Re: Native Mode possible problems...help!
From: Brad (brad_at_redbeards.net)
Date: 11/05/04
- Next message: Todd J Heron: "Re: logon server"
- Previous message: Mostro: "Re: logon server"
- In reply to: Todd J Heron: "Re: Native Mode possible problems...help!"
- Next in thread: Todd J Heron: "Re: Native Mode possible problems...help!"
- Reply: Todd J Heron: "Re: Native Mode possible problems...help!"
- Messages sorted by: [ date ] [ thread ]
Date: 4 Nov 2004 16:08:29 -0800
Great, thanks a lot for your help.
Brad
"Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message news:<OskZOYiwEHA.1564@TK2MSFTNGP09.phx.gbl>...
> Yes, technically, going to native mode doesn't change the fact that those
> BDC servers are still domain controllers.
>
> Now, to figure out what domain controller authenticated you, open up a CMD
> prompt and type in the following and then press ENTER:
>
> echo %logonserver%
>
> --
> Todd J Heron, MCSE
> Windows 2003/2000/NT
>
> "Brad" <brad@redbeards.net> wrote in message
> news:3cb49ab6.0411031815.2055d183@posting.google.com...
> > "Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message
> > news:<eQ6LrIJwEHA.200@TK2MSFTNGP11.phx.gbl>...
> >> Let me clarify a bit - I hit the Send button too fast. Anyone who changes
> >> their password will still be able to logon to an NT 4.0 - but using their
> >> old password. The Windows 2000 DC will only accept the new password, for
> >> obvious reasons. And the users will not know (unless they are
> >> technically-savvy), which DC authenticated them. Now ask yourself, would
> >> you want to have this happening in your network, just for the sake of
> >> leaving old NT 4.0 BDC's around?
> >>
> >> Secondly, NT 4.0 workstations will slowly begin to reset their computer
> >> password with the PDCE (the default for NT 4.0 is 7 days), but when they
> >> later try to authenticate against one of the NT 4.0 BDCs, their secure
> >> channel will fail and the user will not be able to logon to the domain at
> >> all, with either the old or new password.
> >>
> >> --
> >> Todd J Heron, MCSE
> >> Windows 2003/2000/NT
> >>
> >> "Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message
> >> news:OJBueEJwEHA.1564@TK2MSFTNGP09.phx.gbl...
> >> > The NT 4.0 domain controllers will still be able to authenticate users,
> >> > but they will contain domain information which will slowly start to become
> >> > out-of-date, as the native-mode domain controllers running Windows 2000
> >> > Server will no longer share information with them, so for example anyone
> >> > who changes their password may not be able to access domain resources if
> >> > their logon hit an old DC. In fact, they may not be able to logon at all
> >> > depending on which DC answers the authentication call first. Workstations
> >> > will slowly start to lose their secure channel with the domain. In
> >> > short, odd authentication errors will start occurring.
> >> >
> >> > Why not just upgrade the BDCs to Windows 2000 Server?
> >> >
> >> > --
> >> > Todd J Heron, MCSE
> >> > Windows 2003/2000/NT
> >> >
> >> > "Brad" <brad@redbeards.net> wrote in message
> >> > news:3cb49ab6.0411011711.69040ced@posting.google.com...
> >> >> Hello,
> >> >> I'm hoping someone can shed a little light on this subject. At my
> >> >> work, we are trying to get to a pure native mode environment.
> >> >> Currently, we have two domain controllers running Windows Server 2000.
> >> >> We also have about 7 old NT servers acting as BDC's. Thus, we are
> >> >> running in a mixed-mode environment. My question is if I "flip the
> >> >> switch" to native mode, will those 7 other NT BDC's (which are on the
> >> >> same domain) be able to authenticate...meaning will they be able to
> >> >> see the rest of the domain. I understand users won't be
> >> >> authenticating to them, I just want to make sure the NT servers will
> >> >> still work. For instance, the one is doing file sharing. Will users
> >> >> still be able to get to those files or will these NT BDC's just drop
> >> >> off the domain? Thanks for any help.
> >> >
> >> >
> >
> > Ok, so basically what you're saying is...even if I make the switch to
> > native mode and keep the NT4 BDC's unchanged, there is still the
> > possibility of someone authenticating to those NT4 servers (with old
> > credentials, eventually). So going to native mode doesn't change the
> > fact that those servers are still domain controllers, right? Ok, think
> > I got it now. On a side note, you mentioned about how a user might
> > know which domain controller authenticates them if they are tech
> > savvy. How can I verify which domain controller they authenticate
> > with if there are, say, 2 DC's on one subnet?
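
Added example, not part of the original thread: a logon-script check built on the `echo %logonserver%` tip above. It flags a session that was authenticated by one of the remaining NT 4.0 BDCs and then queries the workstation's secure channel. The BDC names in `LEGACY_BDCS` are constructed placeholders, and `nltest` is assumed to be installed (it ships with the Windows Support Tools).

```bat
@echo off
rem Added example: detect a logon that was answered by a legacy NT 4.0 BDC.
rem LEGACY_BDCS is a constructed placeholder list; substitute your own BDC names.
setlocal
set "LEGACY_BDCS=NT4BDC01 NT4BDC02"

rem LOGONSERVER is set at logon and has the form \\SERVERNAME.
if not defined LOGONSERVER (
    echo LOGONSERVER is not set in this session.
    exit /b 2
)

rem Strip the leading backslashes so the name can be compared directly.
set "DC=%LOGONSERVER:\=%"

rem Case-insensitive match of the authenticating DC against the legacy list.
set "STALE="
for %%S in (%LEGACY_BDCS%) do if /i "%%S"=="%DC%" set "STALE=1"

rem Report the state of this machine's secure channel to the domain.
rem nltest may need administrative rights for this query.
nltest /sc_query:%USERDOMAIN%

if defined STALE (
    echo WARNING: %USERNAME% was authenticated by legacy BDC %DC%.
    exit /b 1
)
echo OK: %USERNAME% was authenticated by %DC%.
exit /b 0
```

The exit code (0 current DC, 1 legacy BDC, 2 unknown) lets a logon script or inventory job collect which machines are still being answered by the old BDCs.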