In that case I would expect NT4.0 member servers and workstations to be irrelevant and the only real concern, which by now we should all know about, is NT4.0 BDCs. But you're right. Because of our shoestring budget, basically $0.00 (but we can add a lot of 0's to the left of the decimal to make it look bigger), we're forced to run mixed until we replace all BDCs. They're leased so at least it's not forever.

Thanks
"Sullivan, Kevin" <[EMAIL PROTECTED]>@mail.activedir.org on 06/19/2003 08:45:16 AM
Please respond to [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
Correct about servers, but clients are really irrelevant with regards to Native vs. Mixed mode.
-----Original Message-----
From: rick reynolds [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 9:29 AM
To: [EMAIL PROTECTED]
You need to run in mixed mode until the last NT4 server or client leaves the network. Also, if you run mixed mode, you can still roll back.
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 19, 2003 4:21 AM
Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> I have completed a rollback with Windows 2000 AD back to NT4 and had no problems with the W2K clients authenticating back to NT4. Maybe this was just luck and something to do with the reasoning behind the rollback, but I thought it was worth a mention.
>
> J
>
> > from: Ken Cornetet <[EMAIL PROTECTED]>
> > date: Wed, 18 Jun 2003 21:42:27
> > to: [EMAIL PROTECTED]
> > subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> >
> > Comments inline
> >
> > -----Original Message-----
> > From: Mike Baudino [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, June 18, 2003 2:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
> >
> > All,
> >
> > I'm not convinced, after reading the Microsoft documentation, that we've all got our answers nailed down on an in-place upgrade. So, I'd like to submit these questions to you to get the "real world" answer.
> >
> > Since we lack sufficient budget to perform a proper migration we'll need to do in-place upgrades to our domains and then consolidate some of the rogue domains into our structure (as well as cleaning things up after upgrade). All domains will remain mixed mode until we're able to complete application testing. One of our main drivers is the need to consolidate domains as well as eventually eliminate our dependence on the SAM.
> >
> > 1. One of my concerns is that following the upgrade of the PDC it will be the only AD domain controller in the domain. Our current DNS settings for servers and workstations are to our enterprise DNS servers, which are not AD-compatible. We anticipate creating a new DNS structure for AD and then using forwarders to the other DNS servers for non-AD-related address resolution. It's my expectation that NT4.0 clients w/o the AD client will not be impacted by this in any way. Is this correct?
> >
> > That's OK. Just make your AD DNS a subdomain of your existing DNS domain. For example, if your main DNS domain is "acme.com" and your NT domain is "ACME", then create your AD forest as "acme.acme.com". Put nameserver records in your existing DNS zone that delegate acme.acme.com to the DNS server running on your DC. Have your AD DNS server forward to your existing DNS to resolve anything not in your AD DNS domain.
> >
> > The only thing that will break is Windows 95, which doesn't do "DNS devolution" (trying acme.acme.com, then acme.com). I don't know if the AD client fixes this or not.
> >
> > 2. It's also my expectation that the Win2k clients will be impacted depending on their configuration. For example, a Win2k client that does not have the DNS domain for AD listed in the suffix for the client nor in the DNS search order would not realize that there was an AD domain controller in their midst and would continue to authenticate to the domain as they had prior to the upgrade. And Win2k clients that have the DNS domain for AD in their suffix or search order would preferentially authenticate against the new AD DC to the extent that they would begin to ignore their local BDC. This is one area of significant concern as we don't want to overload any of the domain controllers. I thought there was a client reg entry that would eliminate this.
> >
> > If you put the nameserver records in your existing DNS zone, your win2k/XP clients WILL switch to AD authentication. When you convert your NT4 domain ("ACME" in my examples) to AD (acme.acme.com), your 2k/xp workstations will change their primary DNS domain to your AD DNS domain (acme.acme.com) regardless of what's in the interface specific DNS. They will then use your existing DNS (acme.com) to find nameservers for the AD DNS. From there, they will find the DC.
> >
> > 3. Should we, once we complete the upgrade of the PDC, build a new DC, move all Operations Masters roles to the new DC and rebuild the old from scratch as Win2k, so as to avoid any legacy issues? We'll also be bringing up other AD DCs to split the roles up between boxes.
> >
> > You don't have to. Might be nice.
> >
> > 4. If something goes wrong and after an hour or two, or sooner, we find that we need to turn off the AD DC and fire back up the offline BDC and promote it to PDC, are the Win2k clients going to be OK? I thought I remembered that if a box authenticated against the domain using Kerberos it never would go back to NTLM.
> >
> > w2k/xp clients will NOT go back to NTLM authentication to a domain once they have used Kerberos. If you wanted to drop back to a BDC, you will have to remove and rejoin all the w2k/xp workstations to the domain.
> >
> > Thanks,
> > Mike
> >
> > As in everything else of this magnitude: test, test, test!
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/[EMAIL PROTECTED]/
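As an added worked example (not code from the thread or from any of its posters), the following Python models the DNS layout Ken describes in his answer to question 1 (the AD DNS domain delegated as a subdomain of the existing zone) and the lookups the clients discussed in question 2 perform once their primary suffix follows the AD domain. The zone names "acme.com" and "acme.acme.com" come from the thread; the DC host name, its address, the site name and the two-label devolution floor are assumptions made for illustration, as is the Windows 95 "no devolution" modelling.

```python
"""Added example: DNS delegation and client name lookups for an AD domain
rooted as a subdomain of an existing DNS zone, as described in the thread.
Zone names are the thread's; host, address and site name are assumed."""

PARENT_ZONE = "acme.com"          # existing enterprise DNS zone (from the thread)
AD_DNS_DOMAIN = "acme.acme.com"   # AD domain DNS name (from the thread)
AD_DC_HOST = "dc1.acme.acme.com"  # assumed: the upgraded PDC, also running DNS
AD_DC_IP = "10.0.0.10"            # assumed: its address


def delegation_records(parent_zone, child_zone, ns_host, ns_ip):
    """Zone-file lines to add to parent_zone so that child_zone is delegated
    to ns_host. A glue A record is only needed when the name server's own
    name lies inside the delegated zone, which is the case when the DC is
    named under acme.acme.com and the parent zone cannot otherwise resolve it."""
    if not child_zone.endswith("." + parent_zone):
        raise ValueError(f"{child_zone} is not a subdomain of {parent_zone}")
    lines = [f"{child_zone}.\tIN\tNS\t{ns_host}."]
    if ns_host.endswith("." + child_zone):
        lines.append(f"{ns_host}.\tIN\tA\t{ns_ip}")
    return lines


def dc_locator_names(ad_domain, site=None):
    """SRV owner names a Windows 2000/XP domain member queries to locate a
    domain controller for ad_domain. They live in the _msdcs subtree that the
    AD DNS server registers; the parent zone only needs the delegation that
    leads to them. The site-specific name is tried first when the client
    already knows its site."""
    names = [
        f"_ldap._tcp.dc._msdcs.{ad_domain}",
        f"_kerberos._tcp.dc._msdcs.{ad_domain}",
    ]
    if site:
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{ad_domain}")
    return names


def resolution_candidates(name, primary_suffix, search_list=(), devolve=True, min_labels=2):
    """FQDNs a client tries, in order, when resolving a single-label name.

    - A configured suffix search list is used as-is, with no devolution.
    - Otherwise the primary suffix is appended and, if the client devolves,
      one leading label is stripped per retry until min_labels remain
      (2 is assumed here for the Windows 2000-era behaviour).
    - devolve=False models the Windows 95 case the thread describes:
      only the full primary suffix is tried, so names that only exist in
      acme.com are never found from a suffix of acme.acme.com.
    """
    if "." in name:
        return [name.rstrip(".")]           # already qualified, use as given
    if search_list:
        return [f"{name}.{s}" for s in search_list]
    candidates = []
    labels = primary_suffix.split(".")
    while len(labels) >= min_labels:
        candidates.append(f"{name}.{'.'.join(labels)}")
        if not devolve:
            break
        labels = labels[1:]
    return candidates


if __name__ == "__main__":
    print(f"Add to the {PARENT_ZONE} zone:")
    for line in delegation_records(PARENT_ZONE, AD_DNS_DOMAIN, AD_DC_HOST, AD_DC_IP):
        print("  " + line)
    print("DC locator lookups a Win2k member will issue:")
    for n in dc_locator_names(AD_DNS_DOMAIN, site="Default-First-Site-Name"):
        print("  " + n)
    print("Win2k lookup of 'fileserver' (devolves):",
          resolution_candidates("fileserver", AD_DNS_DOMAIN))
    print("Win95 lookup of 'fileserver' (no devolution):",
          resolution_candidates("fileserver", AD_DNS_DOMAIN, devolve=False))
```

The two delegation lines are what goes into the existing acme.com zone; everything under _msdcs is registered by the DC itself and never needs to be hand-entered in the parent. The devolution comparison shows why a client that stops at the full primary suffix loses access to hosts that are still only registered in acme.com.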