RE: permissions compatible with pre-Win2000 servers
- From: v-rebc@xxxxxxxxxxxxxxxxxxxx ("Rebecca Chen [MSFT]")
- Date: Wed, 06 Jul 2005 12:37:30 GMT
Hi John,
Based on your reply, the NT machine which is running SQL 7 is not a PDC or BDC,
so it should be a workstation. It seems there will be no NT DC in the future,
so you can raise it to win2k native mode; if win2k will never be used,
you can raise to win2k3 native mode.
With regards to the anonymous connection to SQL, you'd better consult the
database administrator to make sure there is no risk on anonymous
connections; you can then choose not to select this option. My experience is
that SQL should not allow anonymous connections and you don't need to choose
the option.
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: John Mattern <JohnMattern@xxxxxxxxxxxxxxxxxxxxxxxxx>
>Subject: RE: permissions compatible with pre-Win2000 servers
>Date: Tue, 5 Jul 2005 06:20:04 -0700
>Newsgroups: microsoft.public.windows.server.migration
>
>Rebecca,
>
>Thanks for replying to my post.
>
>The NT machine is a simple NT4 server, not a PDC, BDC or workstation. When
>we upgraded, we chose to take all BDCs permanently offline (very old
>hardware), and upgraded our single PDC to a DC running 2003 AD Interim,
>adding 2 additional DCs for redundancy.
>
>Our concern is for our NT4 servers that are dedicated to running SQL7 (they
>run nothing else) and the message
>
> "Permissions compatible with pre-Windows2000 servers".
> "Select this option if you run server programs on pre-
> Windows2000 servers or on Windows2000 Servers that are
> members of pre-Windows2000 domains."
>
>I am not aware that we use anonymous connections to access SQL since all DB
>access is either via local SQL account (with name & password) and
>NT-integrated.
>
>My problem is that the above warning is quite general (SQL is literally a
>"server program running on a pre-Windows2000 Server") and therefore ominous
>and doesn't say anything about a reason such as anonymous connections. I
>will happily read the articles you referenced and hopefully this is all there
>is to it.
>
>Thanks very much.
>
>John
>
>"Rebecca Chen [MSFT]" wrote:
>
>> Hi John,
>>
>> I have not quite caught your meaning and would like to confirm my
>> understanding with you:
>> Do you worry about the option "Permissions compatible with pre-Windows2000
>> servers"?
>> Is the NT machine the BDC, PDC or a workstation? Do you refer "member
>> server" to "workstation NT"?
>>
>> Technically speaking, I recommend you choose "Permissions compatible with
>> pre-Windows2000 servers" since there is an NT server with SQL 7.0 running
>> in the network. Your understanding is correct that this option allows
>> Anonymous users to read information on this domain as described in the
>> article below. However, if you don't use Anonymous in SQL server or for
>> other application, you don't need to choose this option.
>> Description of Dcpromo Permissions Choices
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;257988
>>
>> With regards to the function level, you can choose "interim mode" if the
>> NT machine is a domain controller. If the NT is not the domain controller, PDC
>> or BDC, you can go ahead to raise the domain function level to win2k3
>> native mode if there is no win2k DC in the network and you don't intend to
>> add any win2k DC as well as in the remote site. Otherwise, you can switch
>> to win2k Native mode so that you can replicate between win2k3 and win2k DCs.
>>
>> The following article has addressed Domain functional level:
>> How to raise domain and forest functional levels in Windows Server 2003
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;322692
>>
>> Any update, let's get in touch!
>>
>> Best regards,
>>
>> Rebecca Chen
>>
>> MCSE2000 MCDBA CCNA
>>
>> --------------------
>> >From: John Mattern <JohnMattern@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >Subject: permissions compatible with pre-Win2000 servers
>> >Date: Fri, 1 Jul 2005 12:35:02 -0700
>> >Newsgroups: microsoft.public.windows.server.migration
>> >
>> >We just migrated an NT4 domain (15 servers/200 clients) to Win2003 AD. It
>> >went smoothly except for one dialogue box that spooked us into choosing
>> >
>> > "Permissions compatible with pre-Windows2000 servers".
>> > "Select this option if you run server programs on pre-
>> > Windows2000 servers or on Windows2000 Servers that are
>> > members of pre-Windows2000 domains."
>> >
>> >Our SQL7 servers (e.g. "server programs") run on NT4 member servers; as a
>> >result, with SQL being critical to our business, we chickened out and kept
>> >the pre-Win2000 perms and also decided to avoid raising the Windows domain
>> >functional level to native mode.
>> >
>> >I realize that pre-Win2000 compatible perms refers to allowing the Everyone
>> >group into the Pre-Windows 2000 Compatible Access group; I always thought
>> >this mattered mainly for NT RAS servers but taking this dialogue literally, I
>> >don't want something with SQL7 running on NT member servers to break and then
>> >have only myself to blame for not having heeded this message. In case anyone
>> >suggests that only DCs are involved with going native, I would say "yes, I
>> >think this too" but when Microsoft presents such a message, I'd better have
>> >some valid justification for not taking it very literally.
>> >
>> >We want to strengthen the perms and then go native for a variety of good
>> >reasons but does Microsoft mean that SQL7 might be broken if we use it on NT4
>> >member servers in an AD domain? It is literally an "application" running on
>> >NT4 which is a "pre-Windows2000 server". This MS statement seems to suggest
>> >I should first upgrade the OS on which SQL7 runs from NT to 2000/2003 before
>> >proceeding with any more domain work; we intend to upgrade SQL to 2000 or
>> >2005 (we already purchased the licensing for this) but this will have to be
>> >an implementation for another time.
>> >
>> >Is there any danger in going with the post WinNT perms and then shifting the
>> >domain to native mode or are we being overly cautious? I am sure we are
>> >being too cautious but would someone please tell me why? We would also
>> >appreciate hearing of anyone who runs SQL7/NT4 servers under a Win2000 or
>> >Win2003 AD without the compatibility permissions and possibly in a native
>> >mode domain.
>> >
>> >Please forgive the length of my post and I thank you in advance.
>> >
>> >
>>
>>
>
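
The thread turns on whether Everyone (and with it anonymous users) sits in the Pre-Windows 2000 Compatible Access group. The following is an added example, not part of the original posts or any Microsoft code, that reports which choice is actually in effect in a domain. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the helper name `Get-PreWin2000Finding` is hypothetical.

```powershell
# Added example: audit the Pre-Windows 2000 Compatible Access group.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Well-known SIDs, identical in every Windows domain.
$GroupSid = 'S-1-5-32-554'       # BUILTIN\Pre-Windows 2000 Compatible Access
$Broad = @{
    'S-1-1-0' = 'Everyone'
    'S-1-5-7' = 'Anonymous Logon'
}

# Hypothetical helper: classify the DNs found in the group's "member" attribute.
function Get-PreWin2000Finding {
    param([string[]]$MemberDn)
    foreach ($dn in $MemberDn) {
        # Well-known principals are stored as
        # CN=<SID>,CN=ForeignSecurityPrincipals,DC=...
        $sid = $null
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
            $sid = $Matches[1]
        }
        $isBroad = ($null -ne $sid) -and $Broad.ContainsKey($sid)
        [pscustomobject]@{
            Member  = $dn
            Sid     = $sid
            Name    = if ($isBroad) { $Broad[$sid] } else { $null }
            Finding = if ($isBroad) {
                          'REVIEW: pre-Windows 2000 compatible permissions in effect'
                      } else {
                          'ok'
                      }
        }
    }
}

# Read the group by SID so the check does not depend on a localized group name.
$group = Get-ADGroup -Identity $GroupSid -Properties member
Get-PreWin2000Finding -MemberDn $group.member | Format-Table -AutoSize
```

A row flagged REVIEW means the compatibility option discussed in the thread is active; whether a legacy server still depends on it is the question to settle with the application owner before removing the member.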