This is incorrect, you can switch from mixed mode to native mode as soon
as you don't have NT4 BDC's. NT4/Win9x clients/servers will work with a
Native Mode AD Domain just fine.

The rollback is correct with mixed mode, though once you get very far
into the migration a rollback becomes more and more unfeasible as it
will involve rebuilding your DC's that have been migrated to W2K.


   joe




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rick reynolds
Sent: Thursday, June 19, 2003 9:29 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] A number of NT4.0 to AD upgrade questions


You need to run in mixed mode until the last nt4 server or client leaves
the network, also, if you run mixed mode, you can still roll-back,

----- Original Message ----- 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 19, 2003 4:21 AM
Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions


> I have completed a rollback with Windows 2000 AD back to NT4 and had
> no problems with the W2K clients authenticating back to NT4.  Maybe
> this was just luck and something to do with the reasonings behind the
> rollback but thought it was worth a mention.
>
> J
>
> >  from:    Ken Cornetet <[EMAIL PROTECTED]>
> >  date:    Wed, 18 Jun 2003 21:42:27
> >  to:      [EMAIL PROTECTED]
> >  subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> >
> > Comments inline
> >
> > -----Original Message-----
> > From: Mike Baudino [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, June 18, 2003 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
> >
> > All,
> >
> > I'm not convinced, after reading the Microsoft documentation, that 
> > we've all got our answers nailed down on an in-place upgrade.  So, 
> > I'd like to submit these questions to you to get the "real world" 
> > answer.
> >
> > Since we lack sufficient budget to perform a proper migration we'll 
> > need to do in-place upgrades to our domains and then consolidate 
> > some of the rogue domains into our structure (as well as cleaning 
> > things up after upgrade). All domains will remain mixed mode until 
> > we're able to complete application testing.  One of our main drivers
> > is the need to consolidate domains as well as eventually eliminate
> > our dependence on the SAM.
> >
> >
> > 1.     One of my concerns is following the upgrade of the PDC it will be
> > the only AD domain controller in the domain.  Our current DNS
> > settings for servers and workstations are to our enterprise DNS 
> > servers, which are not AD-compatible.  We anticipate creating a new 
> > DNS structure for AD and then using forwarders to the other DNS 
> > servers for non-AD-related address resolution.  It's my expectation 
> > that NT4.0 clients w/o the AD client will not be impacted by this in
> > any way.  Is this correct?
> >
> > That's OK. Just make your AD DNS a subdomain of your existing DNS 
> > domain. For example, if your main DNS domain is "acme.com" and your 
> > NT domain is "ACME", then create your AD forest as "acme.acme.com". 
> > Put nameserver records in your existing DNS zone that delegates 
> > acme.acme.com to the DNS server running on your DC. Have your AD DNS
> > server forward to your existing DNS to resolve anything not in your
> > AD DNS domain.
> >
> > The only thing that will break is windows 95, which doesn't do "DNS 
> > devolution" (trying acme.acme.com, then acme.com). I don't know if 
> > the AD client fixes this or not.
> >
> > 2.     It's also my expectation that the Win2k clients will be impacted
> > depending on their configuration.  For example, Win2k client that
> > does not have the DNS domain for AD listed in the suffix for the 
> > client nor in the DNS search order would not realize that there was 
> > an AD domain controller in their midst and would continue to 
> > authenticate to the domain as they had prior to the upgrade.  And 
> > Win2k clients that have the DNS domain for AD in their suffix or 
> > search order would preferentially authenticate against the new AD
> > DC to the extent that they would begin to ignore their local BDC.
> > This is one area of significant concern as we don't want to overload
> > any of the domain controllers.  I thought there was a client reg
> > entry that would eliminate this.
> >
> > If you put the nameserver records in your existing DNS zone, your 
> > win2k/XP clients WILL switch to AD authentication. When you convert 
> > your NT4 domain ("ACME" in my examples) to AD (acme.acme.com), your 
> > 2k/xp workstations will change their primary DNS domain to your AD 
> > DNS domain (acme.acme.com) regardless of what's in the interface
> > specific DNS. They will then use your existing DNS (acme.com) to find
> > nameservers for the AD DNS. From there, they will find the DC.
> >
> > 3.     Should we, once we complete the upgrade of the PDC, build a new DC,
> > move all Operations Masters roles to the new DC and rebuild the old
> > from scratch as Win2k, so as to avoid any legacy issues?  We'll also
> > be bringing up other AD DC's to split the roles up between boxes.
> >
> > You don't have to. Might be nice.
> >
> > 4.     If something goes wrong and after an hour or two, or sooner, find
> > that we need to turn off the AD DC and fire back up the offline BDC
> > and promote it to PDC, are the Win2k clients going to be OK?  I 
> > thought I remembered that if a box authenticated against the domain 
> > using Kerberos it never would go back to NTLM.
> >
> > w2k/xp clients will NOT go back to NTLM authentication to a domain 
> > once they have used kerberos. If you wanted to drop back to a BDC, 
> > you will have to remove and rejoin all the w2k/xp workstations to 
> > the domain.
> >
> > Thanks,
> > Mike
> >
> > As in everything else of this magnitude: test, test, test!
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/[EMAIL PROTECTED]/
> >
> >
>

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
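
The delegation described in the quoted reply above (the existing zone acme.com delegating acme.acme.com to the DNS server on the DC), written as a BIND-style zone-file fragment. This is an added example, not part of any message in the thread; it assumes the existing DNS servers use standard zone files, and the host name dc1 and the address 192.0.2.10 are constructed placeholders.

```dns
; Added illustration, not from the thread.
; dc1 and 192.0.2.10 are constructed placeholders (documentation address range).
; Fragment of the existing parent zone acme.com on the enterprise DNS servers.
$ORIGIN acme.com.

; Delegate the AD subdomain to the DNS server running on the DC.
; Queries for anything under acme.acme.com are referred there, which is how
; clients pointed at the existing DNS still locate the AD name server.
acme            IN  NS  dc1.acme.acme.com.

; Glue record: the name server's own name lies inside the delegated zone,
; so the parent zone has to publish its address alongside the NS record.
dc1.acme        IN  A   192.0.2.10

; On the DC side, the AD DNS server hosts acme.acme.com and forwards every
; other name to the existing acme.com servers, as the reply describes.
;
; Check from a client that still uses the existing DNS servers:
;   nslookup -type=SRV _ldap._tcp.dc._msdcs.acme.acme.com
; A referral that ends at dc1 with an SRV answer shows the delegation works.
```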
