Title: Message
People were scared of change. Change should cause concern but only enough to make sure the change is done correctly. Some people take it a bit far and use it as an excuse to never move forward. We have a ton of people in our company who feel we never should have come down out of the trees.... err I mean shouldn't have gotten off of mainframes. They still push on a daily basis to get us back there. Our email manager who "micromanages" the Exchange teams is one of those people. We have a conference room listing that has to be maintained on a flat file DN on a mainframe for him to believe anything about conference rooms which are maintained in AD and E2K. There isn't anything or anyone who could convince him that probably doesn't make sense. I tried, we found we had a huge disjoint of "thousands" of rooms. My solution was to keep all of the info in AD and have it auto updated when the rooms were registered with MS's AutoAccept Agent. Oh no, that is wrong, we need to make sure some person has to physically touch the data and move it to the mainframe so someone reads it on one window of a PC, types it into a 3270 Session Emulator Window. That is our method of tracking these conference rooms and how they should be configured...
 
I would say the CA tech support didn't know what they were doing. We get these kinds of responses out of EMC and others on a regular basis. Just because they have a product that runs on Windows doesn't mean they have a clue how it is supposed to run or what to do when it breaks.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Wednesday, February 11, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mixed Exchange and Mixed AD Modes

It wouldn’t be the first time I was mistaken :-) I’d rather you guys set the record straight…

 

The security package I saw in particular was eTrust Admin 1.2.  You’d load a server with eTrust Directory, and put an agent on NT4 and Win2k DCs and it provisioned users between the directories.  Well, my lab AD domain was in native mode, and it refused to connect to the domain, said it couldn’t find it or something like that.  I talked to CA tech support and they said that it’s “looking for an NT4 DC and that version doesn’t work with native mode.”  I rebuilt AD and left it in mixed mode and tried again, and then no problems.  Keep in mind, there was an agent on the DC itself, and it was not doing anonymous requests – it had a domain admin account to run under so it could create users.  I never looked into the issue very deeply because it was a good excuse to get the new and greatly improved version 2.0.  When I saw the eTrust issue and CA said it was native mode incompatibility, I took their word for it, partly because when I was reading all the RKs and books I could find on Win2k back then (around 2000-2001) there were tons of warnings about native mode being a one-way ticket and how it could break things that were looking for…. well that’s where it gets vague exactly what was supposed to break and why, but it scared everyone I knew and no one wanted to “risk” going to native mode.  I did try to reassure them (management, other techs) and the common concern was the misconception that downlevel clients would not work in native mode – that belief was very widespread.  But I never saw anything else break, and can’t seem to find the info on what it was people were so scared of. ??

 

Rich

 


From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 9:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mixed Exchange and Mixed AD Modes

 

I have to call you out on this one Rich... Sorry buddy. Times, places, and dates please. :oP

 

Authentication and machines looking for the PDC should have no problems. I have a ton of old NT4 code that hasn't the foggiest clue it runs against W2K whether in native or not.

 

I have seen an issue but it was in how the well known security principals were handled. I forwarded it to MS and they said nah and I said actually look at what I am saying and then they said... ooooh. And realized there were a couple of other places that could be impacted.

 

The issue was with the Everyone well-known principal in the WINS USERS group on domain controllers. In mixed mode, that will work and you have no issues. Going to native caused that to break on us. That was SP1 when I last tested it though, so possibly something since then has fixed the functionality. There was mention that that could possibly impact someone using, say, the DNS-specific admin groups etc. as well. My only experience is directly what I specified here.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, February 10, 2004 9:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mixed Exchange and Mixed AD Modes

Make a last check that you don’t have any older software that might be doing authentication that looks for an NT PDC, and that you don’t have any strange stuff that must be run on a DC.  I’ve seen a security admin package break when I switched to Native mode – native mode changes the security model for the domain and can sometimes break poorly written apps that do old-style authentication against NT.  Sorry I’m not being more specific on that, but I can’t recall the specifics of what changes as quickly as someone else here could probably point it out (please do people :-) ).  If you don’t have this concern either then I don’t know of any other issues you’d have.

Rich

 


From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 8:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Mixed Exchange and Mixed AD Modes

 

Should not be a problem at all.  You only need to stay in Mixed Mode if you have NT4 DCs which you don't.  External trusts will still work also.

 

Mike Celone

Systems Specialist

Radio Frequency Systems

v 203-630-3311 x1031

f 203-634-2027

m 203-537-2406

 

 


From: Jb Leney [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 8:57 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Mixed Exchange and Mixed AD Modes

Hi, this is a (hopefully) quick question that I have not had much luck researching.

 

We're running Exchange 5.5 and Exchange 2000. Our domain is in Mixed mode.

 

We have a business need to go to Native mode very soon, maybe even today.

 

We have no more NT4 DC's, although we do have two-way trusts with several NT4 domains.

 

Question: Will flipping the switch to Native mode negatively impact our Exchange site and/or any trust relationships?

 

Any advice would be greatly appreciated!

 

Thanks,

 

-Jbl

 

 

-------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
