RE: permissions compatible with pre-Win2000 servers



Rebecca,

Thanks for replying to my post.

The NT machine is a simple NT4 server, not a PDC, BDC or workstation. When
we upgraded, we chose to take all BDCs permanently offline (very old
hardware), and upgraded our single PDC to a DC running 2003 AD Interim,
adding 2 additional DCs for redundancy.

Our concern is for our NT4 servers that are dedicated to running SQL7 (they
run nothing else) and the message

"Permissions compatible with pre-Windows2000 servers".
"Select this option if you run server programs on pre-
Windows2000 servers or on Windows2000 Servers that are
members of pre-Windows2000 domains."

I am not aware that we use anonymous connections to access SQL since all DB
access is either via local SQL account (with name & password) or
NT-integrated.

My problem is that the above warning is quite general (SQL is literally a
"server program running on a pre-Windows2000 Server") and therefore ominous
and doesn't say anything about a reason such as anonymous connections. I
will happily read the articles you referenced and hopefully this is all there
is to it.

Thanks very much.

John

"Rebecca Chen [MSFT]" wrote:

> Hi John,
>
> I have not quite caught your meaning and would like to confirm my
> understanding with you:
> Are you worried about the option "Permissions compatible with
> pre-Windows2000 servers"?
> Is the NT machine the BDC, PDC or a workstation? Do you use "member
> server" to refer to "workstation NT"?
>
> Technically speaking, I recommend you choose "Permissions compatible with
> pre-Windows2000 servers" since there is an NT server with SQL 7.0 running
> in the network. Your understanding is correct that this option allows
> Anonymous users to read information on this domain as described in the
> article below. However, if you don't use Anonymous in SQL server or for
> other applications, you don't need to choose this option.
> Description of Dcpromo Permissions Choices
> http://support.microsoft.com/default.aspx?scid=kb;en-us;257988
>
> With regard to the function level, you can choose "interim mode" if the
> NT machine is a domain controller. If the NT machine is not the domain
> controller, PDC or BDC, you can go ahead and raise the domain function
> level to win2k3 native mode if there is no win2k DC in the network and you
> don't intend to add any win2k DC as well as in the remote site. Otherwise,
> you can switch to win2k Native mode so that you can replicate between
> win2k3 and win2k DCs.
>
> The following article has addressed Domain functional level:
> How to raise domain and forest functional levels in Windows Server 2003
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322692
>
> Any update, let's get in touch!
>
> Best regards,
>
> Rebecca Chen
>
> MCSE2000 MCDBA CCNA
>
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> >Thread-Topic: permissions compatible with pre-Win2000 servers
> >From: =?Utf-8?B?Sm9obiBNYXR0ZXJu?= <JohnMattern@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Subject: permissions compatible with pre-Win2000 servers
> >Date: Fri, 1 Jul 2005 12:35:02 -0700
> >Newsgroups: microsoft.public.windows.server.migration
> >
> >We just migrated an NT4 domain (15 servers/200 clients) to Win2003 AD. It
> >went smoothly except for one dialogue box that spooked us into choosing
> >
> > "Permissions compatible with pre-Windows2000 servers".
> > "Select this option if you run server programs on pre-
> > Windows2000 servers or on Windows2000 Servers that are
> > members of pre-Windows2000 domains."
> >
> >Our SQL7 servers (e.g. "server programs") run on NT4 member servers; as a
> >result, with SQL being critical to our business, we chickened out and kept
> >the pre-Win2000 perms and also decided to avoid raising the Windows domain
> >functional level to native mode.
> >
> >I realize that pre-Win2000 compatible perms refers to allowing the
> >Everyone group into the Pre-Windows 2000 Compatible Access group; I always
> >thought this mattered mainly for NT RAS servers but taking this dialogue
> >literally, I don't want something with SQL7 running on NT member servers
> >to break and then have only myself to blame for not having heeded this
> >message. In case anyone suggests that only DCs are involved with going
> >native, I would say "yes, I think this too" but when Microsoft presents
> >such a message, I'd better have some valid justification for not taking it
> >very literally.
> >
> >We want to strengthen the perms and then go native for a variety of good
> >reasons but does Microsoft mean that SQL7 might be broken if we use it on
> >NT4 member servers in an AD domain? It is literally an "application"
> >running on NT4 which is a "pre-Windows2000 server". This MS statement
> >seems to suggest I should first upgrade the OS on which SQL7 runs from NT
> >to 2000/2003 before proceeding with any more domain work; we intend to
> >upgrade SQL to 2000 or 2005 (we already purchased the licensing for this)
> >but this will have to be an implementation for another time.
> >
> >Is there any danger in going with the post WinNT perms and then shifting
> >the domain to native mode or are we being overly cautious? I am sure we
> >are being too cautious but would someone please tell me why? We would also
> >appreciate hearing of anyone who runs SQL7/NT4 servers under a Win2000 or
> >Win2003 AD without the compatibility permissions and possibly in a native
> >mode domain.
> >
> >Please forgive the length of my post and I thank you in advance.
> >
> >
>
>
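
The thread turns on whether the Everyone group (and with it anonymous callers) has been let into the Pre-Windows 2000 Compatible Access group. The following is an added example, not part of the original posts: a PowerShell check of that group's membership in the current domain. It assumes a management host with the ActiveDirectory module (RSAT), which postdates the servers discussed here; the variable names are illustrative.

```powershell
# Added example (not from the thread): report who is in the
# "Pre-Windows 2000 Compatible Access" group of the current domain.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Well-known SIDs; these are the same in every domain.
$groupSid = 'S-1-5-32-554'          # BUILTIN\Pre-Windows 2000 Compatible Access
$broad = @{
    'S-1-1-0' = 'Everyone'          # the principal the compatible-permissions choice lets in
    'S-1-5-7' = 'Anonymous Logon'   # anonymous (null session) callers
}

$group = Get-ADGroup -Identity $groupSid -Properties member

$report = foreach ($dn in $group.member) {
    # Well-known principals are stored as foreignSecurityPrincipal objects,
    # so classify by objectSid rather than by display name.
    $obj = Get-ADObject -Identity $dn -Properties objectSid
    $sid = ''
    if ($obj.objectSid) { $sid = $obj.objectSid.Value }

    $isBroad = $broad.ContainsKey($sid)
    $label = $obj.Name
    if ($isBroad) { $label = $broad[$sid] }

    [pscustomobject]@{
        Member = $label
        Sid    = $sid
        Class  = $obj.ObjectClass
        Broad  = $isBroad
    }
}

$report | Sort-Object Broad -Descending | Format-Table -AutoSize

if ($report | Where-Object { $_.Broad }) {
    Write-Warning 'Everyone or Anonymous Logon is a member: the compatible permissions are in effect.'
} else {
    Write-Output 'Neither Everyone nor Anonymous Logon is a member.'
}
```

Running it before and after a membership change gives a record of which setting is actually in effect while the NT4 SQL servers are being tested.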