Hi Everyone,
 
More than a month ago there was a discussion about Domain/Forest Functional Levels and how to roll back. One of the other issues mentioned was application compatibility (see below). I know, maybe a bit late, but I think this is the answer to the questions still not answered (unless I missed something).
 
A few quotes:
 
APPLICATION/PROGRAM COMPATIBILITY:
Verify the compatibility of all programs or services with Windows Server 2003 domain controllers and Windows Server 2003 forest mode. Use lab environment to thoroughly test production programs and services for compatibility issues. Contact vendors for confirmation of capability.
ROLL BACK OF FUNCTIONALITY LEVEL:
Prepare a back out plan that includes one of the following:
  • Disconnect at least two domain controllers from each domain in the forest.
    -or-
  • Create a system state backup of at least two domain controllers from each domain in the forest.
Before the back out plan can be used, all domain controllers in the forest must be decommissioned before the recovery process. Note that level increases cannot be authoritatively restored. So all domain controllers that are replicated in the level increase must be decommissioned.
After all the previous domain controllers are decommissioned, bring up the disconnected domain controllers or restore the domain controllers from backup. Remove the metadata from all the other domain controllers, and then re-promote them. This is a non-trivial process and must be avoided.
 
 
So reverting to a previous functional level sounds like a Forest or Domain Recovery scenario. The complexity of reverting the functional level also depends on the changes implemented after the raising of the functional level. Undoing the raising of the functional level will also undo the changes implemented after the raising. Example: let's say you raised the domain functional level to use sIDHistory. After that an object migration was done. Undoing the functional level will also undo the object migration. This is one of the "simplest" examples (others: group nesting, universal security groups, etc.). It could get more complicated when Exchange is implemented throughout the forest after the raising of the functional level.
 
Microsoft's wording on undoing the raising of a functional level: THIS IS A NON-TRIVIAL PROCESS AND MUST BE AVOIDED. Just like the renaming or repositioning of W2K3 domains. That's also something you don't want to do! ;-)
 
Regards,
Jorge
 
PS1.: I'm new to this mailing list. I have been "listening" for about a month or so and I hope I can contribute to it.
PS2.: Have a nice Christmas and a happy ending!
 


From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 06, 2003 08:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

Interesting discussion ... you're saying that "any other option would be too risky". I've had this discussion with MS before and they (initially) said the exact same thing (you're scaring me Guido ;-) ... However, I'm convinced that restoring every single DC of a domain that was taken at a *healthy* point in time eventually leads to the same situation as restoring a single one and repromoting the rest. It's a matter of convergence ... Eventually the MS guys agreed with me (at least the ones I've discussed this issue with).
 
The best practice of restoring a single DC from backup and repromoting all others is described in the Forest Recovery white paper. However, in a situation in which you need a Forest Recovery a piece of "magic" has occurred that corrupted your complete forest. Unless you know how and when this corruption entered your AD it is wise to restore a single DC, test this one very thoroughly and then repromote the others, to make sure that you do not reintroduce the corruption. In the case of Mark, the "corruption" would be the switch to native mode, which is made at a specific point in time and can therefore be reverted by using backups from all other DCs. One of the advantages of restoring all DCs from backup is that you do not need to do any seizing of FSMOs, clean up metadata and that kind of stuff.
 
Which method to choose is a matter of taste and also depends on your environment. Repromoting every single DC (except 1) is a hell of a job in large environments that have limited bandwidth like we European guys ;-). The install from media option in W2003 reduces the impact of repromotion in W2003 environments, but that's not what Mark is at I presume.
 
John


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 22:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

John - it sounds like Mark is talking about a 2000 domain - not that it makes too much of a difference, but 2000 doesn't know about functional levels (especially not about forest functional levels).  Mark, correct me if I'm wrong.
 
However, since in 2000 the domain mode really only affects the domain, you should be able to revert to mixed mode by turning back the clock.  I wouldn't do so by restoring every DC though - I'd just restore one (the PDCE) and then DCPROMO the rest. Any other option would be too risky - although the other suggestion made by Phil to keep one DC offline during the process and then if required to seize roles on it is also a good one. Nevertheless, all other DCs need to be cleaned from the metadata and re-promoted.  Not nice, but the "most supported" way.
 
Of course, you'll want to discuss a point of no return: this would be after you've started to leverage the new features of the native domain, such as creating Universal Security Groups and nesting these into UGs of other domains, leveraging sIDHistory (although I hear this also works in mixed mode, but is not supported...)


From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 09:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

The rollback possibility is an interesting issue. I've looked into this and came across the following quote from Microsoft: "While the Windows Server 2003 functional level provides a number of features and advantages, you might choose not to move to this functional level if your environment is not ready. For example, you might choose not to enable the Windows Server 2003 functional level for one of the following reasons: ... bla bla 1 bla bla 2 ... 3. You need to retain the ability to fall back to Windows NT 4.0."
 
This gives me the feeling that the "move to native mode rollback" is not possible/supported. But ... curious as I am ... why not? Of course, you can get in all sorts of trouble when you apply changes that use the native mode features. This could be the one and only reason why a rollback is not supported, but as a user/customer I want to be able to revert my changes whenever I don't like them :-) ... Let's dig into this ...
 
The ntMixedDomain attribute on the domainDNS object is set to 1 when a domain is converted to native mode. Looking at how functional levels operate in Windows 2003 domains: there's a new attribute in the schema, actually multiple attributes, but they're defined as msDS-Behavior-Version. For a domain functional level, it's written to the domain container. For a forest functional level, it's written to the partitions container.
 
So, I'm having the feeling that it is possible to revert the move to native mode by restoring EVERY DC in the DOMAIN with a backup made before the change. I don't think it's necessary to restore every DC in the FOREST because the ntMixedDomain attribute is stored in the domain partition, not in the configuration partition... However, undoing an increase in Forest Functional Level in Windows Server 2003 appears to need a restore of every DC in the forest...
 
Any other ideas?
 
Cheers!
John
 
p.s. Throwing the users/developers in the dungeons like Joe suggests is probably a better idea .... uuuh, I mean test lab instead of dungeon of course ;-) ...
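An added example, not part of John's post or of any Microsoft document: it uses the modern ActiveDirectory PowerShell module (RSAT) to read the msDS-Behavior-Version and ntMixedDomain attributes John describes, and records the FSMO holders that Guido's "restore the PDCE, DCPROMO the rest" plan depends on, so the back-out plan Jorge quotes has an exact picture of the starting state. It assumes read access to the domain and configuration partitions; the output path is illustrative.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT)
# and read access to the domain and configuration naming contexts.
Import-Module ActiveDirectory

function Get-FunctionalLevelState {
    $rootDse = Get-ADRootDSE
    $domain  = Get-ADDomain
    $forest  = Get-ADForest

    # Domain functional level and the old mixed/native switch both live on the
    # domainDNS object at the root of the domain partition.
    $domainObj = Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'msDS-Behavior-Version', 'ntMixedDomain'

    # Forest functional level lives on CN=Partitions in the configuration partition.
    $partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"
    $partitions   = Get-ADObject -Identity $partitionsDn -Properties 'msDS-Behavior-Version'

    # FSMO holders and sites: the DCs you would restore first or keep disconnected.
    $dcs = Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            HostName = $_.HostName
            Site     = $_.Site
            Roles    = ($_.OperationMasterRoles -join ',')
        }
    }

    [pscustomobject]@{
        Domain                = $domain.DNSRoot
        DomainMode            = $domain.DomainMode
        DomainBehaviorVersion = $domainObj.'msDS-Behavior-Version'
        NtMixedDomain         = $domainObj.ntMixedDomain   # 1 = mixed mode, 0 = native mode
        Forest                = $forest.RootDomain
        ForestMode            = $forest.ForestMode
        ForestBehaviorVersion = $partitions.'msDS-Behavior-Version'
        DomainControllers     = $dcs
        Captured              = (Get-Date).ToString('o')
    }
}

# Capture the state before the raise; re-run afterwards and compare the two files.
$state = Get-FunctionalLevelState
$state | Format-List
$state | Export-Clixml -Path '.\functional-level-before.xml'   # illustrative path
```

Running the same function after the level increase and diffing the two XML exports shows exactly which attributes changed, which is the evidence you want attached to the system-state backups the back-out plan relies on.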
 
 


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 1:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] native mode

1. Theoretical until you have conclusively proved in your own lab. Most likely unsupported as a rollback mechanism by MS.
 
2. Not necessarily true. There have been scattered reports of Samba and other SMB emulation packages choking and also I have personally seen some weird stuff with group memberships. Specifically pre-Native mode we had the Everyone security principal in the Winds Users Group. Going to Native mode that didn't work any longer and I had to add Domain Users. MS PSS never was able to give me an explanation and since I had a workaround, I wasn't willing to keep paying for them to try and learn.
 
3. Absolutely. Domain Local Group Scope is a great one as well as same group nesting.
 
 
Personally, I would say throw the developers in the lab and have them make sure their shit doesn't break.
 
   joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, November 04, 2003 5:22 PM
To: [EMAIL PROTECTED]

We have a domain about to go to native mode (2 others have already switched with absolutely no problems, of course.) This last domain is the result of an acquisition, and there is a skeptical staff of developers there who are trying to push back the change saying they need extensive testing in the lab beforehand (because they're spooked by the "never go back" warning).

As much as I know Native Mode means I can never put a NT 4 BDC back in that domain (like I'd want to), I need industry expert back-up to the following facts I'd like to present:

  1. Although the change is not reversible, we could restore from AD backup and be back where we were
  2. The change does not prevent downlevel applications or users from authenticating to the domain (PDCE is still present afterwards)
  3. Native Mode provides a few new capabilities we didn't have before (Universal groups, nesting, etc.)

If I am incorrect on any of this *or* if you have some suggestions on things I should add, please let me know. Thanks guys, as always.

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do

 


This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.