Agreed. The only issue I've seen with downlevel clients in our native mode deployments has been the password complexity issues I've noted before, where users with non-complex passwords prior to enabling enforced complexity cannot change their own passwords.
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 19, 2003 8:45 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
>
> Define your troubles. My guess would be name res issues because
> people start to forget about WINS once they move to AD and W2K
> Machines.
>
> I have tens of thousands of Win9x and NT4 clients and hundreds of
> NT4 Servers that are functioning well in Native mode domain
> environments and have been for a couple of years.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Reynolds
> Sent: Thursday, June 19, 2003 11:22 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] A number of NT4.0 to AD upgrade questions
>
> I have had trouble with win98 and nt4 ws when I went to Native, and
> did not have an NT4 domain controller. What did I do wrong?
>
> -------------------------------------------------------------------------
> FIGHT BACK AGAINST SPAM!
> Download Spam Inspector, the Award Winning Anti-Spam Filter
> http://mail.giantcompany.com
>
> ----- Original Message -----
> From: "W2K List" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, June 19, 2003 7:17 AM
> Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
>
> You can have NT 4 servers and still switch to Native mode.
> However, the servers cannot be Domain Controllers.
>
> Denny
>
> > -----Original Message-----
> > From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 19, 2003 9:45 AM
> > To: [EMAIL PROTECTED]
> >
> > Correct about servers but clients are really irrelevant with
> > regards to Native vs. Mixed mode.
> >
> > -----Original Message-----
> > From: rick reynolds [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 19, 2003 9:29 AM
> > To: [EMAIL PROTECTED]
> >
> > You need to run in mixed mode until the last nt4 server or client
> > leaves the network,
> > also, if you run mixed mode, you can still roll-back,
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, June 19, 2003 4:21 AM
> > Subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> >
> > > I have completed a rollback with Windows 2000 AD back to NT4 and
> > > had no problems with the W2K clients authenticating back to NT4.
> > > Maybe this was just luck and something to do with the reasonings
> > > behind the rollback but thought it was worth a mention.
> > >
> > > J
> > >
> > > > from: Ken Cornetet <[EMAIL PROTECTED]>
> > > > date: Wed, 18 Jun 2003 21:42:27
> > > > to: [EMAIL PROTECTED]
> > > > subject: RE: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > > >
> > > > Comments inline
> > > >
> > > > -----Original Message-----
> > > > From: Mike Baudino [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, June 18, 2003 2:47 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] A number of NT4.0 to AD upgrade questions
> > > >
> > > > All,
> > > >
> > > > I'm not convinced, after reading the Microsoft documentation,
> > > > that we've all got our answers nailed down on an in-place
> > > > upgrade. So, I'd like to submit these questions to you to get
> > > > the "real world" answer.
> > > >
> > > > Since we lack sufficient budget to perform a proper migration
> > > > we'll need to do in-place upgrades to our domains and then
> > > > consolidate some of the rogue domains into our structure (as
> > > > well as cleaning things up after upgrade). All domains will
> > > > remain mixed mode until we're able to complete application
> > > > testing.
> > > > One of our main drivers is the need to consolidate domains as
> > > > well as eventually eliminate our dependence on the SAM.
> > > >
> > > > 1. One of my concerns is following the upgrade of the PDC it
> > > > will be the only AD domain controller in the domain. Our current
> > > > DNS settings for servers and workstations are to our enterprise
> > > > DNS servers, which are not AD-compatible. We anticipate creating
> > > > a new DNS structure for AD and then using forwarders to the
> > > > other DNS servers for non-AD-related address resolution. It's my
> > > > expectation that NT4.0 clients w/o the AD client will not be
> > > > impacted by this in any way. Is this correct?
> > > >
> > > > That's OK. Just make your AD DNS a subdomain of your existing
> > > > DNS domain. For example, if your main DNS domain is "acme.com"
> > > > and your NT domain is "ACME", then create your AD forest as
> > > > "acme.acme.com". Put nameserver records in your existing DNS
> > > > zone that delegates acme.acme.com to the DNS server running on
> > > > your DC. Have your AD DNS server forward to your existing DNS to
> > > > resolve anything not in your AD DNS domain.
> > > >
> > > > The only thing that will break is windows 95, which doesn't do
> > > > "DNS devolution" (trying acme.acme.com, then acme.com). I don't
> > > > know if the AD client fixes this or not.
> > > >
> > > > 2. It's also my expectation that the Win2k clients will be
> > > > impacted depending on their configuration. For example, Win2k
> > > > client that does not have the DNS domain for AD listed in the
> > > > suffix for the client nor in the DNS search order would not
> > > > realize that there was an AD domain controller in their midst
> > > > and would continue to authenticate to the domain as they had
> > > > prior to the upgrade.
> > > > And Win2k clients that have the DNS domain for AD in their
> > > > suffix or search order would preferentially authenticate against
> > > > the new AD DC to the extent that they would begin to ignore
> > > > their local BDC. This is one area of significant concern as we
> > > > don't want to overload any of the domain controllers. I thought
> > > > there was a client reg entry that would eliminate this.
> > > >
> > > > If you put the nameserver records in your existing DNS zone,
> > > > your win2k/XP clients WILL switch to AD authentication. When you
> > > > convert your NT4 domain ("ACME" in my examples) to AD
> > > > (acme.acme.com), your 2k/xp workstations will change their
> > > > primary DNS domain to your AD DNS domain (acme.acme.com)
> > > > regardless of what's in the interface specific DNS. They will
> > > > then use your existing DNS (acme.com) to find nameservers for
> > > > the AD DNS. From there, they will find the DC.
> > > >
> > > > 3. Should we, once we complete the upgrade of the PDC, build a
> > > > new DC, move all Operations Masters roles to the new DC and
> > > > rebuild the old from scratch as Win2k, so as to avoid any legacy
> > > > issues? We'll also be bringing up other AD DC's to split the
> > > > roles up between boxes.
> > > >
> > > > You don't have to. Might be nice.
> > > >
> > > > 4. If something goes wrong and after an hour or two, or sooner,
> > > > find that we need to turn off the AD DC and fire back up the
> > > > offline BDC and promote it to PDC, are the Win2k clients going
> > > > to be OK? I thought I remembered that if a box authenticated
> > > > against the domain using Kerberos it never would go back to
> > > > NTLM.
> > > >
> > > > w2k/xp clients will NOT go back to NTLM authentication to a
> > > > domain once they have used kerberos.
> > > > If you wanted to drop back to a BDC, you will have to remove
> > > > and rejoin all the w2k/xp workstations to the domain.
> > > >
> > > > Thanks,
> > > > Mike
> > > >
> > > > As in everything else of this magnitude: test, test, test!

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
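
The DNS layout described in the quoted answer to question 1 (the existing acme.com zone delegating acme.acme.com to the DNS server on the DC, with "DNS devolution" trying acme.acme.com, then acme.com) can be checked before any client is pointed at it. The following Python is an added example, not part of the thread: the zone contents, host names and 192.0.2.x addresses are constructed, the SRV names are the standard AD DC-locator records, and devolution is modelled as stripping the leftmost suffix label down to the two-label domain.

```python
# Constructed sample zones; only acme.com / acme.acme.com come from the thread.
PARENT_ZONE = """\
intranet.acme.com.  IN A   192.0.2.20
acme.acme.com.      IN NS  dc1.acme.acme.com.
dc1.acme.acme.com.  IN A   192.0.2.10
"""
CHILD_ZONE = """\
dc1.acme.acme.com.                   IN A   192.0.2.10
_ldap._tcp.dc._msdcs.acme.acme.com.  IN SRV 0 100 389 dc1.acme.acme.com.
_kerberos._tcp.acme.acme.com.        IN SRV 0 100 88 dc1.acme.acme.com.
"""

def parse_zone(text):
    """Return (owner, rtype, rdata) tuples from 'name IN TYPE rdata' lines."""
    rows = (line.split() for line in text.splitlines())
    return [(p[0].lower(), p[2], " ".join(p[3:])) for p in rows
            if len(p) >= 4 and p[1] == "IN"]

def check_delegation(parent, child):
    """Problems with the parent zone's delegation of `child` (NS plus glue)."""
    targets = [rd.lower() for n, t, rd in parent if n == child and t == "NS"]
    if not targets:
        return [f"no NS records for {child} in parent zone"]
    have_a = {n for n, t, _ in parent if t == "A"}
    # An NS target inside the delegated zone needs a glue A record in the parent.
    return [f"missing glue A for {ns}" for ns in targets
            if ns.endswith("." + child) and ns not in have_a]

def missing_locator_records(zone, domain):
    """DC-locator SRV names that 2000/XP clients query, absent from the AD zone."""
    wanted = [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.{domain}"]
    have = {n for n, t, _ in zone if t == "SRV"}
    return [w for w in wanted if w not in have]

def candidates(host, suffix, devolution=True):
    """FQDNs tried for an unqualified name; devolution stops at two labels."""
    labels = suffix.rstrip(".").split(".")
    out = [f"{host}.{'.'.join(labels)}."]
    while devolution and len(labels) > 2:
        labels = labels[1:]
        out.append(f"{host}.{'.'.join(labels)}.")
    return out

def resolve(host, suffix, records, devolution=True):
    """First candidate with an A record, or None (a client without devolution)."""
    a = {n: rd for n, t, rd in records if t == "A"}
    return next((a[c] for c in candidates(host, suffix, devolution) if c in a), None)
```

With `devolution=False`, `resolve("intranet", "acme.acme.com", ...)` returns `None`, which is the failure the thread attributes to Windows 95 clients for hosts that live only in the parent zone.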
