You only need to be in mixed mode until all NT4 domain controllers are gone in the domain. Mixed mode/Native Mode has no impact on what clients can be served.
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: rick reynolds [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 19, 2003 9:29 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] A number of NT4.0 to AD upgrade questions
>
> You need to run in mixed mode until the last nt4 server or client
> leaves the network, also, if you run mixed mode, you can still
> roll-back,
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, June 19, 2003 4:21 AM
> Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
>
> > I have completed a rollback with Windows 2000 AD back to NT4 and
> > had no problems with the W2K clients authenticating back to NT4.
> > Maybe this was just look and something to do with the reasonings
> > behind the rollback but thought it was worth a mention.
> >
> > J
> >
> > > from: Ken Cornetet <[EMAIL PROTECTED]>
> > > date: Wed, 18 Jun 2003 21:42:27
> > > to: [EMAIL PROTECTED]
> > > subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > >
> > > Comments inline
> > >
> > > -----Original Message-----
> > > From: Mike Baudino [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, June 18, 2003 2:47 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > >
> > > All,
> > >
> > > I'm not convinced, after reading the Microsoft documentation,
> > > that we've all got our answers nailed down on an in-place
> > > upgrade. So, I'd like to submit these questions to you to get
> > > the "real world" answer.
> > >
> > > Since we lack sufficient budget to perform a proper migration
> > > we'll need to do in-place upgrades to our domains and then
> > > consolidate some of the rogue domains into our structure (as
> > > well as cleaning things up after upgrade). All domains will
> > > remain mixed mode until we're able to complete application
> > > testing. One of our main drivers is the need to consolidate
> > > domains as well as eventually eliminate our dependence on the
> > > SAM.
> > >
> > > 1. One of my concerns is following the upgrade of the PDC it
> > > will be the only AD domain controller in the domain. Our current
> > > DNS settings for servers and workstations are to our enterprise
> > > DNS servers, which are not AD-compatible. We anticipate creating
> > > a new DNS structure for AD and then using forwarders to the
> > > other DNS servers for non-AD-related address resolution. It's my
> > > expectation that NT4.0 clients w/o the AD client will not be
> > > impacted by this in any way. Is this correct?
> > >
> > > That's OK. Just make your AD DNS a subdomain of your existing
> > > DNS domain. For example, if your main DNS domain is "acme.com"
> > > and your NT domain is "ACME", then create your AD forest as
> > > "acme.acme.com". Put nameserver records in your existing DNS
> > > zone that delegate acme.acme.com to the DNS server running on
> > > your DC. Have your AD DNS server forward to your existing DNS to
> > > resolve anything not in your AD DNS domain.
> > >
> > > The only thing that will break is Windows 95, which doesn't do
> > > "DNS devolution" (trying acme.acme.com, then acme.com). I don't
> > > know if the AD client fixes this or not.
> > >
> > > 2. It's also my expectation that the Win2k clients will be
> > > impacted depending on their configuration. For example, Win2k
> > > client that does not have the DNS domain for AD listed in the
> > > suffix for the client nor in the DNS search order would not
> > > realize that there was an AD domain controller in their midst
> > > and would continue to authenticate to the domain as they had
> > > prior to the upgrade. And Win2k clients that have the DNS domain
> > > for AD in their suffix or search order would preferentially
> > > authenticate against the new AD DC to the extent that they would
> > > begin to ignore their local BDC. This is one area of significant
> > > concern as we don't want to overload any of the domain
> > > controllers. I thought there was a client reg entry that would
> > > eliminate this.
> > >
> > > If you put the nameserver records in your existing DNS zone,
> > > your win2k/XP clients WILL switch to AD authentication. When you
> > > convert your NT4 domain ("ACME" in my examples) to AD
> > > (acme.acme.com), your 2k/xp workstations will change their
> > > primary DNS domain to your AD DNS domain (acme.acme.com)
> > > regardless of what's in the interface specific DNS. They will
> > > then use your existing DNS (acme.com) to find nameservers for
> > > the AD DNS. From there, they will find the DC.
> > >
> > > 3. Should we, once we complete the upgrade of the PDC, build a
> > > new DC, move all Operations Masters roles to the new DC and
> > > rebuild the old from scratch as Win2k, so as to avoid any legacy
> > > issues? We'll also be bringing up other AD DC's to split the
> > > roles up between boxes.
> > >
> > > You don't have to. Might be nice.
> > >
> > > 4. If something goes wrong and after an hour or two, or sooner,
> > > find that we need to turn off the AD DC and fire back up the
> > > offline BDC and promote it to PDC, are the Win2k clients going
> > > to be OK? I thought I remembered that if a box authenticated
> > > against the domain using Kerberos it never would go back to
> > > NTLM.
> > >
> > > w2k/xp clients will NOT go back to NTLM authentication to a
> > > domain once they have used kerberos. If you wanted to drop back
> > > to a BDC, you will have to remove and rejoin all the w2k/xp
> > > workstations to the domain.
> > >
> > > Thanks,
> > > Mike
> > >
> > > As in everything else of this magnitude: test, test, test!
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/[EMAIL PROTECTED]/
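
Added example, not part of the thread: a small Python model of the DNS layout described in the answer to question 1 (acme.acme.com delegated from acme.com, AD DNS forwarding upstream) and of the suffix devolution that Windows 95 is said to lack. The host names `dc1` and `fileserver`, the addresses and the dict layout are assumptions; `_ldap._tcp.dc._msdcs.<domain>` is the SRV name AD clients query to locate a DC.

```python
# Constructed data modelled on the thread's acme.com / acme.acme.com example.
# Host names, addresses and the dict layout are assumptions for illustration.
ENTERPRISE_DNS = {
    "origin": "acme.com",
    "records": {("fileserver.acme.com", "A"): ["192.0.2.20"]},
    # NS delegation: child zone -> name server that hosts it (the new DC)
    "delegations": {"acme.acme.com": "dc1.acme.acme.com"},
    "forwarder": None,
}
AD_DNS = {
    "origin": "acme.acme.com",
    "records": {
        ("dc1.acme.acme.com", "A"): ["192.0.2.53"],
        # DC locator record that Windows 2000/XP clients query
        ("_ldap._tcp.dc._msdcs.acme.acme.com", "SRV"): ["0 100 389 dc1.acme.acme.com"],
    },
    "delegations": {},
    "forwarder": ENTERPRISE_DNS,  # everything outside the AD zone goes upstream
}
NAME_SERVERS = {"dc1.acme.acme.com": AD_DNS}


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def resolve(server, name, rtype):
    """Answer a query at `server`, following delegations and forwarders."""
    for child, ns in server["delegations"].items():
        if in_zone(name, child):
            return resolve(NAME_SERVERS[ns], name, rtype)
    if in_zone(name, server["origin"]):
        return server["records"].get((name, rtype))
    if server["forwarder"]:
        return resolve(server["forwarder"], name, rtype)
    return None


def devolution_candidates(short_name, primary_suffix, devolve=True):
    """FQDNs tried for a single-label name; devolution strips leading labels."""
    labels = primary_suffix.split(".")
    stop = max(1, len(labels) - 1) if devolve else 1  # never below two labels
    return [short_name + "." + ".".join(labels[i:]) for i in range(stop)]


def lookup_short(server, short_name, primary_suffix, devolve=True):
    for fqdn in devolution_candidates(short_name, primary_suffix, devolve):
        answer = resolve(server, fqdn, "A")
        if answer:
            return fqdn, answer
    return None
```

Calling `lookup_short(ENTERPRISE_DNS, "fileserver", "acme.acme.com", devolve=False)` models the Windows 95 case from the thread: the host lives in acme.com, so a client that only tries its primary suffix gets no answer.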
