RE: [ActiveDir] native mode

[GRILLENMEIER,GUIDO (HP-Germany,ex1)]

John - it sounds like Mark is talking about a 2000 domain - not that it makes too much of a difference, but 2000 doesn't know about functional levels (especially not about forest functional levels).  Mark, correct me if I'm wrong.   However, since in 2000 the domain mode really only effects the domain, you should be able to revert to mixed mode by turning back the clock.  I wouldn't do so by restoring every DC though - I'd just restore one (the PDCE) and then DCPROMO the rest. Any other option would be too risky - although the other suggestion made by Phil to keep one DC offline during the process and then if required to seize roles on it is also a good one. Nevertheless, all other DCs need to be cleaned from the metadata and re-promoted.  Not nice, but the "most supported" way.   Ofcourse, you'll want to discuss a point of no-return: this would be after you've started to leverage the new features of the native domain, such as creating Universal Security Groups and nesting these into UGs of other domains, leveraging SIDhistory (although I hear this also works in mixed mode, but is not supported...) From: John Reijnders [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 09:37 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] native mode The rollback possibility is a interesting issue. I've looked into this and came across the following quote from Microsoft: "While the Windows Server 2003 functional level provides a number of features and advantages, you might choose not to move to this functional level if your environment is not ready. For example, you might choose not to enable the Windows Server 2003 functional level for one of the following reasons: ... bla bla 1 bla bla 2 ... 3.You need to retain the ability to fall back to Windows NT 4.0."   This gives me the feeling that the "move to native mode rollback" is not possible/supported. But ... curious as I am ... why not? Of course, you can get in all sorts of trouble when you apply changes that use the native mode features. This could be the one and only reason why a rollback is not supported, but as a user/customer I want to be able to revert my changes whenever I don't like them :-) ... Let's dig into this ...   The ntMixedDomain attribute on the domainDNS object is set to 1 when a domain is converted to native mode. Looking at how functional levels operate in Windows 2003 domains... There's a new attribute in the schema, actually multiple attributes, but they're defined as msDS-Behavior-Version. For a domain functional level, it's written to the domain container. For a forest functional level, it's written to the partitions container.   So, I'm having the feeling that it is possible to revert the move to native mode by restoring EVERY DC in the DOMAIN with a backup made before the change. I don't think it's necessary to restore every DC in the FOREST because the ntMixedDomain attribute is stored in the domain partition, not in the configuration partition... However, undoing an increase in Forest Functional Level in Windows Server 2003 appears to need a restore of every DC in the forest...   Any other ideas?   Cheers! John   p.s. Throwing the users/developers in the dungeons like Joe suggests is probably a better idea .... uuuh, I mean test lab in stead of dungeon of course ;-) ...     From: Joe [mailto:[EMAIL PROTECTED] Sent: woensdag 5 november 2003 1:13 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] native mode 1. Theoretical until you have conclusively proved in your own lab. Most likely unsupported as a rollback mechanism by MS.   2. Not necessarily true. There have been scattered reports of Samba and other SMB emulation packages choking and also I have personally seen some weird stuff with group memberships. Specifically pre-Native mode we had the Everyone security principal in the Winds Users Group. Going to Native mode that didn't work any longer and I had to add Domain Users. MS PSS never was able to give me an explanation and since I had a workaround, I wasn't willing to keep paying for them to try and learn.   3. Absolutely. Domain Local Group Scope is a great one as well as same group nesting.     Personally, I would say throw the developers in the lab and have them make sure their shit doesn't break.      joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, November 04, 2003 5:22 PM To: [EMAIL PROTECTED] We have a domain about to go to native mode (2 others have already switched with absolutely no problems, of course.) This last domain is the result of an acquisition, and there is a skeptical staff of developers there who are trying to push back the change saying they need extensive testing in the lab beforehand (because they’re spooked by the “never go back” warning).   As much as I know Native Mode means I can never put a NT 4 BDC back in that domain (like I’d want to), I need industry expert back-up to the following facts I’d like to present:   Although the change is not reversible, we could restore from AD backup and be back where we were The change does not prevent downlevel applications or users from authenticating to the domain (PDCE is still present afterwards) Native Mode provides a few new capabilities we didn’t have before (Universal groups, nesting, etc.)   If I am incorrect on any of this *or* if you have some suggestions on things I should add, please let me know. Thanks guys, as always.   Mark Creamer Systems Engineer Cintas Corporation http://www.cintas.com Honesty and Integrity in Everything We Do