Raising domain functional level from 2000 mixed to 2000 native

spyordie007

Diamond Member
May 28, 2001
6,229
We've been considering upgrading our domain function level from 2000 mixed to either 2000 native or (in the near future) to 2003 native function level. Part of the reason we are looking at raising the function level is because we would like to make use of Domain Local Groups which are only available in 2000/2003 native modes; and of course it's been several years since we've had any NT4 domain controllers :)

I'm just starting to gather information about "what we can expect" if we raise the level. Of course if we raise it we cannot go back, so I would like to be certain we cover all our bases and know how it will affect our network services if we do this. I have a number of different services that I'm doing research on, such as our web-server login (integrated CFM/AD login) and our VPN concentrators, but I thought I would see if any of you have recommendations for things to focus on when doing my research and/or information about upgrades you have done.

Thanks in advance.

-Erik
 

bloinkXP

Senior member
May 16, 2003
369
I have done this a number of times. Mostly, besides domain local groups, you are gaining universal groups. Here is a tip: look for legacy apps that require a BDC or PDC on the same subnet for authentication. By apps I also mean P.O.S web apps written "back in the day".

Good Luck,
D
 

stash

Diamond Member
Jun 22, 2000
5,468
Going to 2000 native will get you universal groups, group nesting, group conversion, and SID history.

Going to 2003 native will add domain rename (not an operation to take lightly), and a couple of other small changes. The big changes come when you raise the forest to 2003.

The ability to defunct schema objects, forest trusts, linked-value replication, better replication, improved KCC and ISTG algorithms...yum.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
The only disadvantages are simply that you won't be able to run the older domain controllers in your domain.

If you have no NT4 domain controllers move to 2000 mixed now. Once you get to all 2003, move to 2003 native.

Although it's a one-way process (ooo Scary!), the only loss is the ability to run the older DCs. Any other security differences from NT up to 2003 can be altered via security policy (NTLM, encrypted secure channel, etc.). Short of not being able to use NT DCs, there's nothing else truly 'irreversible' about it.

As to 'what to expect'... expect it to take a couple of minutes to replicate. There.
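The one hard blocker the replies above describe is a domain controller that is older than the level you are raising to. As an added example that is not part of this thread (PowerShell and the ActiveDirectory module postdate it; the script assumes the RSAT AD module is installed and that you have read access to the domain), here is a read-only pre-flight report: the current mixed/native flag and behavior version, every DC with its OS, and the FSMO holders so you can confirm after the raise that the roles, PDC emulator included, are exactly where they were.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module;
# nothing here changes the directory.
Import-Module ActiveDirectory

function Get-DomainLevelReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest

    # Mixed vs. native is a separate flag from the functional level:
    # ntMixedDomain = 1 means "2000 mixed" (NT4 BDCs still allowed), 0 means native.
    # msDS-Behavior-Version is the level itself (0 = Windows 2000, 2 = Windows 2003, ...).
    $head = Get-ADObject -Identity $dom.DistinguishedName `
                         -Properties ntMixedDomain, 'msDS-Behavior-Version'

    # Every DC in the domain with its OS. A DC older than the target level is
    # the one thing that blocks the raise (and the one thing you cannot get back).
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
           Select-Object HostName, OperatingSystem, Site, IsGlobalCatalog,
                         @{n = 'Roles'; e = { $_.OperationMasterRoles -join ',' }}

    [pscustomobject]@{
        Domain            = $dom.DNSRoot
        DomainMode        = $dom.DomainMode
        ForestMode        = $forest.ForestMode
        IsMixedMode       = ([int]$head.ntMixedDomain -eq 1)
        BehaviorVersion   = [int]$head.'msDS-Behavior-Version'
        # FSMO holders: record them now, compare them after the raise.
        SchemaMaster      = $forest.SchemaMaster
        DomainNaming      = $forest.DomainNamingMaster
        PDCEmulator       = $dom.PDCEmulator
        RIDMaster         = $dom.RIDMaster
        Infrastructure    = $dom.InfrastructureMaster
        DomainControllers = $dcs
        # DCs that would block the Windows 2003 domain level (assumption: the
        # target is 2003 native, as discussed in the thread).
        BlockingDCs       = @($dcs | Where-Object {
                                $_.OperatingSystem -match 'Windows 2000|Windows NT' })
    }
}

$report = Get-DomainLevelReport
$report | Format-List Domain, DomainMode, ForestMode, IsMixedMode, BehaviorVersion,
                      SchemaMaster, DomainNaming, PDCEmulator, RIDMaster, Infrastructure
$report.DomainControllers | Format-Table -AutoSize
if ($report.BlockingDCs.Count -gt 0) {
    Write-Warning ("Demote or upgrade before raising to 2003: " +
                   ($report.BlockingDCs.HostName -join ', '))
}
```

Save the output, do the raise (with the AD module that is `Set-ADDomainMode`, which honours `-WhatIf` and `-Confirm`), then run the report again: the five FSMO holders should be unchanged, only `IsMixedMode`/`BehaviorVersion` should differ.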
 

spyordie007

Diamond Member
May 28, 2001
6,229
No I understand the process of raising the level just fine, the cause for concern is all the applications that may break when they realize that the PDC no longer exists.

For example, I know my web-based CFM login relies upon our PDC emulator that will need to be changed before we can go to 2000 native or we will have a BIG problem on our hands.

The reason for the post is to get ideas for other things to look at. We have a lot of legacy applications and services that are still in use, and if we miss something and it doesn't work we will have a lot of unhappy people to deal with.
 

Smilin

Diamond Member
Mar 4, 2002
7,357
Your PDC emulator will not cease to exist. FSMO roles won't disappear due to a function level change.

Don't confuse not having NT DCs for not being allowed to have NT members.
 

spyordie007

Diamond Member
May 28, 2001
6,229
Although the operation masters will still exist, I was under the impression that their roles would be deprecated in a native function level; is this not correct?
 

spyordie007

Diamond Member
May 28, 2001
6,229
As in, the roles no longer carry as much importance/significance, and the possibility exists that legacy devices won't be able to access the domain anymore (i.e. Win 9x logging in to your PDC emulator).

If the operation master roles are still supposed to function in 2000+ native the same way they did in mixed mode, then that will make me happy.

I'm just being cautious because I want to make absolutely sure I don't break any of our legacy stuff (which we have a lot of).
 

stash

Diamond Member
Jun 22, 2000
5,468
Yeah, what do you mean by deprecated? Four of the FSMO roles work exactly the same no matter what mode. The only real difference is that the PDCe won't emulate an NT4 PDC role. But there will still be a PDCe, and it will still be important, just for other reasons.
 

stash

Diamond Member
Jun 22, 2000
5,468
Ah I was slow with the post there.

There are issues with 9x clients accessing a 2003 domain, but it has nothing to do with the PDCe. It mostly has to do with SMB signing. You will find a lot of misinformation about SMB signing, and most people will tell you to disable it on the domain. Not recommended or necessary.

95 clients will need the dsclient. Period. 98 clients do not, but it is a good idea for other reasons, including site awareness. NT clients running SP6a also do not need the dsclient, but again it is a good idea.

Also if you hear someone tell you that 95 clients are not supported on a 2003 domain run away....fast.
 

stash

Diamond Member
Jun 22, 2000
5,468
Sorry, my emulation statement wasn't the best. I meant that BDCs will no longer be able to communicate with it. This is because of the changes to the directory, such as group nesting and universal groups, that NT does not understand. The PDCe will still function as an authenticating server for downlevel clients.
 

stash

Diamond Member
Jun 22, 2000
5,468
One other thing that you should be aware of when going to native mode. When you are in mixed mode, a global catalog is not a requirement for logon. When the domain is in native mode, it is a requirement. This is because the authenticating domain controller must contact a GC to enumerate group membership, most importantly universal groups.

If the authenticating DC cannot contact the GC and enumerate group membership, it cannot consider your account secure and will deny the logon attempt.

So the moral of the story is, make sure you have GC available everywhere they need to be. Also make sure your DNS is working correctly, and that everyone can resolve names. And finally, if you have a multiple domain forest, remember one thing: GC records (along with some other critical SRV records) for ALL domains in a forest are registered in the root domain. So if users, DCs, etc in child domains cannot communicate with the root DCs running DNS, you will have problems.
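The two failure modes described above (no reachable GC for the authenticating DC, and child-domain clients unable to resolve the forest-wide SRV records that live under the root domain) can be checked before the raise rather than discovered as denied logons afterwards. The following is an added example, not part of the thread; it assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows 8 / Server 2012 or newer) and is read-only. For every site in the forest it resolves the site-specific GC SRV record under `_msdcs.<forest root>`, opens a TCP connection to port 3268 (GC LDAP) on each advertised GC, and separately confirms the forest-wide GC record exists.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory and DnsClient
# modules. Read-only: resolves DNS and opens TCP connections, nothing else.
Import-Module ActiveDirectory

function Test-GcAvailability {
    param(
        [string]$Forest    = (Get-ADForest).Name,   # forest root DNS name
        [int]   $TimeoutMs = 3000
    )
    $forestObj = Get-ADForest -Identity $Forest

    foreach ($site in $forestObj.Sites) {
        # Site-specific GC SRV record. All of these live under _msdcs.<forest root>,
        # so a child-domain client that cannot resolve the root zone fails here even
        # when its own domain's DNS is perfectly healthy.
        $srvName = "_ldap._tcp.$site._sites.gc._msdcs.$($forestObj.RootDomain)"
        $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }

        # For each GC the record advertises, check that GC LDAP (3268) answers.
        $reachable = foreach ($r in $srv) {
            $client = New-Object System.Net.Sockets.TcpClient
            $ok = $false
            try {
                $async = $client.BeginConnect($r.NameTarget, 3268, $null, $null)
                $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
            } catch { $ok = $false } finally { $client.Close() }
            [pscustomobject]@{ Target = $r.NameTarget; Port3268 = $ok }
        }

        [pscustomobject]@{
            Site          = $site
            SrvRecord     = $srvName
            AdvertisedGCs = @($srv).Count
            ReachableGCs  = @($reachable | Where-Object Port3268).Count
            Targets       = $reachable
        }
    }
}

# The generic record clients fall back to when their site has no GC of its own.
function Test-ForestGcRecord {
    param([string]$ForestRoot = (Get-ADForest).RootDomain)
    $rec = Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$ForestRoot" -Type SRV `
                           -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    return (@($rec).Count -gt 0)
}

$perSite = Test-GcAvailability
$perSite | Format-Table Site, AdvertisedGCs, ReachableGCs -AutoSize
$perSite | Where-Object { $_.ReachableGCs -eq 0 } | ForEach-Object {
    Write-Warning "Site $($_.Site) has no reachable GC; native-mode logons there will depend on a GC in another site."
}
if (-not (Test-ForestGcRecord)) {
    Write-Warning "Forest-wide GC SRV record missing: check the _msdcs zone on the root domain's DNS servers."
}
```

Run it from a client in each child domain, not only from a root DC, because the point being tested is whether that client's resolvers can reach the root zone. Windows Server 2003 also added per-site universal group membership caching as the alternative to placing a GC in every site; a site that shows zero reachable GCs here is a candidate for one or the other.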