You can have NT 4 servers and still switch to Native mode. However, the servers cannot be Domain Controllers.
Denny

> -----Original Message-----
> From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 19, 2003 9:45 AM
> To: [EMAIL PROTECTED]
>
> Correct about servers but clients are really irrelevant with regards to
> Native vs. Mixed mode.
>
> -----Original Message-----
> From: rick reynolds [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 19, 2003 9:29 AM
> To: [EMAIL PROTECTED]
>
> You need to run in mixed mode until the last nt4 server or client leaves
> the network,
> also, if you run mixed mode, you can still roll-back,
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, June 19, 2003 4:21 AM
> Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
>
> > I have completed a rollback with Windows 2000 AD back to NT4 and had no
> > problems with the W2K clients authenticating back to NT4. Maybe this was
> > just look and something to do with the reasonings behind the rollback but
> > thought it was worth a mention.
> >
> > J
> >
> > > from: Ken Cornetet <[EMAIL PROTECTED]>
> > > date: Wed, 18 Jun 2003 21:42:27
> > > to: [EMAIL PROTECTED]
> > > subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > >
> > > Comments inline
> > >
> > > -----Original Message-----
> > > From: Mike Baudino [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, June 18, 2003 2:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > >
> > > All,
> > >
> > > I'm not convinced, after reading the Microsoft documentation, that we've
> > > all got our answers nailed down on an in-place upgrade. So, I'd like to
> > > submit these questions to you to get the "real world" answer.
> > >
> > > Since we lack sufficient budget to perform a proper migration we'll need
> > > to do in-place upgrades to our domains and then consolidate some of the
> > > rogue domains into our structure (as well as cleaning things up after
> > > upgrade). All domains will remain mixed mode until we're able to
> > > complete application testing. One of our main drivers is the need to
> > > consolidate domains as well as eventually eliminate our dependence on
> > > the SAM.
> > >
> > > 1. One of my concerns is following the upgrade of the PDC it will be
> > > the only AD domain controller in the domain. Our current DNS settings
> > > for servers and workstations are to our enterprise DNS servers, which
> > > are not AD-compatible. We anticipate creating a new DNS structure for
> > > AD and then using forwarders to the other DNS servers for non-AD-related
> > > address resolution. It's my expectation that NT4.0 clients w/o the AD
> > > client will not be impacted by this in any way. Is this correct?
> > >
> > > That's OK. Just make your AD DNS a subdomain of your existing DNS
> > > domain. For example, if your main DNS domain is "acme.com" and your NT
> > > domain is "ACME", then create your AD forest as "acme.acme.com". Put
> > > nameserver records in your existing DNS zone that delegates
> > > acme.acme.com to the DNS server running on your DC. Have your AD DNS
> > > server forward to your existing DNS to resolve anything not in your AD
> > > DNS domain.
> > >
> > > The only thing that will break is windows 95, which doesn't do "DNS
> > > devolution" (trying acme.acme.com, then acme.com). I don't know if the
> > > AD client fixes this or not.
> > >
> > > 2. It's also my expectation that the Win2k clients will be impacted
> > > depending on their configuration. For example, Win2k client that does
> > > not have the DNS domain for AD listed in the suffix for the client nor
> > > in the DNS search order would not realize that there was an AD domain
> > > controller in their midst and would continue to authenticate to the
> > > domain as they had prior to the upgrade. And Win2k clients that have
> > > the DNS domain for AD in their suffix or search order would
> > > preferentially authenticate against the new AD DC to the extent that
> > > they would begin to ignore their local BDC. This is one area of
> > > significant concern as we don't want to overload any of the domain
> > > controllers. I thought there was a client reg entry that would
> > > eliminate this.
> > >
> > > If you put the nameserver records in your existing DNS zone, your
> > > win2k/XP clients WILL switch to AD authentication. When you convert your
> > > NT4 domain ("ACME" in my examples) to AD (acme.acme.com), your 2k/xp
> > > workstations will change their primary DNS domain to your AD DNS domain
> > > (acme.acme.com) regardless of what's in the interface specific DNS. They
> > > will then use your existing DNS (acme.com) to find nameservers for the
> > > AD DNS. From there, they will find the DC.
> > >
> > > 3. Should we, once we complete the upgrade of the PDC, build a new DC,
> > > move all Operations Masters roles to the new DC and rebuild the old from
> > > scratch as Win2k, so as to avoid any legacy issues? We'll also be
> > > bringing up other AD DC's to split the roles up between boxes.
> > >
> > > You don't have to. Might be nice.
> > >
> > > 4. If something goes wrong and after an hour or two, or sooner, find
> > > that we need to turn off the AD DC and fire back up the offline BDC and
> > > promote it to PDC, are the Win2k clients going to be OK? I thought I
> > > remembered that if a box authenticated against the domain using Kerberos
> > > it never would go back to NTLM.
> > >
> > > w2k/xp clients will NOT go back to NTLM authentication to a domain once
> > > they have used kerberos. If you wanted to drop back to a BDC, you will
> > > have to remove and rejoin all the w2k/xp workstations to the domain.
> > >
> > > Thanks,
> > > Mike
> > >
> > > As in everything else of this magnitude: test, test, test!
> > >
> > > ******************* PLEASE NOTE *******************
> > > This E-Mail/telefax message and any documents accompanying this
> > > transmission may contain privileged and/or confidential information and
> > > is intended solely for the addressee(s) named above. If you are not the
> > > intended addressee/recipient, you are hereby notified that any use of,
> > > disclosure, copying, distribution, or reliance on the contents of this
> > > E-Mail/telefax information is strictly prohibited and may result in
> > > legal action against you. Please reply to the sender advising of the
> > > error in transmission and immediately delete/destroy the message and any
> > > accompanying documents. Thank you.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
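
The delegation Ken Cornetet describes in his answer to question 1, written out as a zone-file fragment. This is an added example, not part of the original thread: it assumes the existing enterprise DNS uses BIND-style zone files, and the host name dc1 and the address 192.0.2.10 are constructed placeholders.

```dns
; Fragment of the existing enterprise zone "acme.com" (constructed example).
; Only the delegation records are shown; the zone's SOA and other data are
; left as they are.
$ORIGIN acme.com.

; Delegate the AD subdomain acme.acme.com to the DNS server running on the
; upgraded domain controller. "dc1" is a hypothetical host name.
acme            IN  NS  dc1.acme.acme.com.

; Glue record: the name server's own name lies inside the delegated zone,
; so the parent zone must carry its address (192.0.2.10 is a documentation
; address standing in for the DC's real one).
dc1.acme        IN  A   192.0.2.10

; With the delegation in place, a Windows 2000/XP client pointed at the
; enterprise DNS can follow it to the DC and resolve the locator records
; that the DC registers in its own zone, for example:
;   _ldap._tcp.dc._msdcs.acme.acme.com.   SRV
;   _kerberos._tcp.acme.acme.com.         SRV
; Those SRV records are what move 2k/XP clients onto AD (Kerberos)
; authentication, as described in the answer to question 2.
;
; The other half is configured on the AD DNS server, not in this file:
; a forwarder pointing back at the enterprise DNS servers, so that names
; outside acme.acme.com still resolve.
```

Because publishing these records is the point at which 2k/XP clients start locating the AD domain controller, the delegation is the change to schedule and test together with the PDC upgrade itself.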