Solved

Native Mode

Posted on 2004-08-23
Last Modified: 2012-06-27
I only have 1 NT 4.0 member server and everything else is Win 2000 Server except for the DC, which is Win 2003 running AD. I have another DC, but that is Win 2000. I have Exchange 5.5 running on a Win 2000 server. Are there any problems with me switching to Native mode? Do I have to have all Win 2K3 DCs before switching to Native Mode, or is that not a factor since it is Win2K vs Win2K3 and not Win NT 4.0?

Thanks.
Question by:ohmadmin
9 Comments
 
LVL 9

Accepted Solution

by:
jdeclue earned 250 total points
ID: 11874491
The answer is, all of your DCs must be 2003 to raise the functional level to Windows 2003. See the following article.

http://www.2000trainers.com/article.aspx?articleID=271&page=1

J
0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11874712
What service pack is your NT server running?
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11880896
Hi

Depends which native mode you want to switch to. As JDeclue has already correctly said, you do need to have all domain controllers at OS Windows 2003 level before you can raise the domain functional level to Windows 2003. However, it's useful to note that Windows 2003 supports four different domain functional levels:

Windows 2000 Mixed Mode - Compatibility with NT4, Windows 2000 and Windows 2003 Family Domain Controllers
Windows 2000 Native Mode - Compatibility with Windows 2000, Windows 2003 Family Domain Controllers
Windows 2003 Interim Mode - Windows 2003 Interim - NT4 and Windows 2003 Family Domain Controllers
Windows 2003 Native - Windows 2003 Family Domain Controllers only

All client PCs must be running an OS later than Windows 95 or Windows NT4 SP3 in order to logon/access the 2003 server. In your situation, so long as you have at least NT4 SP4 on your member server and any NT4 clients, no NT4 domain controllers, and no Windows 95 workstations, you should be able to raise the functional domain level to Windows 2000 native mode (if it isn't already there), but not to Windows 2003 - if you do try, it won't let you do it anyway, but it will let you save its reasons as to why not to a nice little csv file :))

The following is from Windows 2003 Help:

"Compatibility with previous operating systems
By default, security settings on domain controllers running Windows Server 2003 are configured to help prevent domain controller communications from being intercepted or tampered with by malicious users. To successfully negotiate communications with a domain controller running Windows Server 2003, these default security settings require that client computers use both Server Message Block (SMB) signing, and encryption or signing of secure channel traffic.
The following Windows-based operating systems do not have built-in support for SMB signing or secure channel encryption and signing:
·      Windows for Workgroups
·      Windows 95
·      Windows NT 4.0
The following table lists the required actions that you need to perform to enable client computers running any of these operating systems to successfully log on to the domain and access domain resources.
For client computers running | You need to
Windows for Workgroups | Upgrade the operating system.
Windows 95 | Upgrade the operating system (recommended), or install the Active Directory client. For more information about the Active Directory client, see Active Directory clients.
Windows NT 4.0 | Upgrade the operating system (recommended), or install Service Pack 4 (or later). Service Pack 3 provides support for SMB signing, but it does not support encryption or signing of secure channel traffic.
SMB signing
By default, domain controllers running Windows Server 2003 require that all clients digitally sign SMB-based communications. The SMB protocol provides file sharing, printer sharing, various remote administration functions, and logon authentication for some clients running older operating system versions.
Client computers running Windows for Workgroups, Windows 95 without the Active Directory client, and Windows NT 4.0 Service Pack 2 (or earlier) do not support SMB signing, and, therefore, they cannot connect to domain controllers running Windows Server 2003 by default.
Although it is not recommended, you can prevent SMB signing from being required on all domain controllers running Windows Server 2003 in a domain. For more information, see To prevent domain controllers from requiring SMB signing.
Secure channel encryption or signing
Domain controllers running Windows Server 2003 require that all secure channel communications be either encrypted or signed. Windows NT-based computers use secure channels for communications between clients and domain controllers, and between domain controllers that have a trust relationship.
Client computers running Windows NT 4.0 Service Pack 3 (or earlier) do not support signing or encrypting secure channel communications, and, therefore, they cannot connect to domain controllers running Windows Server 2003 by default.
Also, any trusts established between domains with domain controllers running Windows NT 4.0 Service Pack 3 (or earlier) and domains with domain controllers running Windows Server 2003 might fail. If one domain contains a domain controller running Windows NT Service Pack 3 (or earlier) and the other domain contains a domain controller running Windows Server 2003, clients might have problems accessing shared resources located in the other domain.
Although it is not recommended, you can disable the secure channel requirement for all domain controllers running Windows Server 2003 in a domain. For more information, see To prevent domain controllers from requiring secure channel signing or encryption.
 Note
If you install Windows Server 2003 domain controllers in your domain (one or more), they will not affect the security settings on domain controllers running Windows 2000 Server. "

Hope that's helpful,

Deb :))

0
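The compatibility rules in the post above (the four functional levels and the Windows 2003 Help excerpt), applied to an inventory, as an added example that is not part of the original thread. Host names and service pack values are constructed, and the OS labels ("NT4", "WfW", and so on) are shorthand chosen for this example.

```python
# Added example, not code from the thread. The tables transcribe the level
# list and the Windows 2003 Help excerpt quoted in the post above.
LEVELS = {  # functional level -> DC operating systems it tolerates
    "Windows 2000 Mixed": {"NT4", "2000", "2003"},
    "Windows 2000 Native": {"2000", "2003"},
    "Windows 2003 Interim": {"NT4", "2003"},
    "Windows 2003 Native": {"2003"},
}
SMB, SCHANNEL = "SMB signing", "secure channel signing/encryption"

def allowed_levels(dcs):
    """Levels whose supported-OS set covers every DC in {name: os}."""
    present = set(dcs.values())
    return [lvl for lvl, ok in LEVELS.items() if present <= ok]

def blockers(level, dcs):
    """DCs whose OS prevents raising the domain to `level`."""
    return sorted(n for n, os_ in dcs.items() if os_ not in LEVELS[level])

def client_gaps(os_, nt4_sp=0, ad_client=False):
    """Features a 2003 DC requires by default that this client lacks."""
    if os_ == "WfW" or (os_ == "95" and not ad_client):
        return [SMB, SCHANNEL]          # no built-in support for either
    if os_ == "NT4":
        if nt4_sp <= 2:
            return [SMB, SCHANNEL]      # SP2 or earlier: no SMB signing
        if nt4_sp == 3:
            return [SCHANNEL]           # SP3: SMB signing only
    return []                           # NT4 SP4+, Windows 2000 and later

# Constructed inventory modelled on the question: one 2003 DC, one 2000 DC,
# and NT 4.0 member servers (service pack values are made up).
DCS = {"dc-2003": "2003", "dc-2000": "2000"}
MEMBERS = {"nt4-sp3": ("NT4", 3), "nt4-sp6": ("NT4", 6)}

def report():
    lines = ["allowed levels: " + ", ".join(allowed_levels(DCS))]
    lines.append("blocking 2003 Native: "
                 + ", ".join(blockers("Windows 2003 Native", DCS)))
    for name, (os_, sp) in MEMBERS.items():
        gaps = client_gaps(os_, nt4_sp=sp)
        lines.append(f"{name}: " + ("ok" if not gaps else "missing " + ", ".join(gaps)))
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```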

Author Comment

by:ohmadmin
ID: 11881868
Thanks for the info. I had to give the points to the first poster with the correct answer. Debsy, I appreciate the detailed info.
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11881946
In the future, feel free to split the points, you should see the option next to the names, I believe. Glad we could help.

J
0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 11881988

In my experience, one of the biggest features in moving out of a mixed-mode network into a 2000 native (or 2003 native) is the authentication process. Your network will no longer accept NTLM.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11882014
Hi
The point of my post was because at the time of posting I was not in my own (hopefully) native and relatively competent mode, I was instead in "donkey" mode - I fluffed opening jdeclue's link and mistook it for another one that I had opened instead (which was slightly but only partly relevant - hence my surprise and my posting, because in my experience, JD is always extremely relevant and thorough).

Had I not done this I wouldn't have bothered posting, because you already had all the info you needed in jd's link - I have only just discovered this on finally revisiting the question and links.

Your points were justly awarded, otherwise we'd have been asking for a mod's intervention,

Best wishes,

Deb :))
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11882125
Geesh, Deb, I am getting red cheeks over here! Thanks ;)

J
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 11882232
True though bud - you ARE a thorough little thing ;-))
Somewhat embarrassing for me though as experts get very and justifiably annoyed when their responses are effectively duplicated, so sorry about that - fortunately ohmadmin spotted it and acted correctly - I consider myself lucky not to have been told off there, but I am only human after all!

Deb :))

0
