Also, you cannot have Universal Security groups in Mixed mode, only Native. Furthermore, you can take full advantage of Group Nesting. Domain Local groups can contain other Domain Local groups from the same domain, and Global groups can include other Global groups from the same domain. Universal groups can contain User accounts, Computer accounts, Global groups, and Universal groups from any domain. In addition, you can only change the scope of a group in Native mode, although never for Universal groups, because they have the least restrictive scope and membership. Note that switching to Native mode is a one-way process; you cannot switch back!

adam

> -----Original Message-----
> From: Dozal, Tim [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 15, 2002 6:39 PM
> To: Tomasz Onyszko; [EMAIL PROTECTED]
> Subject: RE: Active Directory Security Migration Questions:
>
> So as I understand it from what people have sent back to me:
>
> The only difference between running in mixed or native mode is that you
> cannot have any NT 4 BDCs in native mode. Other than that the domain
> will behave similarly? If that's the case, are there any best practices
> available for when to use native and when to use mixed? And along this
> line, is there a security impact from those choices?
>
> Tim Dozal
> Lab Manager - ECSBU
> Cisco Systems Inc.
> e: [EMAIL PROTECTED]
> p: (206)-256-2900 x3280
> f: (206)-256-3640
>
> -----Original Message-----
> From: Tomasz Onyszko [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 15, 2002 3:25 PM
> To: Dozal, Tim; [EMAIL PROTECTED]
> Subject: Re: Active Directory Security Migration Questions:
>
> Dozal, Tim <[EMAIL PROTECTED]> wrote in his message:
>
> > I am no AD expert but my experience is that in Mixed mode you will use
> > NTLM (i.e. NT 4) authentication (plain text transmission) when
> > connecting between hosts on the network.
>
> Older NTLM authentication is used in both modes (mixed and native) when
> the client can't use Kerberos v5 authentication, for example when you
> connect with a regular Windows 98 client to a Windows 2000 Server which
> is a member of an AD domain, and the Windows 98 client host is also a
> member of this domain. Any non-Kerberos-enabled client will use NTLM v1
> or v2 authentication.
>
> > If your infrastructure has any non-Windows 2000/XP machines then you
> > must use mixed mode.
>
> From my experience that is not true. In native mode you can use legacy
> non-Windows 2000 clients in your network. You only can't use a Windows NT
> BDC in this network. In mixed and native mode you can use NTLM v1 or v2
> authentication if you don't disable this possibility through the
> settings in the registry or through GPO.
>
> Tomasz Onyszko
