corporate" Root - with all of
the Business Units under that then you would need to have
a contiguous namespace. If this is the case you would
call your "root" acme.com. All of your Business Units
would have to have a xxxxx.acme.com to be a child domain (
aka member of the same domain tree ). So, you would have
BU01.acme.com, BU02.acme.com, ... BU08.acme.com,
BU09.acme.com.

Am I missing something? or are all of your "domains"
actually separate Forests ( which it seems that you have
due to discontiguous namespace ) due to legal reasons?

Remember, all domains trust each and every other domain
within the same domain tree. Depending on the Industry and
American/International law you might just need to have
separate forests.

Active Directory Sites and Services is essentially used
to control AD replication. Remember, you create Sites in
ADSS and then create subnets and associate each created
subnet with the appropriate Site. You may also need to
create site links. Site-aware clients (which would be
WIN2000 and WINXP natively ) and legacy clients ( which
would be WIN9x and WINNT ) that have the ADClient
installed ( and, thus, become site-aware ) make use of
Sites to find their local DC for authentication.

The global catalog server is needed whether you have
native Mode or Mixed Mode. AFAIK, there is no way to
force a client to use a specific DC for authentication.

When I get back home I will send you some links to MS KB
Articles.

HTH,

Cary
 

Cary Shultz

-----Original Message-----
Hi Kevin,

When the domain is in native mode, it has the possibility to use universal groups.
Universal group membership is stored in global catalog servers and it is
read from them during the logon process. That is why MS suggests placing a GC in
every remote site (WS2k3 changes this). Also when the domain is in mixed mode,
the global catalog is contacted, but as universal groups are not available in
mixed mode, there is no practical need for a GC in the logon process (except for
UPN discovery). Have you considered placing a GC in every remote site?

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
Thank you, Matjaz.

I was going to give him some links about this ( they are
stored in My Favorites on my home computer ) but you
essentially filled him in.

Cary
 

Kevin Page

Thanks to everyone actively replying to my question. I'm still a bit
mixed up with the role of the Global Catalog server. I am assessing the
risk of NOT having a GC server in all remote locations. If there is
only 1 GC server and there are domain servers in each remote location,
what would happen if the WAN link fails or the GC server crashes? Does
it mean that everyone will not be able to log in anymore? E.g. if I
take my laptop home, log in to my home network which doesn't have any
DC or GC server, I'm still able to log in and use my computer, right?
If my laptop is somewhere in a remote location where a GC can't be
contacted, it should still be able to log in, is that logically correct?

Well, I understand that my logic must go wrong somewhere. We were
seriously hammered by the worm Welchia last month. We blocked all the
ICMP and port 135 (Microsoft-ds) from most of the routers. Then for
some users in Taiwan, where they don't have a local domain server, it
took them at least 30 minutes to log on to their computers. I asked them
to unplug their LAN cables during login and it allowed them to log in
fast. But these computers didn't know that they should/could go to
Hong Kong for authentication where the DC servers are "closer" to them
and port 135 and ICMP were not blocked there. And I finally found
out that I have to unblock port 135 in the Australia router to allow
the Taiwan users to log in fast. It was shown in their computers' "set"
environment that their logon server was Australia!

There must be something wrong in the AD sites and services which we have
yet to find out. I have been digging into MSDN for this kind of
question but it seems that the keywords I used ain't too exact.
 

Matjaz Ladava [MVP]

Yes, but at home you are logging on with cached credentials and not through
DC authentication. If your WAN link goes down, then authentication will
suffer, as GCs are needed for logon. WS2k3 has the possibility of not using the GC
during logon. For W2k environments MS suggests a GC in every location.
Blocking port 135 will stop authentication as clients talk with the DC through
the RPC protocol. As for where your authentication process takes place, you must
look into your Sites and Services, as you have some possibilities to
configure your AD in such a way that some sites get higher prioritization.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
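Kevin found out from `set` that his Taiwan clients had a logon server in Australia, and Matjaz points at port 135 and Sites and Services. As an added example (not from the thread or either poster), this PowerShell script runs that diagnosis from a client: it shows the recorded LOGONSERVER, the site the client resolved to, the DC and GC the locator hands out after a forced rediscovery, and then probes the ports a domain logon needs on that DC. It assumes Windows' `nltest.exe`, a domain-joined client, and `Test-TcpPort` with its 2-second timeout is my own helper.

```powershell
# Added example, not from the thread: which DC/site did the locator pick, and
# are the logon ports reachable there? Assumes nltest.exe on a domain-joined client.
param([string]$Domain = $env:USERDNSDOMAIN)

function Test-TcpPort {
    # Plain TCP connect with a timeout; $false means filtered, closed or unreachable
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

"LOGONSERVER recorded for this session: $env:LOGONSERVER"
"Site the client resolved to (from its subnet in Sites and Services):"
nltest /dsgetsite
"DC the locator returns now (/force skips the cached answer):"
$dcInfo = nltest "/dsgetdc:$Domain" /force
$dcInfo
"GC the locator returns now:"
nltest "/dsgetdc:$Domain" /gc /force

# nltest prints the chosen DC as "DC: \\name"; stop if it found none
$m = $dcInfo | Select-String '^\s*DC:\s*\\\\(\S+)'
if (-not $m) { throw "DC locator returned no DC for $Domain; check DNS SRV records and the site/subnet mapping" }
$dc = $m.Matches[0].Groups[1].Value

# 135 is the RPC endpoint mapper (the one Kevin's routers blocked); 445 is microsoft-ds
$ports = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
            445 = 'SMB (SYSVOL, GPO)'; 3268 = 'GC LDAP' }
"Port reachability to $dc from this client:"
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = Test-TcpPort -Server $dc -Port $p
    '{0,5}  {1,-22} {2}' -f $p, $ports[$p], $(if ($ok) { 'reachable' } else { 'BLOCKED / unreachable' })
}
```

A client whose LOGONSERVER is in the wrong country but whose `nltest /dsgetsite` answer is also wrong points at a missing subnet-to-site mapping rather than a firewall; a correct site with port 135 unreachable points at the router ACL.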
 
