Re: upgrading domain/forest function level question

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

---

• From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
• Date: Mon, 3 Jul 2006 23:21:20 +0200

---

If they need access to the NT 4.0 BDC, there is *really* no way to give
them access. A NT 4.0 BDC only hold a writeable copy of the SAM. You will
not be able to manually add this user account to the NT 4.0 BDC. Any new
users would not have access to the NT BDC.

actually I think you mean a read only copy when talking about BDCs.
However, when you having w2k clients/servers and higher AND kerberos
authentication is used the NT4 BDC would not be used for authentication.
Authentication would be done by de AD DCs including adding groups to the
access token. If data on the NT4 BDC is secured by groups there would no
issue, assuming those groups are already in the NT4 BDC before increasing
the DFL (!!!I guess!!!). If you would need to add new created group that
would NEVER replicate to the NT4 BDC and you would not be able to use it.
I don't recommend this scenario as you never know what else might go wrong!

A better way, although not supported by MS, would be to use UPromote and
demote the NT4 BDC to a NT4 member server.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Danny Sanders" <DSanders@xxxxxxxxxxxxxxx> wrote in message
news:uu4k0rtnGHA.3440@xxxxxxxxxxxxxxxxxxxxxxx

I read somewhere that I can upgrade the domain/forest and if I did the
domain would simply cease to replicate with the NT DC. If that is true,
is there any chance that client machines would still attempt to
authenticate through the NT DC?

Your problem would *really* come into play when adding new users to
domain. If you add them to the AD DC that new user's account will not be
replicated to the NT 4.0 BDC.

If they need access to the NT 4.0 BDC, there is *really* no way to give
them access. A NT 4.0 BDC only hold a writeable copy of the SAM. You will
not be able to manually add this user account to the NT 4.0 BDC. Any new
users would not have access to the NT BDC.

hth
DDS W 2k MVP MCSE

<google@xxxxxxxxxxxxx> wrote in message
news:1151886682.575183.53950@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I have a single domain forest with a four Windows 2003 domain
controllers and one NT4 domain controller. I would like to upgrade the
domain and forest to 2003 function level, but at this time I can
neither upgrade nor retire the NT domain controller. Am I stuck in
mixed mode or can I still upgrade the function level anyway?

I read somewhere that I can upgrade the domain/forest and if I did the
domain would simply cease to replicate with the NT DC. If that is true,
is there any chance that client machines would still attempt to
authenticate through the NT DC?

Finally, does the domain/forest function level have any bearing on
whether or not I can run Exchane in native mode? Currently, I have
three Exchange servers (all 2003) running in mixed mode. Is it possible
and/or safe to switch Exchange to native mode?

Any insight would be greatly appreciated.

thank you

.

---

• Follow-Ups:
  • Re: upgrading domain/forest function level question
    • From: Danny Sanders

• References:
  • upgrading domain/forest function level question
    • From: google
  • Re: upgrading domain/forest function level question
    • From: Danny Sanders

• Prev by Date: Re: Group Policy work around
• Next by Date: Re: upgrading domain/forest function level question
• Previous by thread: Re: upgrading domain/forest function level question
• Next by thread: Re: upgrading domain/forest function level question
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: upgrading domain/forest function level question ... A NT 4.0 BDC only hold a writeable copy of the SAM. ... authentication is used the NT4 BDC would not be used for authentication. ... (microsoft.public.win2000.active_directory) Re: Old BDC cant see/sync with new 2003 AD ... Since you installed a new box you created a new domain so the NT4 BDC has no ... PDC to sync with and knows absolutely nothing about this new domain even ... The primary site had the PDC while the ... (microsoft.public.windows.server.migration) Re: Old BDC cant see/sync with new 2003 AD ... >PDC to sync with and knows absolutely nothing about this ... >this new domain and the BDC will have to be rebuilt(only ... >domain with a NT4 BDC). ... >> or do a fresh install of the OS (in which case I would ... (microsoft.public.windows.server.migration) Re: Question about NT4 BDCs ... If you configure the function level as interim mode, the NT4 BDC will still ... (microsoft.public.windows.server.migration) Re: Backout from Native Mode ... > I created two user accounts on the PDC and they replicated to the BDC. ... The two user account objects were there. ... >> Paul Williams ... (microsoft.public.win2000.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Win2000  > microsoft.public.win2000.active_directory  > 2006-07