Wednesday, November 02, 2005

AD Mixed or Native mode

By default, a Windows 2000 (Win2K) domain operates in mixed mode, which lets Win2K and Windows NT domain controllers coexist. During a migration to Win2K, mixed mode lets the remaining NT domain controllers keep offering domain services. After you've upgraded or retired every NT domain controller, switch the domain from mixed mode to native mode, which doesn't support NT domain controllers at all. Before you switch, though, you need to understand the differences between the two modes. Depending on your organization, when you convert to native mode can be a critical decision with major implications: the conversion is one-way, and there's no going back.

Mixed Mode
In mixed mode, one Win2K domain controller acts as the PDC that the NT BDCs expect to see. By default, the first domain controller installed in a Win2K domain holds this PDC emulator role. There can be only one PDC emulator per domain, and you can transfer the role to any domain controller in the domain. The PDC emulator performs several important tasks in mixed mode, including:

Acting as the PDC for the NT BDCs and replicating account information to them.

Handling account modifications from down-level clients and BDCs, including password changes.

Acting as the domain master browser for NT clients.

Providing NT LAN Manager (NTLM) authentication for clients that can't use Kerberos.

Taking part in Active Directory (AD) replication with the other Win2K domain controllers while also pushing NT-style SAM replication to the BDCs.

If a site in a mixed-mode domain contains Win2K clients, make sure there's at least one Win2K domain controller in that site: Win2K clients first try to locate a Win2K domain controller through the SRV records in DNS. If a client can't find one, it falls back to an NTLM logon against an NT domain controller. NT domain controllers don't process Group Policy, so those Win2K client users get neither the group policies nor the AD-based logon scripts.

In mixed mode, NT client users can't change their passwords unless the PDC emulator (one of the operations master roles) is available. The PDC emulator keeps a role even in native mode: password changes are replicated to it ahead of normal replication, a logon that fails against another domain controller is retried against it in case the password is stale, and it processes account lockouts.

Another operations master that must be available in mixed mode is the RID operations master. It hands out pools of relative IDs (RIDs) to the domain controllers, which need them to build the SIDs of new users, groups and computers; the PDC emulator in particular needs RIDs to create the accounts that NT clients and NT administrative tools request through it. You'll also have to work through the differences between NT's LAN Manager Replication (LMRepl) service and Win2K's File Replication Service (FRS): the two use different mechanisms and don't replicate to each other, so logon scripts and policy files won't flow between NT BDCs and SYSVOL on their own.

Native Mode
As I mentioned earlier, native mode doesn't support NT domain controllers; every domain controller must run Win2K. NT workstations and member servers, however, remain fully supported in a native-mode domain.

Major advantages of native mode include support for universal security groups and nested groups, and Kerberos transitive trusts that can be used throughout without any NT domain controllers in the picture. One of the biggest drawbacks of mixed mode is scalability: because the PDC emulator must replicate the account data to NT BDCs, the domain is effectively held to the NT SAM's practical limit of about 40MB. Win2K domains in a forest are linked by automatic two-way transitive Kerberos trusts. NT domain controllers don't understand Kerberos or transitive trusts, so any NT domain you still need to authenticate against has to be connected with explicit (manual) one-way NTLM trusts, one for each direction you need.

Win2K clients process Group Policy, and there's a Group Policy setting that lets Win2K clients also apply NT-style system policies, but I'd caution against enabling it. NT clients understand only system policies, not Group Policy, so even in a Win2K network your NT clients can still be managed with NT system policies. Problems arise when both system policies and group policies are in effect on the same Win2K clients: system policies write straight into the registry, override the corresponding Group Policy settings, and stay there (tattooing) even after the policy no longer applies. One solution is to keep your group policies and system policies consistent with each other, which is easier said than done. Once you've switched to native mode and the NT clients are gone, you only have to deal with Win2K's Group Policy.

You should now have a better picture of the trade-offs between the two modes. Most organizations will want to switch to native mode sooner rather than later. If you're holding off because you suspect you'll need to add NT BDCs later, don't: you can always create a new domain in your Win2K forest, which installs in mixed mode by default, and add the NT BDCs to that domain.
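As an added example (not from the original post), here is a PowerShell pre-flight script that checks the points above before you make the one-way switch: it reports the current mode, inventories the domain controllers and their operations-master roles, flags any server trust account that looks like an NT BDC, confirms the PDC emulator and RID master answer, warns about sites with no Win2K domain controller, and only raises the domain to native mode when run with -Commit. It uses the .NET System.DirectoryServices.ActiveDirectory classes, so it runs from a domain-joined XP/2003-or-later management machine with Windows PowerShell rather than on the Win2K domain controllers themselves. The script name, the -Commit switch and the BDC heuristic are my own, not anything Microsoft ships.

```powershell
<#
  Test-NativeModeReady.ps1 -- added example, not from the original post.
  Pre-flight check before raising a Windows 2000 domain from mixed to native mode.
  Uses the .NET System.DirectoryServices.ActiveDirectory classes; runs from any
  domain-joined XP/2003-or-later box with Windows PowerShell, no AD module needed.
  Run as a domain administrator. Everything reported is read from your own domain.
#>
param([switch]$Commit)   # without -Commit the script only reports; nothing is changed

Add-Type -AssemblyName System.DirectoryServices
$problems = @()
$warnings = @()

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Domain {0}: current mode is {1}" -f $domain.Name, $domain.DomainMode

# The same fact as AD stores it: nTMixedDomain on the domain naming context (1 = mixed, 0 = native).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [ADSI]("LDAP://" + $rootDse.Get("defaultNamingContext"))
"nTMixedDomain = {0}" -f $domainNc.Get("nTMixedDomain")

# 1. Inventory the AD (Win2K or later) domain controllers: site, OS and operations-master roles.
$dcs = @($domain.DomainControllers)
foreach ($dc in $dcs) {
    $roles = @($dc.Roles | ForEach-Object { $_.ToString() }) -join ","
    "{0,-28} site={1,-14} os={2,-24} roles={3}" -f $dc.Name, $dc.SiteName, $dc.OSVersion, $roles
}

# 2. Look for NT BDCs. Their computer accounts carry SERVER_TRUST_ACCOUNT (0x2000) but have no
#    NTDS Settings object, so they never show up in $domain.DomainControllers.
#    Heuristic (my assumption): a server trust account whose name matches no AD DC is a BDC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainNc)
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
$adDcShortNames = $dcs | ForEach-Object { ($_.Name -split '\.')[0].ToUpper() }
foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties["samaccountname"][0]
    if ($adDcShortNames -notcontains $sam.TrimEnd('$').ToUpper()) {
        $problems += "$sam is a server trust account with no NTDS Settings object (probably an NT BDC); upgrade or remove it first"
    }
}

# 3. The two operations masters that mixed mode depends on must be reachable.
$masters = @(
    @{ Role = "PDC emulator"; Dc = $domain.PdcRoleOwner; Why = "NT clients cannot change passwords" },
    @{ Role = "RID master";   Dc = $domain.RidRoleOwner; Why = "no new SIDs can be allocated" }
)
foreach ($m in $masters) {
    if (Test-Connection -ComputerName $m.Dc.Name -Count 1 -Quiet) {
        "{0,-13} {1} reachable" -f $m.Role, $m.Dc.Name
    } else {
        $problems += "{0} {1} is unreachable: {2}" -f $m.Role, $m.Dc.Name, $m.Why
    }
}

# 4. A site with no AD domain controller at all: Win2K clients there fall back to an NTLM logon
#    against an NT DC and get neither Group Policy nor AD logon scripts. Reported as a warning,
#    because a client-only site deliberately covered from another site also trips this check.
foreach ($site in $domain.Forest.Sites) {
    if ($site.Servers.Count -eq 0) {
        $warnings += "site $($site.Name) has no Win2K domain controller; Win2K clients there get no Group Policy"
    }
}
$warnings | ForEach-Object { "WARNING: $_" }

if ($problems.Count -gt 0) {
    "Not ready for native mode. Fix these first:"
    $problems | ForEach-Object { " - $_" }
    exit 1
}

if ($Commit) {
    # One-way: there is no supported path from native back to mixed mode.
    $domain.RaiseDomainFunctionality([System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000NativeDomain)
    "Domain {0} raised to native mode." -f $domain.Name
} else {
    "Pre-flight clean. Re-run with -Commit to raise the domain to native mode (irreversible)."
}
```

Run it once without -Commit and read the inventory: every DC should list a Win2K or later OS, the PDC emulator and RID master should both answer, and no server trust account should be flagged. Only then run it again with -Commit. The same .NET call behind -Commit is what the Active Directory Domains and Trusts snap-in performs when you click "Change Mode", and it is just as irreversible.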
