Well, you're all partially correct. AD (whether mixed mode or not) appears the same as a "straight" NT4 domain to all downlevel (i.e. non-AD aware clients). What that means is that the PDC emulator is the only place passwords can be changed by these clients. It also means that any DC can authenticate users.
The thing to keep in mind is how NT4 style domains actually authenticate. Assuming WINS is available, a client queries WINS for domain controllers who can service the domain to which the client is trying to authenticate (looking for 1Ch records in WINS). WINS returns up to 25 domain controllers - in NO particular order - to the client. There is no guarantee that the DCs returned will be local to the client. Does that help at all? -------------------------------------------------------------- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Mike Baudino [mailto:[EMAIL PROTECTED] > Sent: Tuesday, April 01, 2003 6:23 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] downlevel client authentication > > > All, > > Please help me resolve a "discussion" with some strong > opinions on both sides of the camp. You see, our reading on > the role of the PDC Emulator in regard to a mixed-mode domain > with downlevel clients (we're not upgrading the NT4.0 client > software) has left us with differing interpretations. > > We agree and understand that the PDC Emulator is contacted > directlry by the downlevel clients to change their passwords. > We also understand and agree that the PDC Emulator is the > source of SAM replication. > > Our disagreement is in authentication. Some folks are > reading it as all downlevel client activity, including > authentication, is done at the PDC emulator. Others read > this as the downlevel client is authenticated by the domain > controller that responds first (or the last time the client > was authenticated [we're also a bit unclear on that concept]). > > To me, this is very clear (but I could be the cause of the > confusion). In a branch office environment running mixed > mode we would have a combination of Win2k and NT4.0 domain > controllers in the field offices. The NT4.0 BDC's are not > aware of the fact that they're really part of an AD domain > and nor would the clients. Thus, if the client's don't know > about AD, and the BDC doesn't know about AD, how would the > client know that it had to contact the PDC emulator to be > authenticated? It wouldn't. Hence, downlevel client > authentication must occur at any domain controller (again, > the one that responds first [or the last one]). > > > Please help clear this up and please include a link to > something that helps clear this up. > > > Thanks, > Mike Baudino > > > > ******************* PLEASE NOTE ******************* > This E-Mail/telefax message and any documents accompanying > this transmission may contain privileged and/or confidential > information and is intended solely for the addressee(s) named > above. If you are not the intended addressee/recipient, you > are hereby notified that any use of, disclosure, copying, > distribution, or reliance on the contents of this > E-Mail/telefax information is strictly prohibited and may > result in legal action against you. Please reply to the > sender advising of the error in transmission and immediately > delete/destroy the message and any accompanying documents. Thank you. > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
