Hey Nicolas - how is life is South Africa? I see Jorge has basically touched all aspects of why you'd want to prepare for a forest DR, if you really want to undo the switch to native mode of a Win2k domain.
He's even given you a usable workaround to test just that "business critical SNA application that HAS to live on a DC" to see if it still works after it was switched to native (disable replication to other DCs). I would add, that you may also consider moving all FSMO roles to that DC so you don't run into issues related to the FSMO's not being on a native mode DC during your tests. However, could you elaborate a little on that "business critical SNA application that HAS to live on a DC" - does it A: have to live on a DC because it's a DC, or B: have to live on THAT machine (name/IP), which happens to be a DC? If B, the workaround is obvious. If A, I'd like to know why? /Guido -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Freitag, 22. April 2005 13:16 To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch Good question! That would not work... Why? With NTDSUTIL you have the following options: ? - Show this help information Help - Show this help information List NC CRs - Lists Partitions and cross-refs. You need the cross-ref of a Application Directory Partition to restore it. Quit - Return to the prior menu Restore database - Authoritatively restore entire database Restore database verinc %d - ... and override version increase Restore object %s - Authoritatively restore an object Restore object %s verinc %d - ... and override version increase Restore subtree %s - Authoritatively restore a subtree Restore subtree %s verinc %d - ... and override version increase "Restore subtree %s - Authoritatively restore a subtree" means: Increase the version of the objects within the subtree in the backup. So if you have made several changes to objects within the subtree and you also created new objects within the subtree, AND you want to revert to an older version of the backupped objects (the ones you changed) in the subtree you Authoritatively restore that subtree. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a subtree" you're simply saying increase the version of the objects within the subtree in the backup. You are NOT saying REPLACE the contents of that subtree! There is a difference in that! "Restore database - Authoritatively restore entire database" means: Increase the version of ALL objects in the database in the backup (all objects in the domain NC, all objects in the config NC and all objects in app NCs, BUT NOT the objects in the schema NC. At the moment it is not possible to authoritatively restore your schema without doing a disaster rec.!!). You also need to take your SYSVOL into account!!! You should be carefull with this one!!! So if you have made several changes to objects within the database and you also created new objects within the database, AND you want to revert to an older version of the backupped objects (the ones you changed) in the database you Authoritatively restore that database. The newly created objects WILL NOT DISAPPEAR as you may think. With an "Authoritatively restore a database" you're simply saying increase the version of the objects within the database in the backup. You are NOT saying REPLACE the contents of that database with the one from the backup! There is a difference in that! So if you created new objects like USGs, done some group nesting, etc. you could not revert the database back to mixed mode because "configurations exist that are not supported in mixed and then you would have inconsistencies. If that would be possible that would create one hell of a KB article from MS to explain how to solve that one If you want to REPLACE you'll have to do a Disaster Rec. See also: http://www.microsoft.com/resources/documentation/Windows/2000/server/res kit/ en-us/Default.asp?url=/resources/documentation/windows/2000/server/reski t/en -us/distrib/dsfl_utl_TDNO.asp http://www.microsoft.com/resources/documentation/Windows/2000/server/res kit/ en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reski t/en -us/distrib/dsbj_brr_zldg.asp Answer to your question? Jorge -----Original Message----- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 4/22/2005 9:23 AM Subject: RE: [ActiveDir] Native Mode Switch Perfect sense, thank for the reply. Understand about Lanman rep to downlevel versions. What effect would it have if a DC was authorativelly restored pre native mode and the other dc's were native mode? This presumes no group nesting had taken place. On the DC, the built in groups (scema admin, ent admin) that had become USG, would be DGG allready. This would re-introduce a value of 1 in the nTMixedDomain attrib on the domain NC. Would the domain "shift back" to mixed mode? Thanks for your time so far Jorge. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 21 April 2005 01:17 PM To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch As you know, changing the mode or FL switch to an upper level introduces new features. One of the consequences is that the DCs will not accept Lanman repl which is used by legacy DCs (NT4). Some of the features that are introduced are also not supported by NT4 DCs. One of the examples is UNIVERSAL SECURITY GROUPS (USGs) (group nesting is another). USGs only exist in at least DFL w2k native mode. If you switch to native mode and create USGs and use them to secure resources. Lets say that you want to go back to mixed mode... you would need to first undo all new introduced functionalities like the USGs and the group nesting. Does this make sense? #JORGE# -----Original Message----- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 4/21/2005 12:03 PM Subject: RE: [ActiveDir] Native Mode Switch I hear you. I do know what the switch achieves in terms of functionality, I understand the litterature, have done this, have explained the same to clients, however I am faces with the Question of Why this is a non reversible switch? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 20 April 2005 09:07 PM To: 'Nicolas Blank '; Jorge de Almeida Pinto; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch Manually re-writing the attribute will not work. Also see: http://support.microsoft.com/kb/322692 http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad. htm Jorge -----Original Message----- From: Nicolas Blank To: 'Jorge de Almeida Pinto'; ActiveDir@mail.activedir.org Sent: 4/20/2005 8:25 PM Subject: RE: [ActiveDir] Native Mode Switch Thanks for the answer. This is understood, however, what are the implications of manually re-writing the nTMixedDomain value back to 1? Also, what actions does a DC take once the value change is efected that makes the cange non-reversible? -----Original Message----- From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Sent: 20 April 2005 08:17 PM To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] Native Mode Switch When you convert the domain to native mode the attribute nTMixedDomain on the domain NC head of the replica where the change is made is changed from 1 to 0. This change replicates out to all other replicas. There is no way you can change this attribute back without doing a disaster recovery for the domain. The main thing here is that you don't have legacy DCs in the domain anymore!!! I can think of the following solutions to test the change of the mode switch: * Create a copy of the particular machine with the SNA application and test that in a test environment * Create a full backup of the particular DC with the SNA app, disable OUTBOUND replication for that DC (REPADMIN) and change the mode switch. If something goes wrong restore the DC and enable replication again (the latter is needed as the restored DC will receive the disabled state from the other DCs. Jorge -----Original Message----- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 4/20/2005 7:30 PM Subject: [ActiveDir] Native Mode Switch Sorry, hijacked the topic by mistake. Appologies. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank Sent: 20 April 2005 07:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC's Eric,Joe,Al,Carlos,Guido Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode one this has happened? I have a customer with a nervous disposition that doesn't believe me when I say there ain't no way back that's supported without doing a AD DR. Background is a business critical SNA application that HAS to live on a DC. MS is cool about switching to native, but customer is REALLY nervous. Any insight will be appreciated. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
