Re: 2003 native mode with NT4 DC's


From: Doug Frisk (PublicNews_at_removeme.fazwak.com)
Date: 02/03/05


Date: Wed, 2 Feb 2005 20:40:13 -0600


"James" <lynxo78@nospamherexxx.hotmail.com> wrote in message
news:420168a0$0$29373$45beb828@newscene.com...
> Hi,
>
> If I have a 2003 native mode domain with NT4 DC's, will the NT4 ones still
> attempt to authenticate clients?

Yep. They'll also still attempt to replicate account information from the
PDC emulator, but will be refused, making them forever out of date. This
could eventually lead to an account that has had a password changed being
validated under the old password which is on the BDC, or an account that's
been disabled or even deleted being authenticated by the BDC. (Now, given
that these accesses would be rejected by any servers participating in the
"real" domain, the security threat isn't perilous, but the confusion threat
is off the scale.)

Past that, any application running on a DC will find in the local NetBIOS
name cache the <1C> "I'm a domain controller" record, so all apps running on
the NT4 DCs will authenticate with the local DC only.

>
> I am faced with a scenario where I want to move a mixed mode 2003/NT4
> domain
> to native mode, but it will not be easy, for other reasons to decommission
> the NT4 DC's, as they run other key applications.

See above, the apps *will* have authentication issues *at the least*.

> If they will still pose a
> potential problem, is there anyway to tell them not to be a DC without
> removing them from the domain?

There is no supported method of "demoting" an NT4 Domain controller.

> The primary reason I need to move the mixed mode domain to native, is
> because exchange 5.5 will be migrated to 2003 (mixed mode method). There
> are
> lots of public folders with exchange 5.5 distribution lists for
> permissions.
> These will not work if a domain is in mixed mode, with a mixed exchange
> 5.5/2003 org, as universal security groups cannot be used in a mixed mode
> domain. I'd rather avoid having to re-permission the public folders with
> individual accounts...hence the reason for this.
>
> Clients are 98-XP. WINS is used.

Do what it takes to move the apps over to other member servers.

Going native with NT4 DCs still functioning is pointing a gun at your head.
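Added example, not part of the thread and not code from either poster: a pre-flight inventory, in PowerShell with the ActiveDirectory module (RSAT), that lists every computer account carrying the domain-controller flag (SERVER_TRUST_ACCOUNT, 0x2000, in userAccountControl) and reports those that Get-ADDomainController does not know as Active Directory DCs. In a mixed-mode domain the difference is, as a working assumption, the NT4 BDCs Doug warns about, so running this before raising the functional level shows what would be left behind serving stale credentials. It assumes rights to read computer objects and that the NT4 BDC accounts still exist in the directory.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT)
# and a user that can read computer objects in the domain.
# Purpose: find NT4-style BDC accounts before going native, so none is left
# behind to validate old passwords or disabled/deleted accounts.
Import-Module ActiveDirectory

# Every DC's computer account has SERVER_TRUST_ACCOUNT (0x2000) set in
# userAccountControl. NT4 BDCs carry it too, but have no NTDS Settings object,
# so Get-ADDomainController does not list them (assumption used for the diff).
$ServerTrust = 0x2000
$ldapFilter  = "(userAccountControl:1.2.840.113556.1.4.803:=$ServerTrust)"

$flaggedAsDc = Get-ADComputer -LDAPFilter $ldapFilter `
    -Properties operatingSystem, operatingSystemVersion, lastLogonTimestamp

# Names of DCs the directory itself recognises as AD domain controllers.
$adDcNames = (Get-ADDomainController -Filter *).Name

# Anything flagged as a DC but not an AD DC is a candidate NT4 BDC.
$suspects = $flaggedAsDc | Where-Object { $adDcNames -notcontains $_.Name }

foreach ($c in $suspects) {
    # lastLogonTimestamp is a FILETIME; "never" if the attribute is empty.
    $lastLogon = if ($c.lastLogonTimestamp) {
        [DateTime]::FromFileTime($c.lastLogonTimestamp)
    } else { 'never' }

    [PSCustomObject]@{
        Name      = $c.Name
        OS        = $c.operatingSystem
        OSVersion = $c.operatingSystemVersion
        LastLogon = $lastLogon
        DN        = $c.DistinguishedName
    }
}

if (-not $suspects) {
    Write-Output "No DC-flagged computer accounts outside the AD DC list."
}
```

An empty result is what you want to see before raising the level. For the NetBIOS side of Doug's point, `nbtstat -c` on one of the NT4 machines shows the local name cache, including any <1C> domain-controller entries that would keep its applications pinned to the local (stale) DC.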


