My comments were intended to include my experience. I have encountered an application, Crystal Enterprise v8.5, that has a problem with native mode and the way it uses AD for authentication and authorization. Generically, I acknowledged that there should not be an issue. Specifically, I identified my issue, which Ken and Rick recognize to be related to group structure, nesting, and the way in which an application could handle an error from the NT4 API.
Even for my issue there are workarounds. But it is better to identify them ahead of time.
-----Original Message-----
From: "Ken Cornetet" <[EMAIL PROTECTED]>
Sent: 01/17/2003 09:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?
In the testing I've done, I couldn't get any NT4 API functions to break by using AD in native mode. Universal groups simply appear to be global groups. Any inter-domain members and nested groups just don't show up as a member. I do seem to recall, however, that if you have a universal group that contains only objects that NT4 can't handle (nested groups, inter-domain users), the NT 4 API that enumerates group membership returns an error instead of returning the fact that the group is "empty".
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?
Jim,
I'd like to hear more (and, if others want to chime in, please do) about legacy apps and sec groups. If my production environment and experience is correct, going to native mode is not going to have an effect on security groups. (Except for the obvious Universal group, nesting, etc.)
Consider: You have upgraded all of your BDCs to Win2k DCs. You switch to native mode, but all of a sudden realize that you have over 500 Windows NT 4.0 and Windows 3.1 (Not NT, Win 3.1) workstations with applications written for that platform. So the workstations and applications cease to interoperate with the rest of the environment?
The answer is an emphatic NO. They operate fine, work with the Domain Local, Global and Universal groups.
I will, however, agree that there may be the application here and there that has a real issue with the SID format or API calls to Windows 2000 groups. As you said - test your apps. But, these should fail before going to Native - not necessarily, after.
Comments?? Anyone want to visit a site in Virginia where they can see these 500 Windows 3.1 machines in a native mode domain??? ;o)
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?
Possibly incorrect.

If some of those legacy applications use the NT4 API you may have some issues. For instance, in my environment I have a "legacy application", Crystal Enterprise - it is using an NT4 API for determining group membership for security. As you know there is a large change in groups from NT4 to Win2k/AD. So native mode and nested groups would be an obvious No-No. You should examine your applications and try to determine how they might be affected. This situation could be one way.

In general though, most environments should have no problem moving to native mode.
Jim Katoe
Mindshare Directory Services Manager
MCSE, MCSA, PCLP, CCNA, CCDA, CNA
Worldwide IT Infrastructure Team
825 8th Avenue, NY, NY 10019
email: [EMAIL PROTECTED] Office: 646.756.4587 Fax: 646.756.5951
-----Original Message-----
From: "Don Murawski (Lenox)" <[EMAIL PROTECTED]>
Sent: 01/16/2003 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authentication ?
Let me clear up my question!
I have NO 4.0 BDCs, all Win2k DCs, but have a lot of legacy clients and applications.
Switching to native mode, I'm assuming, should have NO impact on these applications or systems.
-----Original Message-----
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?
Unless I am reading his email wrong - - -
He is considering going to NATIVE mode which means one of two things:
1. He already HAS Win2K Srv and a few 2k servers on the wire
2. He is planning to purchase WIN2K Srv
In EITHER case (which is just assumed since he is considering migrating) he would still have to RUN DCPROMO to upgrade the PDC and BDCs or make them member servers or remove them from the domain.
Don - we haven't heard from you since you opened the thread - - please let us know what is the case so we can stop bickering and help you.
Guys - -I am not trying to argue - - unfortunately vocal inflection and tone just don't translate well via email - - - my apologies if it appears as if I'm yelling or picking a fight.
-----Original Message-----
From: Kevin Gent [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 11:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Authentication ?
The only way his NT 4 PDCs and BDCs are going to become DCs in a Win2K domain is to purchase W2K and upgrade them.
----- Original Message -----
From: Craig Cerino
To: [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 8:07 AM
Subject: RE: [ActiveDir] Authentication ?
Right - - but if he wants to keep what used to be his PDC and BDCs in the loop, they will either have to be made DCs by running DCPROMO - - or get them out of the replication loop by making them member servers or removing them from the domain.
-----Original Message-----
From: EALES, Jack - FPIL [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authentication ?
switching to native mode means having NO more NT4.0 BDC's... that's when it becomes a Native domain - rather than mixed...
-----Original Message-----
From: Craig Cerino [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2003 12:41
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Authentication ?
If you run DCPROMO on them and make them a DC they will.
Which you'll have to do anyway ---- or downgrade them to member servers
-----Original Message-----
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authentication ?
Considering switching to native mode within a month.
Is there any difference in authentication methods in native mode than mixed?
For some reason there seems to be a debate around my company about whether some applications may be affected?
It's my understanding that making the switch to native mode means that 4.0 DCs will no longer be able to replicate.
Don L Murawski
Sr. Network Administrator - MCSE 4.0, 2000
WorldTravel BTI
1055 Lenox Park Blvd
Suite 420
Atlanta, GA 30319
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
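Ken's observation earlier in the thread (the NT4 API shows universal groups as if they were global groups, nested groups and cross-domain members simply do not appear, and a group whose members are all of that kind comes back as an error rather than as empty) is the kind of thing worth checking against your own groups before the switch, which is the point Jim makes about Crystal Enterprise. What follows is an added example, not code from the thread or from any of the products mentioned: a Python model of the two views over a constructed directory snapshot. The DNs, the CORP and SALES domain names, the DirObject structure and the "error on nothing visible" rule are assumptions; in practice the snapshot would be built from an export of each group's member attribute.

```python
# Added example, not from the thread: compare full AD group membership with what a
# flat NT4-style enumeration (direct, same-domain users only) would return.
# The snapshot below is constructed; DNs and domain names are assumptions.
from dataclasses import dataclass, field


@dataclass
class DirObject:
    domain: str                                   # NetBIOS name of the owning domain
    kind: str                                     # "user" or "group"
    members: list = field(default_factory=list)   # member DNs (groups only)


class LegacyEnumerationError(Exception):
    """A non-empty group with nothing the legacy API can return."""


def ad_members(dn, directory, _seen=None):
    """Transitive membership as AD resolves it: nested groups and cross-domain users included."""
    _seen = set() if _seen is None else _seen
    users = set()
    for m in directory[dn].members:
        if m in _seen:                            # guard against nested-group cycles
            continue
        _seen.add(m)
        obj = directory[m]
        if obj.kind == "user":
            users.add(m)
        else:
            users |= ad_members(m, directory, _seen)
    return users


def legacy_members(dn, directory, local_domain):
    """What a flat NT4 enumeration sees: direct user members from the local domain only.

    Nested groups and foreign-domain users are silently dropped. If that leaves nothing
    for a group that does have members, raise instead of reporting an empty group; this
    models the behaviour Ken recalls from the NT4 API (an assumption, not a verified API fact).
    """
    group = directory[dn]
    visible = {m for m in group.members
               if directory[m].kind == "user" and directory[m].domain == local_domain}
    if group.members and not visible:
        raise LegacyEnumerationError(dn)
    return visible


def audit(directory, local_domain):
    """Classify each group by how a legacy app would see it and list the users it would lose."""
    report = {}
    for dn, obj in directory.items():
        if obj.kind != "group":
            continue
        full = ad_members(dn, directory)
        try:
            seen = legacy_members(dn, directory, local_domain)
        except LegacyEnumerationError:
            seen = set()
            status = "error"
        else:
            if not obj.members:
                status = "empty"
            elif seen == full:
                status = "ok"
            else:
                status = "partial"
        report[dn] = {"status": status, "lost": sorted(full - seen)}
    return report


# Constructed snapshot: CORP is the domain the legacy application queries; SALES is a
# child domain in the same forest.
ALICE = "CN=alice,OU=Users,DC=corp,DC=example"
BOB = "CN=bob,OU=Users,DC=corp,DC=example"
CAROL = "CN=carol,OU=Users,DC=sales,DC=corp,DC=example"
FINANCE = "CN=Finance Staff,OU=Groups,DC=corp,DC=example"
VIEWERS = "CN=Report Viewers,OU=Groups,DC=corp,DC=example"
REMOTE = "CN=Remote Analysts,OU=Groups,DC=corp,DC=example"
PLACEHOLDER = "CN=Placeholder,OU=Groups,DC=corp,DC=example"

SNAPSHOT = {
    ALICE: DirObject("CORP", "user"),
    BOB: DirObject("CORP", "user"),
    CAROL: DirObject("SALES", "user"),
    FINANCE: DirObject("CORP", "group", [BOB]),                    # plain global group
    VIEWERS: DirObject("CORP", "group", [ALICE, FINANCE, CAROL]),  # universal: mixed membership
    REMOTE: DirObject("CORP", "group", [FINANCE, CAROL]),          # universal: nothing legacy-visible
    PLACEHOLDER: DirObject("CORP", "group"),                       # genuinely empty
}


if __name__ == "__main__":
    for dn, row in audit(SNAPSHOT, "CORP").items():
        print(f"{row['status']:8} {dn}  lost={row['lost']}")
```

The "lost" list is the part to act on: those are users AD says are members but a flat enumerator would never return, so a legacy application doing its own authorization from that list would silently deny them. Groups in the "error" state are the case Ken recalls, where the application additionally has to cope with an API failure rather than an empty result.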

