RE: [ActiveDir] Native Mode

[joe]

Title: Native Mode

Hey Rocky.   Assuming everything is configured and working properly you will see   1. Authentication working fine. 2. Any changes being done from the legacy clients not working fine as they make changes on the PDC.   Things that can throw a monkey wrench into this...   1. Name Res issues 2. A BDC that hasn't been replicating  but is being crutched by the fact that a DC will forward a logon request to the PDC for verification... So say you have a BDC/DC that hasn't replicated in a while, the passwords slowly go out of sync for users. However the DC/BDC keeps forwarding what it thinks are bad passwords to the PDC for verification and it says they are fine so the people log on... But then the PDC is no longer there, wham those users no longer can log on...     I do want to say also that there are functional changes in how the DCs handle certain things as well when going to Native mode. Specifically we saw an issue with our use of the builtin Everyone group. We previously had added that to the WINS USERS group on our DCs so that DCs running WINS could be queried for their records by anyone. This is great for troubleshooting if you have knowledgeable admins out in the field. When we switched to native mode this functionality broke, we actually had to add Domain Users for all of our domains to the groups instead of Everyone. I sent that to MS a couple of years ago and they admitted that there was an issue there and that it could affect some other things like what we were doing but never gave me answer as to what really happened.   I do recommend to everyone (real people not the security principal) that they TEST TEST TEST TEST changes like this in their lab environment with their LOB apps to make sure they don't run into something strange.         joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, January 28, 2004 8:23 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Native Mode People,   So please tell me ... if there is only one PDC Emulator, and it goes down, what happens to NT4 clients trying to authenticate and logon?   Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company www.jws.com     _____________________________________     -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Kuhlman, Philip S Sent: Tuesday, January 27, 2004 11:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Native Mode Yep, all the downlevel (NT 4.0, etc) clients need is the PDC emulator, native mode doesn't matter.  Note that all of the downlevel authentication will be done through the DC that holds the PDC emulator role, so make sure it can handle the load if you have a lot of them.   Phil Phil S. Kuhlman Infrastructure Computing Services Sandia National Laboratories [EMAIL PROTECTED] (505) 844-6101 ________________________________________________ "Not the victory but the action; Not the goal but the game; In the deed the glory" Hartley Burr Alexander, University of Nebraska From: Craig Cerino [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 27, 2004 9:27 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Native Mode That’s right partner - -only in reference to DC’s – you can have NT 4.0 boxes on the wire   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sudhir Kaushal Sent: Tuesday, January 27, 2004 6:22 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Native Mode   Hi All, I would like to thanks to all the members of this forum who helped me to carry out my Migration from NT 4.0 to Win2K successfully. Just wanted to clear one doubt. Is native mode related only to domain controllers? Can we have NT 4.0 clients in Native Mode? Or do we need everything to be in Win2K including domain controllers and clients?  Regards, Sudhir Kaushal Systems Administrator ( Hosted Team ) eGain Communications Pvt. Ltd. Hello - (+91 20) 4222812, (+91 20) 4228607, Ext-126