Q

What DC services disappear when AD native mode is activated?

We are currently running in AD mixed mode. We want to move to AD native mode. But we have a concern that some DC services will no longer function when mixed mode is deactivated. We have been unable to find any documentation that details what disappears when we switch to AD native mode. Our concern is some applications will fail because a DC service is no longer available. We don't know what to search for so we can make the necessary changes. Can you help?
When you convert to native mode, you are generally losing support for NT 4.0 BDCs in the domain. In return you are gaining more of the Windows 2000/AD features.

Here is what you lose:

  • Pre-Windows 2000 replication of account information (both computer and user) is removed. Thus, if you have NT 4.0 BDCs in your environment, their SAM database will quickly be out of synch and will have no way to synch up. Thus, the BDC will need to be upgraded or rebuilt as a Windows 2000 Server.

  • You can't add pre-Windows 2000 domain controllers to the domain any more. Any new DC will need to be installed from the get-go as a Windows 2000 server.

  • NT 4.0 DLL support for applications running locally on the DC.

Some of what you will gain:

  • Prior to the move to Windows 2000 native mode, the upgraded PDC was responsible for all changes (even if other Windows 2000 DCs exist). Once you move to native mode the DCs are essentially all peers, and thus the AD database on all DCs can be modified. This is referred to as multimaster replication.

  • Prior to moving to native mode the Universal groups and domain local groups are not available.

  • You will be able to nest Global and Domain Local Groups, something you cannot do in Windows NT 4.0.

There are some reasons to consider staying in mixed mode (at least until you can work out a solution):

  • You might have some applications that are required to run on an NT 4.0 BDC. Usually this is to avoid pass-through authentication: since the SAM is local to the BDC, the application performs authentication and verification of users locally. In such a case you will have to work with the vendor to get an update of the software that works properly with a Windows 2000 Server. Systems running on non-domain controllers will not have a problem. You can still have NT 4.0 member servers in an Active Directory AND run in native mode without issue.

  • If you cannot provide physical security for your BDCs you may want to consider staying in mixed mode. In mixed mode, the only system that can perform updates is the PDC emulator (in NT 4.0 only the PDC can perform updates). Even if you log on to a BDC, the BDC communicates with and performs the updates on the remote PDC. If you are in native mode, ANY DC will be updated locally and will then replicate the changes throughout the AD infrastructure. Thus, preventing DCs from being compromised locally is a big deal.

  • Once you have gone to native mode, you cannot go back to mixed mode AND you cannot roll back to an NT 4.0 domain. Prior to upgrading your PDC, you should create a BDC (or take one you don't need) and synchronize it with the PDC. Then power it off. If you have to quickly revert back to your pre-Windows 2000 domain, you just turn off the Win2k PDC and power on the NT 4.0 BDC. Then, promote the BDC to be the PDC. WHAM! You are back in NT 4.0. Once you have upgraded to native mode, this will not work without performing a lot of extra work and rebuilding Windows 2000 DCs as NT 4.0 DCs. In fact, you should be VERY cautious about the amount of time you spend in mixed mode. As more and more changes occur to the domain (even in mixed mode), reverting back using that spare NT 4.0 BDC can be more and more painful.
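Since the switch is one-way, a pre-flight inventory of the domain's current mode and of every DC account that would stop replicating is worth running first. The script below is an added example, not part of the original answer; it assumes PowerShell with ADSI on a domain-joined host and that NT 4.0 BDCs, which cannot write the operatingSystem attribute, show up with that value blank.

```powershell
# Added example: pre-flight check before raising a domain from mixed to native mode.
# Read-only LDAP queries via ADSI; standard AD schema attributes and filters only.
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

# nTMixedDomain on the domain head: 1 = mixed mode, 0 = native mode (cannot be set back to 1).
$mixed = [int]$domain.Properties['nTMixedDomain'].Value
$mode  = if ($mixed -eq 1) { 'MIXED' } else { 'NATIVE' }
Write-Host ("Domain {0} is currently in {1} mode" -f $domain.Properties['distinguishedName'].Value, $mode)

# Every DC account, including NT 4.0 BDCs, carries SERVER_TRUST_ACCOUNT (0x2000 = 8192)
# in userAccountControl; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@('name', 'operatingSystem', 'whenChanged'))

$report = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    $os    = [string]$props['operatingsystem']
    # Assumption: NT 4.0 never populates operatingSystem, so blank (or an explicit
    # "Windows NT" string) marks a BDC that loses SAM replication in native mode.
    $legacy = ($os -eq '') -or ($os -match 'Windows NT')
    [pscustomobject]@{
        Name        = [string]$props['name']
        OS          = if ($os -eq '') { '<not populated>' } else { $os }
        LastChanged = $props['whenchanged'][0]
        LegacyBDC   = $legacy
    }
}

$report | Sort-Object LegacyBDC -Descending | Format-Table -AutoSize

$blockers = @($report | Where-Object LegacyBDC)
if ($blockers.Count -gt 0) {
    Write-Warning ("{0} DC account(s) look like NT 4.0 BDCs; upgrade or demote them before switching: {1}" `
        -f $blockers.Count, (($blockers | ForEach-Object Name) -join ', '))
} else {
    Write-Host "No pre-Windows 2000 DC accounts found; the replication-related loss above does not apply."
}
```

The DC list also doubles as the inventory for the physical-security point above: in native mode every host printed here becomes a writable copy of the directory.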
This was first published in July 2002
