Switching to native mode, when to, scared!

  • Thread starter: Tim Richardson

Tim Richardson

We are currently in the midst of a migration so we have an NT and a 2000
(mixed mode) domain, critical systems are distributed across the two
domains which have trusts created in both directions.

Our database, intranet, backup and blackberry servers are in the 2000
domain whilst our 8 terminal servers and exchange server are still in
the NT domain. No users have been migrated to the 2000 domain so the
NT domain is still the primary login domain.

Having the 2000 domain in mixed mode is impeding our development of
it. Everything I have read suggests that switching to native mode
shouldn't cause any problems, but I'm still not 100% sure.

There are no NT machines in the 2000 domain, but I need to ensure that
authentication between the two domains does not get broken. The
database servers aren't a problem as our bespoke application that's
running in the NT domain uses SQL authentication. The intranet, backup
and blackberry servers on the other hand, are. I also need to make sure
that when the users are migrated to the 2000 domain that they can
still access the exchange server in the NT domain.

Any help would be greatly appreciated.

Tim Richardson.
 
The main thing you need to be concerned with is... do you have any NT DOMAIN
CONTROLLERS. If you do, you can't go native. If you have NT workstations or
members, that is fine.

Of course, do the switch in your test lab and see how it goes with all of your
LOB apps. That is the real test of it.

joe
 
Unless you have tens of thousands of users there is no
hurry.

And, when you decide it is time (a few weeks) the only
real effect is on the DCs and the new features you get in
AD.

Older clients are NOT affected by the modes etc.

The only thing you really lose is the ability to revert to
an NT domain OR to have new BDCs.

Almost no one ever uses either of those, but if you keep
the ability for a few weeks to revert to NT it will give
you confidence.

BTW, a good strong backup of your NT PDC before you
start is almost JUST AS GOOD.
 
Tim,

Essentially the only thing that is affected by the switch is Domain
Controllers. In a Mixed Mode AD Environment you may have functioning
Windows NT 4.0 Backup Domain Controllers. In a Native Mode AD Environment
you may not have any functioning Windows NT 4.0 Backup Domain Controllers.

This switch has no effect on the clients. It simply affects the ability or
inability to have Windows NT 4.0 Backup Domain Controllers.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Note that mode switch (mixed to native) is a one-way-street hence good backup
of key resources and extensive tests are always recommended to help alleviate
your concerns.
 
Thanks for all your responses.

Unfortunately we don't have any kind of test environment. The business
is growing at such a rate that any spare servers are immediately
utilised for production purposes.

The main feature I'm missing by having the domain in mixed mode is the
ability to nest groups. It's not the end of the world, but it'll be
quite messy with all the corners I'll have to cut to achieve the same
results.

We have no NT machines, whether BDCs or workstations in the 2000
domain, just an NT and a 2000 domain, joined by two trusts in each
direction. Users log into the NT domain, their accounts are then
trusted by the 2000 domain allowing us to grant their NT accounts
access to the intranet server. Similarly the blackberry server service
account logs into the 2000 domain, this is then trusted by the NT
domain allowing the service account access to the exchange server.

It's this inter-domain functionality I'm worried about losing. If we
switch to native mode, will accounts authenticated in their respective
domains still be trusted to access resources in the other domain?
Thanks for your help,

Tim Richardson
 
Tim.Richardson said:
Thanks for all your responses.

Unfortunately we don't have any kind of test environment. The business
is growing at such a rate that any spare servers are immediately
utilised for production purposes.

Make full backups and you will be fine.

If you don't have backup tools, buy them,
as sooner or later you WILL NEED them
when it is too late if you don't have them.

The main feature I'm missing by having the domain in mixed mode is the
ability to nest groups. It's not the end of the world, but it'll be
quite messy with all the corners I'll have to cut to achieve the same
results.

If you don't need it, it doesn't matter for small
domains. Large domains and forests replicate
better but that's in the tens of thousands before
you likely would care.

We have no NT machines, whether BDCs or workstations in the 2000
domain, just an NT and a 2000 domain, joined by two trusts in each
direction.

Then you can go to Native mode at will.

Users log into the NT domain, their accounts are then
trusted by the 2000 domain allowing us to grant their NT accounts
access to the intranet server. Similarly the blackberry server service
account logs into the 2000 domain, this is then trusted by the NT
domain allowing the service account access to the exchange server.

External trusts to/from NT domain work the same
in either mode.

The most likely problem you MIGHT have is that
many people overlook the need to continue to support
NetBIOS name resolution (and WINS server if you
have more than one subnet) on Win2000.

You still need NetBIOS resolution (possibly WINS server)
and if you use WINS Server you must make ALL of your
machines (including DCs, fileservers, etc) WINS clients
of the same (replicated) WINS database.

It's this inter-domain functionality I'm worried about losing. If we
switch to native mode, will accounts authenticated in their respective
domains still be trusted to access resources in the other domain?
Thanks for your help,

Native mode is strictly about the DCs of the SAME domain
and increased functionality of the AD itself.
 
I had one domain I switched to native that had over 400 trusts to NT4 domains,
not a single trust had an issue.

This doesn't necessarily mean you won't, but it means it is possible to not have
issues.

joe
 
Joe Richards said:
I had one domain I switched to native that had over 400 trusts to NT4 domains,
not a single trust had an issue.

This doesn't necessarily mean you won't, but it means it is possible to not have
issues.

Ah, but you, Joe, know how to maintain NetBIOS
name resolution. <grin>
 
