Windows 2000 machines will use the new NTLM2 to authenticate; just the
older machines will use NTLM.  And if you install the Active Directory
Client on the NT or 9x machines they will use the NTLM2.

$0.02

-----Original Message-----
From: Greg Francis [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 14, 2002 11:27 PM
To: Dozal, Tim; leon; [EMAIL PROTECTED]
Subject: Re: Active Directory Security Migration Questions:

----- Original Message -----
From: "Dozal, Tim" <[EMAIL PROTECTED]>
To: "leon" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 14, 2002 11:10 AM
Subject: RE: Active Directory Security Migration Questions:


> I am no AD expert but my experience is that in Mixed mode you will use
> NTLM (i.e. NT 4) authentication (plain text transmission) when connecting
> between hosts on the network.  If your infrastructure has any non-Windows
> 2000/XP machines then you must use mixed mode.  If you are building a
> whole new environment and have no need to connect to legacy OS's then you
> can run in native mode and take advantage of the higher level security of
> the Kerberos authentication model (I think MD5 crypto on the
> transmissions). Most migrations will not be able to do this because they
> are not replacing every host with a Windows 2000 or newer OS.
>
> I welcome people to expand on this for my own knowledge also.
>
> -Tim

This isn't quite correct. Mixed-mode is only required if you want to have
NT4 backup domain controllers in your domain. Once all of the DCs in a
domain are W2K, you can convert to native mode. You can have NT4 member
servers and workstations in a native mode domain. You can also have Win9x
machines in a native mode domain but they never really join the domain
anyway.

Greg

Greg Francis, Sr. System Administrator
Central Computing and Network Support Services
Gonzaga University -- Spokane, Washington
509-323-6896    [EMAIL PROTECTED]


