Whew. You have a job ahead of you and that's the truth. Forget the technical challenges. You're entering a minefield of fanatical operational beliefs. Even Salman Rushdie would not envy your position.
Okay, first things first. You can't use Windows 2000 group policies to control anything other than Windows 2000 machines. Policies rely on client-side extensions that are not present on downlevel Windows clients and certainly not on Linux clients.
Picking a DNS server is a matter of your own background and comfort level. If you are familiar with BIND and you are running a version that supports Service Locator Records (SRV) and (optional but preferable) dynamic updates, then by all means use a Linux or Unix server for DNS. If you are more familiar with NT DNS, then you should install a Windows 2000 server and put the primary DNS zones on that server. There are some advantages to using Windows 2000 DNS because you can integrate the zones into Active Directory. This gives you multiple master DNS (contrasted with a single primary master in BIND) and a rudimentary form of secure updates. But neither of these is sufficiently interesting to move away from BIND if that's what you're currently using.
Network authentication is also fairly straightforward. I'm assuming that you're already running SAMBA if you're in a mixed environment. A SAMBA client can authenticate in a Windows 2000 domain using NTLM Challenge-Response, just like a downlevel Windows client. If you want to take advantage of Kerberos authentication, you can configure your Linux/UNIX clients for Kerberos and point them at a Windows 2000 domain controller as a Key Distribution Center (KDC). Unfortunately, this will not give your Linux/UNIX clients full Windows 2000 authorization because only Windows 2000 clients know how to extract the Privilege Access Certificate (PAC) from a Kerberos ticket issued by a Windows 2000 KDC. So when the SAMBA client touches a Windows 2000 member server, it will fall back on NTLM authentication to get a local access token. Take a look in www.dejanews.com at any discussion thread ranting about the PAC and you'll get a flavor for the problem.
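As an added illustration of pointing a Linux/UNIX client at a Windows 2000 KDC (this is example configuration, not part of the original answer), here is a minimal MIT Kerberos krb5.conf; the realm EXAMPLE.COM and the hosts dc1/dc2.example.com are placeholders you would replace with your own domain and domain controllers.

```ini
# Added example krb5.conf for a Linux/UNIX client in a Windows 2000 domain.
# EXAMPLE.COM, dc1.example.com and dc2.example.com are placeholder names.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Let the client find KDCs through the _kerberos._tcp SRV records that
    # Windows 2000 registers in DNS (so your DNS server must support SRV records).
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # A Windows 2000 KDC issues DES and RC4-HMAC tickets only; restricting the
    # client to these types avoids failed negotiations with newer defaults.
    default_tgt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    permitted_enctypes   = rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
    # Explicit KDC list as a fallback if SRV lookups are unavailable.
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
        admin_server = dc1.example.com
    }

[domain_realm]
    # Map host names in the Windows DNS domain to the Kerberos realm.
    .example.com = EXAMPLE.COM
    example.com  = EXAMPLE.COM
```

Check it with `kinit user@EXAMPLE.COM` followed by `klist`; a ticket from the domain controller confirms the KDC path works, but, as noted above, the PAC inside that ticket is not consumed by the Linux client, so access to Windows 2000 member servers through SAMBA still falls back to NTLM.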
As for other network infrastructure components you use, most of them will be just as happy in a Windows 2000 domain as an NT4 domain. If you're running NT4 RAS servers, you should upgrade them to Windows 2000 to avoid putting the Everyone group in the Pre-Windows 2000 Compatible Access group to support null logons. Thoroughly test all your applications (especially client/server applications that rely on the underlying Windows authentication infrastructure) to make sure they work fine on Windows 2000. This is especially true of any NFS servers you are running on your NT servers.
This was first published in February 2001