John - it sounds like Mark is talking about a 2000 domain
- not that it makes too much of a difference, but 2000 doesn't know about
functional levels (especially not about forest functional levels). Mark,
correct me if I'm wrong.
However, since in 2000 the domain mode really only
affects the domain, you should be able to revert to mixed mode by turning back
the clock. I wouldn't do so by restoring every DC though - I'd just
restore one (the PDCE) and then DCPROMO the rest. Any other option would be
too risky - although the other suggestion made by Phil to keep one DC offline
during the process and then if required to seize roles on it is also a good
one. Nevertheless, all other DCs need to be cleaned from the metadata and
re-promoted. Not nice, but the "most supported" way.
Of course, you'll want to discuss a point of no-return:
this would be after you've started to leverage the new features of the native
domain, such as creating Universal Security Groups and nesting these into UGs
of other domains, leveraging SIDhistory (although I hear this also works
in mixed mode, but is not supported...)
The rollback possibility is an interesting issue.
I've looked into this and came across the following quote from Microsoft:
"While the Windows Server 2003
functional level provides a number of features and advantages, you might
choose not to move to this functional level if your environment is not ready.
For example, you might choose not to enable the Windows Server 2003 functional
level for one of the following reasons: ... bla bla 1 bla bla 2 ...
3. You need to retain the ability to fall back to Windows NT 4.0."
This gives me the
feeling that the "move to native mode rollback" is not possible/supported. But
... curious as I am ... why not? Of course, you can get in all sorts of
trouble when you apply changes that use the native mode features. This could
be the one and only reason why a rollback is not supported, but as a
user/customer I want to be able to revert my changes whenever I don't like
them :-) ... Let's dig into this ...
The ntMixedDomain attribute
on the domainDNS object is set to
1 when a domain is converted to native mode. Looking
at how functional levels operate in Windows 2003 domains... There's a new attribute in the schema, actually multiple attributes,
but they're defined as msDS-Behavior-Version. For a domain functional
level, it's written to the domain
container. For a forest functional level, it's written to the partitions
container.
So, I'm having the feeling that it is possible to revert the move to
native mode by restoring EVERY DC in the DOMAIN with a backup made before the
change. I don't think it's necessary to restore every DC in the FOREST because
the ntMixedDomain attribute is stored in the domain partition, not in the
configuration partition... However, undoing an increase in Forest Functional
Level in Windows Server 2003 appears to need a restore of every DC in the
forest...
Any other ideas?
Cheers!
John
p.s. Throwing the users/developers in the dungeons like Joe suggests is
probably a better idea .... uuuh, I mean test lab instead of
dungeon of course ;-) ...
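The attributes John describes (ntMixedDomain on the domainDNS object in the domain partition, msDS-Behavior-Version on the domain head for the domain level and on the Partitions container in the configuration partition for the forest level) can be read and recorded before a mode change, so that afterwards there is a baseline to compare against and a way to see whether every DC has converged on the same values. The script below is an added example, not code from anyone in this thread; it assumes the RSAT ActiveDirectory module, read access to the domain and configuration naming contexts, and is read-only.

```powershell
# Added example (not from the original thread): read the mode / functional-level
# markers discussed above, record them as a baseline, and compare per DC.
# Assumes the ActiveDirectory module (RSAT). Changes nothing in the directory.
Import-Module ActiveDirectory

# msDS-Behavior-Version values as documented by Microsoft.
$LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
    7 = 'Windows Server 2016'
}

function Resolve-LevelName($Value) {
    # Attribute is absent on a pre-2003 schema; do not let $null collapse to 0.
    if ($null -eq $Value) { return 'not set' }
    if ($LevelNames.ContainsKey([int]$Value)) { return $LevelNames[[int]$Value] }
    return "unknown ($Value)"
}

function Get-DomainModeBaseline {
    param([string]$Server)   # optional DC to query; default is whichever DC the module picks
    $q = @{}
    if ($Server) { $q['Server'] = $Server }

    $rootDse  = Get-ADRootDSE @q
    $domainNc = $rootDse.defaultNamingContext
    $configNc = $rootDse.configurationNamingContext

    # ntMixedDomain and the domain-level msDS-Behavior-Version live on the domain
    # head (domainDNS object), i.e. in the domain partition.
    $domainHead = Get-ADObject -Identity $domainNc `
        -Properties ntMixedDomain, 'msDS-Behavior-Version' @q

    # Forest-level msDS-Behavior-Version lives on CN=Partitions in the
    # configuration partition, which every DC in the forest holds.
    $partitions = Get-ADObject -Identity "CN=Partitions,$configNc" `
        -Properties 'msDS-Behavior-Version' @q

    [pscustomobject]@{
        QueriedDC             = $rootDse.dnsHostName
        DomainDN              = $domainNc
        NtMixedDomain         = $domainHead.ntMixedDomain   # 1 = mixed mode, 0 = native mode
        DomainBehaviorVersion = $domainHead.'msDS-Behavior-Version'
        DomainLevelName       = Resolve-LevelName $domainHead.'msDS-Behavior-Version'
        ForestBehaviorVersion = $partitions.'msDS-Behavior-Version'
        ForestLevelName       = Resolve-LevelName $partitions.'msDS-Behavior-Version'
        # RootDSE reports the level the DC itself is acting on (2003+ DCs only);
        # a mismatch with the stored attributes means replication has not converged.
        RootDseDomainLevel    = $rootDse.domainFunctionality
        RootDseForestLevel    = $rootDse.forestFunctionality
    }
}

function Get-DomainModeFromAllDCs {
    # Query every DC in the current domain so disagreements show up as rows
    # with different values, not as a single answer from one DC.
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-DomainModeBaseline -Server $_.HostName
    }
}

function Save-DomainModeBaseline([string]$Path) {
    Get-DomainModeFromAllDCs | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
}

function Compare-DomainModeBaseline([string]$Path) {
    # Report, per DC, which of the mode markers differ from the saved baseline.
    $before = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $now    = @(Get-DomainModeFromAllDCs)
    foreach ($cur in $now) {
        $old = $before | Where-Object { $_.QueriedDC -eq $cur.QueriedDC }
        if (-not $old) { "$($cur.QueriedDC): not in baseline"; continue }
        foreach ($p in 'NtMixedDomain','DomainBehaviorVersion','ForestBehaviorVersion') {
            if ("$($old.$p)" -ne "$($cur.$p)") {
                "$($cur.QueriedDC): $p changed $($old.$p) -> $($cur.$p)"
            }
        }
    }
}

# Usage: Save-DomainModeBaseline -Path .\mode-baseline.json   (before the change)
#        Compare-DomainModeBaseline -Path .\mode-baseline.json (after, or after a restore)
```

Run the save step against every DC before the mode change and keep the JSON with the backups; after the change, or after a restore and re-promotion, the compare step shows whether the domain-partition markers and the forest-wide Partitions container all agree again, which is the question the restore discussion above turns on.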
1. Theoretical until you have conclusively proved in your own lab. Most likely
unsupported as a rollback mechanism by MS.
2. Not necessarily true. There have been scattered reports of Samba and other
SMB emulation packages choking and also I have personally seen some weird
stuff with group memberships. Specifically pre-Native mode we had the
Everyone security principal in the Winds Users Group. Going to Native mode
that didn't work any longer and I had to add Domain Users. MS PSS never was
able to give me an explanation and since I had a workaround, I wasn't
willing to keep paying for them to try and learn.
3. Absolutely. Domain Local Group Scope is a great one as well as same group
nesting.
Personally, I would say throw the developers in the lab and have them
make sure their shit doesn't break.
joe
We have a domain about to go to
native mode (2 others have already switched with absolutely no problems, of
course.) This last domain is the result of an acquisition, and there is a
skeptical staff of developers there who are trying to push back the change
saying they need extensive testing in the lab beforehand (because they’re
spooked by the “never go back” warning).
As much as I know Native Mode
means I can never put a NT 4 BDC back in that domain (like I’d want to), I
need industry expert back-up to the following facts I’d like to
present:
- Although the change is not
reversible, we could restore from AD backup and be back where we
were
- The change does not prevent
downlevel applications or users from authenticating to the domain (PDCE is
still present afterwards)
- Native Mode provides a few new
capabilities we didn’t have before (Universal groups, nesting,
etc.)
If I am incorrect on any of this
*or* if you have some
suggestions on things I should add, please let me know. Thanks guys, as
always.
Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do