RE: [ActiveDir] native mode

[deji Agba]

Guido, John.   I (personally) don't think the biggest consideration in this "roll-back" plan is whether or not it can be done, or which methodology is more "supported" than the other. In my selfish opinion, the consideration should be what it will break. What it will break depends greatly on the length of time that has transpired between when the Native switch was flipped and when the roll-back trigger is being pulled AND what changes have occurred in the environment since that time For example, since you switched to Native mode, say you have upgraded your EXC 5.5 to 2000 and have your DLs converted to UGs. Then say you have done some fancy nesting that became available to you in Native mode. Say you have installed some ERP applications that have extended the Schema based on its Native status.   Now, regardless of HOW you do your roll-back and what type of convergence occurs, how would one address the new "orphans" that will be created now that Nativity is gone?   However, if Mark's original question - "Although the change is not reversible, we could restore from AD backup and be back where we were" - is along the line of "oh, [EMAIL PROTECTED], It didn't work, let's back out!!", then I completely agree with his line of thinking. But if it is along the line of "oh, yeah, we took a backup last month or 2 months ago before the switch", then I am afraid he may be seriously disappointed. As usual, I've been known to be wrong before.   Sorry about the long rant.   Sincerely, D�j� Ak�m�l�f�, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon From: GRILLENMEIER,GUIDO (HP-Germany,ex1) Sent: Wed 11/5/2003 11:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] native mode John - I've also had various discussions about this is likely not the case where "one solution fits all". While I agree it should be technically feasable to take a *healthy* backup of EVERY DC of a domain at roughly the *same* time (at least prior to switching the domain modes), you are getting into the "unsupported" area of things - that's why I said restoring one and re-promoting the others is "most supported".  As you mentioned, it's the procedure MS also supports for the forest recovery - although I hope nobody needs to go through this ;-)   I also agree that it's a lot of work, but how much work it really is mostly depends on how the network and sites are setup.  You'll certainly not like this approach with a lot of DCs in sites accross slow links (especially in 2k).   /Guido From: John Reijnders [mailto:[EMAIL PROTECTED] Sent: Donnerstag, 6. November 2003 08:01 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] native mode Interesting discussion ... you're telling that "any other option would be too risky". I've had this discussion with MS before and they (initially) said the exact same thing (you're scaring me Guido ;-) ... However, I'm convinced that restoring every single DC of a domain that was taken at a *healthy* point in time eventually leads to the same situation as restoring a single one and repromoting the rest. It's a matter of convergence ... Eventually the MS guys agreed with me (at least the ones I've discussed this issue with).   The best practice of restoring a single DC from backup and repromoting all others is described in the Forest Recovery white paper. However, in a situation in which you need a Forest Recovery a piece of "magic" has occurred that corrupted your complete forest. Unless you know how and when this corruption entered your AD it is wise to restore a single DC, test this one very thoroughly and then repromote the others, to make sure that you do not reintroduce the corruption. In the case of Mark, the "corruption" would be the switch to native mode, which is made at a specific point in time and can therefore be reverted by using backups from all other DCs. One of the advantages of restoring all DCs from backup is that you do not need to do any seizing of FSMOs, cleanup metadata and that kind of stuff.   Which method to choose is a matter of taste and also depends on your environment. Repromoting every single DC (except 1) is a hell of a job in large environments that have limited bandwidth like we European guys ;-). The install from media option in W2003 reduces the impact of repromotion in W2003 environments, but that's not what Mark is at I presume.   John From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED] Sent: woensdag 5 november 2003 22:04 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] native mode John - it sounds like Mark is talking about a 2000 domain - not that it makes too much of a difference, but 2000 doesn't know about functional levels (especially not about forest functional levels).  Mark, correct me if I'm wrong.   However, since in 2000 the domain mode really only effects the domain, you should be able to revert to mixed mode by turning back the clock.  