I stand corrected. We've been in native mode from day 1 so I tend to
forget that some of the things we can't work without don't apply to
mixed mode.

        al

Rick Kingslan wrote:
> 
> Note the bottom paragraph of the Q article -
> 
> "In a Mixed-mode domain, universal groups cannot be created. If a
> Windows 2000-based computer is located in a down-level or Mixed-mode
> domain, different behavior occurs. Other domains may be in Native mode
> and universal groups may have been created that contain the user as a
> member. The domain controller authenticating the logon request will add
> the SIDs of the global groups of which the user is a member to the
> user's token and the local computer adds SIDs for groups of which the
> user is a member on the local computer as appropriate. When an attempt
> to use resources in another domain occurs, the computer hosting the
> resource contacts a domain controller for that domain, which adds the
> SIDs of the groups local to that domain (which may include universal
> groups) of which the user is a member to the user's token. "
> 
> EN states he's in mixed-mode.  GCs are of minimal use in a mixed-mode
> environment - and clearly play no part in Group SIDs as the LSA handles
> that for Global and LD groups.  The GC only cares when we're dealing
> with Universals.
> 
> Tested this two years ago to prove it out to a customer.  They are
> mandatory for Exchange 2000.  Not, however, for mixed mode logon.  GCs
> are nice to have, especially if you want to use UPNs for logon.
> 
> In fact, if EN is using UPNs, the user will be denied.
> 
> Rick Kingslan - Microsoft MVP [Windows NT/2000]
>   Microsoft Certified Trainer
>   MCSA, MCSE+I - Windows NT / 2000
> 
> "Any sufficiently advanced technology
> is indistinguishable from magic."
>   ---  Arthur C. Clarke
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Al
> > Lilianstrom
> > Sent: Friday, May 31, 2002 8:35 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] 2 AD DCs but only one accepting
> > authentication
> >
> >
> > You can't logon without a GC. So when DC1 goes away so will
> > your ability to logon. See
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;q216970
> > for more.
> >
> >         al
> 
> > EN wrote:
> >
> > I have 2 AD DCs, and when the first created DC of the domain fails,
> > the 2nd DC doesn't accept logons. I'm running mixed mode; the GC only
> > being on the first DC shouldn't matter, right?  Has anyone else
> > encountered this type of problem?  When I promoted the 2nd server to a
> > DC, everything went smoothly,
> > sysvol and netlogon shares were created properly.
> >
> >   Each DC has a DNS server as well, with the 1st DC having an AD
> > Integrated DNS, while the 2nd has a Primary DNS, and yet another stand
> > alone has a secondary dns.  All the dns records "seem" right, in that
> > the SRV records are showing up in each DNS server.
> >
> >   Any ideas on what to look for to maybe solve this problem?
> >
> > thanks
> >
> > Ernesto
> >
> 
> --
> 
> Al Lilianstrom
> CD/OSS/CSI
> [EMAIL PROTECTED]
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 

-- 

Al Lilianstrom
CD/OSS/CSI
[EMAIL PROTECTED]