Tim,

There are several differences, but most of them are unseen by the end users. Already mentioned is the use of Kerberos when running in native mode. Windows NT clients still use NTLM. With native mode you gain the capability to use nested groups and Universal Security Groups. As for the best time to switch: as soon as you have removed all your NT 4.0 BDCs and you are sure you will not have to reinstate them, make the switch to native mode.

Dennis Depp
Oak Ridge National Lab

-----Original Message-----
From: Dozal, Tim [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 6:39 PM
To: Tomasz Onyszko; [EMAIL PROTECTED]
Subject: RE: Active Directory Security Migration Questions:

So as I understand it from what people have sent back to me: the only difference between running in mixed or native mode is that you cannot have any NT 4 BDCs in native mode. Other than that the domain will behave similarly? If that's the case, is there any best practice available for when to use native and when to use mixed? And along this line, is there a security impact from those choices?

Tim Dozal
Lab Manager - ECSBU
Cisco Systems Inc.
e: [EMAIL PROTECTED]
p: (206)-256-2900 x3280
f: (206)-256-3640

-----Original Message-----
From: Tomasz Onyszko [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 15, 2002 3:25 PM
To: Dozal, Tim; [EMAIL PROTECTED]
Subject: Re: Active Directory Security Migration Questions:

Dozal, Tim <[EMAIL PROTECTED]> wrote in his message:

> I am no AD expert but my experience is that in Mixed mode you will use
> NTLM (i.e. NT 4) authentication (plain text transmission) when
> connecting between hosts on the network.

The older NTLM authentication is used in both modes (mixed and native) when the client can't use Kerberos v5 authentication, for example when you connect with a regular Windows 98 client to a Windows 2000 Server which is a member of an AD domain, and the Windows 98 client host is also a member of this domain. Any non-Kerberos-enabled client will use NTLM v1 or v2 authentication.

> If your infrastructure has any non-Windows 2000/XP machines then you
> must use mixed mode.

From my experience that is not true. In native mode you can use legacy non-Windows 2000 clients in your network. The only thing you can't use in this network is a Windows NT BDC. In mixed and native mode you can use NTLM v1 or v2 authentication if you don't disable this possibility through settings in the registry or through GPO.

Tomasz Onyszko
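As an added example that is not from any participant in this thread: before NTLM is disabled through the registry or GPO as described above, an administrator wants to know which accounts and workstations still log on with NTLM (and which still use NTLM v1) instead of Kerberos. The Python below classifies constructed samples of the message text of Windows Security event 4624 (successful logon) by its "Authentication Package" and "Package Name (NTLM only)" fields; the account and workstation names are made up.

```python
import re
from collections import Counter

# Constructed samples of the 4624 message body. Real events are exported with
# wevtutil or Get-WinEvent; only the fields matched by FIELD_RE matter here.
SAMPLE_EVENTS = [
    "Event ID: 4624\nAccount Name: alice\nWorkstation Name: WS01\nLogon Type: 3\n"
    "Authentication Package: Kerberos\nPackage Name (NTLM only): -\n",
    "Event ID: 4624\nAccount Name: bob\nWorkstation Name: WIN98-LAB\nLogon Type: 3\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V1\n",
    "Event ID: 4624\nAccount Name: svc_backup\nWorkstation Name: FILESRV\nLogon Type: 3\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V2\n",
]

FIELD_RE = re.compile(
    r"^\s*(Account Name|Workstation Name|Logon Type|Authentication Package|"
    r"Package Name \(NTLM only\)):(.*)$",
    re.MULTILINE,
)

def parse_event(text):
    """Extract the fields of interest. A full 4624 body lists 'Account Name' twice
    (Subject and New Logon); the later, New Logon value wins in this dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(text)}

def classify(event):
    """Return 'kerberos', 'ntlmv1', 'ntlmv2' or 'other' for one parsed event.
    The LM package name is checked first because NTLM can also be selected
    underneath an 'Authentication Package: Negotiate' logon."""
    lm_package = event.get("Package Name (NTLM only)", "-").upper()
    if lm_package == "NTLM V1":
        return "ntlmv1"
    if lm_package == "NTLM V2":
        return "ntlmv2"
    if event.get("Authentication Package") == "Kerberos":
        return "kerberos"
    return "other"

def ntlm_report(events):
    """Count logons per protocol and list (account, workstation, protocol) for
    every NTLM logon, i.e. the clients that would break if NTLM were disabled."""
    counts = Counter()
    ntlm_logons = []
    for text in events:
        event = parse_event(text)
        protocol = classify(event)
        counts[protocol] += 1
        if protocol.startswith("ntlm"):
            ntlm_logons.append((event.get("Account Name"), event.get("Workstation Name"), protocol))
    return counts, ntlm_logons
```

Running ntlm_report over the sample yields one Kerberos logon and two NTLM logons, with the Windows 98 lab host flagged as the NTLM v1 user to address first.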