I wouldn't do so by restoring every DC though - I'd just restore one (the PDCE) and then DCPROMO the rest. Any other option would be too risky - although the other suggestion made by Phil to keep one DC offline during the process and then if required to seize roles on it is also a good one. Nevertheless, all other DCs need to be cleaned from the metadata and re-promoted.  Not nice, but the "most supported" way.   Ofcourse, you'll want to discuss a point of no-return: this would be after you've started to leverage the new features of the native domain, such as creating Universal Security Groups and nesting these into UGs of other domains, leveraging SIDhistory (although I hear this also works in mixed mode, but is not supported...) From: John Reijnders [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 09:37 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] native mode The rollback possibility is a interesting issue. I've looked into this and came across the following quote from Microsoft: "While the Windows Server 2003 functional level provides a number of features and advantages, you might choose not to move to this functional level if your environment is not ready. For example, you might choose not to enable the Windows Server 2003 functional level for one of the following reasons: ... bla bla 1 bla bla 2 ... 3.You need to retain the ability to fall back to Windows NT 4.0."   This gives me the feeling that the "move to native mode rollback" is not possible/supported. But ... curious as I am ... why not? Of course, you can get in all sorts of trouble when you apply changes that use the native mode features. This could be the one and only reason why a rollback is not supported, but as a user/customer I want to be able to revert my changes whenever I don't like them :-) ... Let's dig into this ...   The ntMixedDomain attribute on the domainDNS object is set to 1 when a domain is converted to native mode. Looking at how functional levels operate in Windows 2003 domains... There's a new attribute in the schema, actually multiple attributes, but they're defined as msDS-Behavior-Version. For a domain functional level, it's written to the domain container. For a forest functional level, it's written to the partitions container.   So, I'm having the feeling that it is possible to revert the move to native mode by restoring EVERY DC in the DOMAIN with a backup made before the change. I don't think it's necessary to restore every DC in the FOREST because the ntMixedDomain attribute is stored in the domain partition, not in the configuration partition... However, undoing an increase in Forest Functional Level in Windows Server 2003 appears to need a restore of every DC in the forest...   Any other ideas?   Cheers! John   p.s. Throwing the users/developers in the dungeons like Joe suggests is probably a better idea .... uuuh, I mean test lab in stead of dungeon of course ;-) ...     From: Joe [mailto:[EMAIL PROTECTED] Sent: woensdag 5 november 2003 1:13 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] native mode 1. Theoretical until you have conclusively proved in your own lab. Most likely unsupported as a rollback mechanism by MS.   2. Not necessarily true. There have been scattered reports of Samba and other SMB emulation packages choking and also I have personally seen some weird stuff with group memberships. Specifically pre-Native mode we had the Everyone security principal in the Winds Users Group. Going to Native mode that didn't work any longer and I had to add Domain Users. MS PSS never was able to give me an explanation and since I had a workaround, I wasn't willing to keep paying for them to try and learn.   3. Absolutely. Domain Local Group Scope is a great one as well as same group nesting.     Personally, I would say throw the developers in the lab and have them make sure their shit doesn't break.      joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, November 04, 2003 5:22 PM To: [EMAIL PROTECTED] We have a domain about to go to native mode (2 others have already switched with absolutely no problems, of course.) This last domain is the result of an acquisition, and there is a skeptical staff of developers there who are trying to push back the change saying they need extensive testing in the lab beforehand (because they’re spooked by the “never go back” warning).   As much as I know Native Mode means I can never put a NT 4 BDC back in that domain (like I’d want to), I need industry expert back-up to the following facts I’d like to present:   Although the change is not reversible, we could restore from AD backup and be back where we were The change does not prevent downlevel applications or users from authenticating to the domain (PDCE is still present afterwards) Native Mode provides a few new capabilities we didn’t have before (Universal groups, nesting, etc.)   If I am incorrect on any of this *or* if you have some suggestions on things I should add, please let me know. Thanks guys, as always.   Mark Creamer Systems Engineer Cintas Corporation http://www.cintas.com/ Honesty and Integrity in Everything We Do