You need to run in mixed mode until the last NT4 server or client leaves the
network.
Also, if you run mixed mode, you can still roll back.

----- Original Message ----- 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 19, 2003 4:21 AM
Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions


> I have completed a rollback with Windows 2000 AD back to NT4 and had no
> problems with the W2K clients authenticating back to NT4.  Maybe this was
> just luck and something to do with the reasoning behind the rollback, but
> I thought it was worth a mention.
>
> J
>
> >  from:    Ken Cornetet <[EMAIL PROTECTED]>
> >  date:    Wed, 18 Jun 2003 21:42:27
> >  to:      [EMAIL PROTECTED]
> >  subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> >
> > Comments inline
> >
> > -----Original Message-----
> > From: Mike Baudino [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, June 18, 2003 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
> >
> >
> >
> >
> >
> >
> > All,
> >
> > I'm not convinced, after reading the Microsoft documentation, that we've
> > all got our answers nailed down on an in-place upgrade.  So, I'd like to
> > submit these questions to you to get the "real world" answer.
> >
> > Since we lack sufficient budget to perform a proper migration we'll need
> > to do in-place upgrades to our domains and then consolidate some of the
> > rogue domains into our structure (as well as cleaning things up after
> > upgrade). All domains will remain mixed mode until we're able to
> > complete application testing.  One of our main drivers is the need to
> > consolidate domains as well as eventually eliminate our dependence on
> > the SAM.
> >
> >
> > 1.     One of my concerns is following the upgrade of the PDC it will be
> > the only AD domain controller in the domain.  Our current DNS settings
> > for servers and workstations are to our enterprise DNS servers, which
> > are not AD-compatible.  We anticipate creating a new DNS structure for
> > AD and then using forwarders to the other DNS servers for non-AD-related
> > address resolution.  It's my expectation that NT4.0 clients w/o the AD
> > client will not be impacted by this in any way.  Is this correct?
> >
> > That's OK. Just make your AD DNS a subdomain of your existing DNS
> > domain. For example, if your main DNS domain is "acme.com" and your NT
> > domain is "ACME", then create your AD forest as "acme.acme.com". Put
> > nameserver records in your existing DNS zone that delegate
> > acme.acme.com to the DNS server running on your DC. Have your AD DNS
> > server forward to your existing DNS to resolve anything not in your AD
> > DNS domain.
> >
> > The only thing that will break is Windows 95, which doesn't do "DNS
> > devolution" (trying acme.acme.com, then acme.com). I don't know if the
> > AD client fixes this or not.
> >
> > 2.     It's also my expectation that the Win2k clients will be impacted
> > depending on their configuration.  For example, a Win2k client that does
> > not have the DNS domain for AD listed in the suffix for the client nor
> > in the DNS search order would not realize that there was an AD domain
> > controller in their midst and would continue to authenticate to the
> > domain as they had prior to the upgrade.  And Win2k clients that have
> > the DNS domain for AD in their suffix or search order would
> > preferentially authenticate against the new AD DC to the extent that
> > they would begin to ignore their local BDC. This is one area of
> > significant concern as we don't want to overload any of the domain
> > controllers.  I thought there was a client reg entry that would
> > eliminate this.
> >
> > If you put the nameserver records in your existing DNS zone, your
> > win2k/XP clients WILL switch to AD authentication. When you convert your
> > NT4 domain ("ACME" in my examples) to AD (acme.acme.com), your 2k/xp
> > workstations will change their primary DNS domain to your AD DNS domain
> > (acme.acme.com) regardless of what's in the interface specific DNS. They
> > will then use your existing DNS (acme.com) to find nameservers for the
> > AD DNS. From there, they will find the DC.
> >
> > 3.     Should we, once we complete the upgrade of the PDC, build a new
> > DC, move all Operations Masters roles to the new DC and rebuild the old
> > from scratch as Win2k, so as to avoid any legacy issues?  We'll also be
> > bringing up other AD DCs to split the roles up between boxes.
> >
> > You don't have to. Might be nice.
> >
> > 4.     If something goes wrong and after an hour or two, or sooner, we find
> > that we need to turn off the AD DC and fire back up the offline BDC and
> > promote it to PDC, are the Win2k clients going to be OK?  I thought I
> > remembered that if a box authenticated against the domain using Kerberos
> > it never would go back to NTLM.
> >
> > W2k/XP clients will NOT go back to NTLM authentication to a domain once
> > they have used Kerberos. If you wanted to drop back to a BDC, you will
> > have to remove and rejoin all the w2k/xp workstations to the domain.
> >
> > Thanks,
> > Mike
> >
> > As in everything else of this magnitude: test, test, test!
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/[EMAIL PROTECTED]/
> >
> >
>
>
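
The delegation described in the answer to question 1 above, written out as a BIND-style fragment of the existing parent zone. This is an added example, not part of the original thread; the host name `dc1` and the address `192.0.2.10` are placeholder assumptions, and the existing enterprise DNS is assumed to accept standard zone-file syntax.

```dns
; Fragment of the EXISTING parent zone "acme.com" (constructed example).
; Only the delegation records are shown; the rest of the zone is unchanged.
$ORIGIN acme.com.

; Delegate the AD subdomain acme.acme.com to the DNS server on the DC.
; "acme" is relative to $ORIGIN, so it expands to acme.acme.com.
acme        IN  NS  dc1.acme.acme.com.

; Glue record: the name server's own name lies inside the delegated
; zone, so the parent must publish its address or resolvers cannot
; reach it to ask anything about acme.acme.com.
; 192.0.2.10 is a documentation-range placeholder for the DC's address.
dc1.acme    IN  A   192.0.2.10

; Not part of this zone: on the AD DNS server itself, configure the
; existing enterprise DNS servers as forwarders so that names outside
; acme.acme.com still resolve.
;
; Check after the change: a client that points only at the existing DNS
; should now resolve the SRV record that Win2k/XP clients use to locate
; a domain controller:
;   _ldap._tcp.dc._msdcs.acme.acme.com
```

Once this delegation is published, the behaviour described in the answer to question 2 applies: Win2k/XP clients can find the AD DC through the existing DNS, so the authentication load on that DC should be planned for before the records go in.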