Re: Native Mode possible problems...help!

From: Todd J Heron (todd_heron_no_spam_at_hotmail.com)
Date: 11/05/04


Date: Thu, 4 Nov 2004 19:12:58 -0500

You're welcome.

-- 
Todd J Heron, MCSE
Windows 2003/2000/NT
"Brad" <brad@redbeards.net> wrote in message 
news:3cb49ab6.0411041608.29833dd2@posting.google.com...
> Great, thanks a lot for your help.
>
> Brad
>
> "Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message 
> news:<OskZOYiwEHA.1564@TK2MSFTNGP09.phx.gbl>...
>> Yes, technically, going to native mode doesn't change the fact that those
>> BDC servers are still domain controllers.
>>
>> Now, to figure out what domain controller authenticated you, open up a CMD
>> prompt and type in the following and then press ENTER:
>>
>> echo %logonserver%
>>
>> -- 
>> Todd J Heron, MCSE
>> Windows 2003/2000/NT
>>
>> "Brad" <brad@redbeards.net> wrote in message
>> news:3cb49ab6.0411031815.2055d183@posting.google.com...
>> > "Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message
>> > news:<eQ6LrIJwEHA.200@TK2MSFTNGP11.phx.gbl>...
>> >> Let me clarify a bit - I hit the Send button too fast.  Anyone who changes
>> >> their password will still be able to log on to an NT 4.0 - but using their
>> >> old password.  The Windows 2000 DC will only accept the new password, for
>> >> obvious reasons.  And the users will not know (unless they are
>> >> technically-savvy) which DC authenticated them.  Now ask yourself, would
>> >> you want to have this happening in your network, just for the sake of
>> >> leaving old NT 4.0 BDCs around?
>> >>
>> >> Secondly, NT 4.0 workstations will slowly begin to reset their computer
>> >> password with the PDCE (the default for NT 4.0 is 7 days), but when they
>> >> later try to authenticate against one of the NT 4.0 BDCs, their secure
>> >> channel will fail and the user will not be able to log on to the domain at
>> >> all, with either the old or new password.
>> >>
>> >> -- 
>> >> Todd J Heron, MCSE
>> >> Windows 2003/2000/NT
>> >>
>> >> "Todd J Heron" <todd_heron_no_spam@hotmail.com> wrote in message
>> >> news:OJBueEJwEHA.1564@TK2MSFTNGP09.phx.gbl...
>> >> > The NT 4.0 domain controllers will still be able to authenticate users,
>> >> > but they will contain domain information which will slowly start to
>> >> > become out-of-date, as the native-mode domain controllers running
>> >> > Windows 2000 Server will no longer share information with them, so for
>> >> > example anyone who changes their password may not be able to access
>> >> > domain resources if their logon hit an old DC.  In fact, they may not be
>> >> > able to log on at all depending on which DC answers the authentication
>> >> > call first.  Workstations will slowly start to lose their secure channel
>> >> > with the domain.  In short, odd authentication errors will start
>> >> > occurring.
>> >> >
>> >> > Why not just upgrade the BDCs to Windows 2000 Server?
>> >> >
>> >> > -- 
>> >> > Todd J Heron, MCSE
>> >> > Windows 2003/2000/NT
>> >> >
>> >> > "Brad" <brad@redbeards.net> wrote in message
>> >> > news:3cb49ab6.0411011711.69040ced@posting.google.com...
>> >> >> Hello,
>> >> >> I'm hoping someone can shed a little light on this subject.  At my
>> >> >> work, we are trying to get to a pure native mode environment.
>> >> >> Currently, we have two domain controllers running Windows Server 2000.
>> >> >> We also have about 7 old NT servers acting as BDC's.  Thus, we are
>> >> >> running in a mixed-mode environment.  My question is if I "flip the
>> >> >> switch" to native mode, will those 7 other NT BDC's (which are on the
>> >> >> same domain) be able to authenticate...meaning will they be able to
>> >> >> see the rest of the domain.  I understand users won't be
>> >> >> authenticating to them, I just want to make sure the NT servers will
>> >> >> still work.  For instance, the one is doing file sharing.  Will users
>> >> >> still be able to get to those files or will these NT BDC's just drop
>> >> >> off the domain?  Thanks for any help.
>> >> >
>> >> >
>> >
>> > Ok, so basically what you're saying is...even if I make the switch to
>> > native mode and keep the NT4 BDC's unchanged, there is still the
>> > possibility of someone authenticating to those NT4 servers (with old
>> > credentials, eventually).  So going to native mode doesn't change the
>> > fact that those servers are still domain controllers, right?  Ok, think
>> > I got it now.  On a side note, you mentioned about how a user might
>> > know which domain controller authenticates them if they are tech
>> > savvy.  How can I verify which domain controller they authenticate
>> > with if there are, say, 2 DC's on one subnet?