The rollback possibility is an interesting issue. I've looked into this and came across the following quote from Microsoft: "While the Windows Server 2003 functional level provides a number of features and advantages, you might choose not to move to this functional level if your environment is not ready. For example, you might choose not to enable the Windows Server 2003 functional level for one of the following reasons: ... bla bla 1 bla bla 2 ... 3. You need to retain the ability to fall back to Windows NT 4.0."
 
This gives me the feeling that the "move to native mode rollback" is not possible/supported. But ... curious as I am ... why not? Of course, you can get in all sorts of trouble when you apply changes that use the native mode features. This could be the one and only reason why a rollback is not supported, but as a user/customer I want to be able to revert my changes whenever I don't like them :-) ... Let's dig into this ...
 
The ntMixedDomain attribute on the domainDNS object is set to 1 when a domain is converted to native mode. Looking at how functional levels operate in Windows 2003 domains... There's a new attribute in the schema, actually multiple attributes, but they're defined as msDS-Behavior-Version. For a domain functional level, it's written to the domain container. For a forest functional level, it's written to the partitions container.
 
So, I'm having the feeling that it is possible to revert the move to native mode by restoring EVERY DC in the DOMAIN with a backup made before the change. I don't think it's necessary to restore every DC in the FOREST because the ntMixedDomain attribute is stored in the domain partition, not in the configuration partition... However, undoing an increase in Forest Functional Level in Windows Server 2003 appears to need a restore of every DC in the forest...
 
Any other ideas?
 
Cheers!
John
 
p.s. Throwing the users/developers in the dungeons like Joe suggests is probably a better idea .... uuuh, I mean test lab instead of dungeon of course ;-) ...
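
A way to check the restore idea in the message above, as an added example that is not part of the original thread: it compares the two attributes named there, as read from each DC, against values exported before the change. The host names, DNs and attribute values are constructed sample data, and the exports are assumed to be plain LDIF text.

```python
# Added example: report DCs whose mode / functional-level attributes differ
# from a baseline exported before the change. All names and values below are
# constructed sample data, not taken from the thread.
WATCHED = ("ntMixedDomain", "msDS-Behavior-Version")

BASELINE_LDIF = """\
dn: DC=example,DC=test
ntMixedDomain: 1
msDS-Behavior-Version: 0

dn: CN=Partitions,CN=Configuration,
 DC=example,DC=test
msDS-Behavior-Version: 0
"""

# The same two objects as read from each DC after the restore (constructed).
PER_DC_LDIF = {
    "dc1.example.test": BASELINE_LDIF,
    "dc2.example.test": BASELINE_LDIF.replace("ntMixedDomain: 1", "ntMixedDomain: 0"),
}

def parse_ldif(text):
    """Return {lower-cased dn: {attr: value}} for single-valued attributes."""
    entries, current = {}, None
    unfolded = text.replace("\n ", "")  # LDIF folds long lines as newline + space
    for line in unfolded.splitlines():
        if not line.strip():            # a blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):        # LDIF comment line
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current[key] = value
    return entries

def drift(baseline, per_dc):
    """List (dc, dn, attr, expected, actual) where a DC differs from baseline."""
    findings = []
    for dc, ldif in sorted(per_dc.items()):
        seen = parse_ldif(ldif)
        for dn, attrs in baseline.items():
            for attr in WATCHED:
                actual = seen.get(dn, {}).get(attr)
                if attr in attrs and actual != attrs[attr]:
                    findings.append((dc, dn, attr, attrs[attr], actual))
    return findings
```

Calling `drift(parse_ldif(BASELINE_LDIF), PER_DC_LDIF)` on the sample data flags only `dc2.example.test`, the DC whose domain head no longer matches the baseline.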
 
 


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 1:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

1. Theoretical until you have conclusively proved in your own lab. Most likely unsupported as a rollback mechanism by MS.
 
2. Not necessarily true. There have been scattered reports of Samba and other SMB emulation packages choking and also I have personally seen some weird stuff with group memberships. Specifically pre-Native mode we had the Everyone security principal in the Winds Users Group. Going to Native mode that didn't work any longer and I had to add Domain Users. MS PSS never was able to give me an explanation and since I had a workaround, I wasn't willing to keep paying for them to try and learn.
 
3. Absolutely. Domain Local Group Scope is a great one as well as same group nesting.
 
 
Personally, I would say throw the developers in the lab and have them make sure their shit doesn't break.
 
   joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, November 04, 2003 5:22 PM
To: [EMAIL PROTECTED]

We have a domain about to go to native mode (2 others have already switched with absolutely no problems, of course.) This last domain is the result of an acquisition, and there is a skeptical staff of developers there who are trying to push back the change saying they need extensive testing in the lab beforehand (because they’re spooked by the “never go back” warning).

 

As much as I know Native Mode means I can never put a NT 4 BDC back in that domain (like I’d want to), I need industry expert back-up to the following facts I’d like to present:

 

  1. Although the change is not reversible, we could restore from AD backup and be back where we were
  2. The change does not prevent downlevel applications or users from authenticating to the domain (PDCE is still present afterwards)
  3. Native Mode provides a few new capabilities we didn’t have before (Universal groups, nesting, etc.)

 

If I am incorrect on any of this *or* if you have some suggestions on things I should add, please let me know. Thanks guys, as always.

 

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do

 
