swadling
I am planning an in-place upgrade of our single NT4 domain to Server
2003 AD in the near future. Most client computers are 2000 Pro with a
sprinkling of NT Workstation and XP Pro. After the upgrade weekend we
will still have a number of BDCs alive on the network, but there will
be AD domain controllers at pretty much every site - more than enough
to handle the authentication workload. I am debating whether to start
out with the "NT4Emulator" registry setting enabled.
Here is my reasoning:
Against enabling NT4Emulator:
- Very unlikely that the 2003 DCs would be overloaded
- I would like to wrap this up all at once rather than have a second
potentially disruptive change when the NT4Emulator setting is removed
In favour of enabling NT4Emulator:
- If we had to revert back to NT4 domain there would be no issue with
the 2000 and XP computers having locked onto a 2003 secure channel
Am I missing anything here? Any recommendations?
I have one other related question:
Is it possible to flip NT4Emulator mode on and off at will (with at
most a reboot of the DCs)? My thinking here is that if, after
upgrading, we find something unexpected that does not work in our AD
environment (for example some old Unix client that could not be
upgraded, or perhaps an application incompatibility), I might be able
to turn on the NT4Emulator setting on all DCs and have everything
behave like an NT4 domain. This would be easier than reverting back to
the NT4 domain and it would also be easier to re-enable "real" AD when
the issue was resolved.
Appreciate any ideas and experiences with this.
Jim