Re: Native Mode possible problems...help!


From: Brad (brad_at_redbeards.net)
Date: 11/04/04


Date: 3 Nov 2004 18:15:48 -0800


"Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message news:<eQ6LrIJwEHA.200@TK2MSFTNGP11.phx.gbl>...
> Let me clarify a bit - I hit the Send button too fast. Anyone who changes
> their password will still be able to logon to an NT 4.0 - but using their
> old password. The Windows 2000 DC will only accept the new password, for
> obvious reasons. And the users will not know (unless they are
> technically-savvy), which DC authenticated them. Now ask yourself, would
> you want to have this happening in your network, just for the sake of
> leaving old NT 4.0 BDC's around?
>
> Secondly, NT 4.0 workstations will slowly begin to reset their computer
> password with the PDCE (the default for NT 4.0 is 7 days), but when they
> later try to authenticate against one of the NT 4.0 BDCs, their secure
> channel will fail and the user will not be able to logon to the domain at
> all, with either the old or new password.
>
> --
> Todd J Heron, MCSE
> Windows 2003/2000/NT
>
> "Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message
> news:OJBueEJwEHA.1564@TK2MSFTNGP09.phx.gbl...
> > The NT 4.0 domain controllers will still be able to authenticate users,
> > but they will contain domain information which will slowly start to become
> > out-of-date, as the native-mode domain controllers running Windows 2000
> > Server will no longer share information with them, so for example anyone
> > who changes their password may not be able to access domain resources if
> > their logon hit an old DC. In fact, they may not be able to logon at all
> > depending on which DC answers the authentication call first. Workstations
> > will slowly start to lose their secure channel with the domain. In
> > short, odd authentication errors will start occurring.
> >
> > Why not just upgrade the BDCs to Windows 2000 Server?
> >
> > --
> > Todd J Heron, MCSE
> > Windows 2003/2000/NT
> >
> > "Brad" <brad@redbeards.net> wrote in message
> > news:3cb49ab6.0411011711.69040ced@posting.google.com...
> >> Hello,
> >> I'm hoping someone can shed a little light on this subject. At my
> >> work, we are trying to get to a pure native mode environment.
> >> Currently, we have two domain controllers running Windows Server 2000.
> >> We also have about 7 old NT servers acting as BDC's. Thus, we are
> >> running in a mixed-mode environment. My question is if I "flip the
> >> switch" to native mode, will those 7 other NT BDC's (which are on the
> >> same domain) be able to authenticate...meaning will they be able to
> >> see the rest of the domain. I understand users won't be
> >> authenticating to them, I just want to make sure the NT servers will
> >> still work. For instance, the one is doing file sharing. Will users
> >> still be able to get to those files or will these NT BDC's just drop
> >> off the domain? Thanks for any help.
> >
> >

Ok, so basically what you're saying is...even if I make the switch to
native mode and keep the NT4 BDC's unchanged, there is still the
possibility of someone authenticating to those NT4 servers (with old
credentials, eventually). So going to native mode doesn't change the
fact that those servers are still domain controllers, right? Ok, think
I got it now. On a side note, you mentioned about how a user might
know which domain controller authenticates them if they are tech
savvy. How can I verify which domain controller they authenticate
with if there are, say, 2 DC's on one subnet?


