upgrading domain/forest function level question

[google]

I have a single domain forest with a four Windows 2003 domain
controllers and one NT4 domain controller. I would like to upgrade the
domain and forest to 2003 function level, but at this time I can
neither upgrade nor retire the NT domain controller. Am I stuck in
mixed mode or can I still upgrade the function level anyway?

I read somewhere that I can upgrade the domain/forest and if I did the
domain would simply cease to replicate with the NT DC. If that is true,
is there any chance that client machines would still attempt to
authenticate through the NT DC?

Finally, does the domain/forest function level have any bearing on
whether or not I can run Exchane in native mode? Currently, I have
three Exchange servers (all 2003) running in mixed mode. Is it possible
and/or safe to switch Exchange to native mode?

Any insight would be greatly appreciated.

thank you

 

[Danny Sanders]

I read somewhere that I can upgrade the domain/forest and if I did the

domain would simply cease to replicate with the NT DC. If that is true,
is there any chance that client machines would still attempt to
authenticate through the NT DC?

Your problem would *really* come into play when adding new users to domain.
If you add them to the AD DC that new user's account will not be replicated
to the NT 4.0 BDC.

If they need access to the NT 4.0 BDC, there is *really* no way to give them
access. A NT 4.0 BDC only hold a writeable copy of the SAM. You will not be
able to manually add this user account to the NT 4.0 BDC. Any new users
would not have access to the NT BDC.

hth
DDS W 2k MVP MCSE

 

[Jorge de Almeida Pinto [MVP]]

If they need access to the NT 4.0 BDC, there is *really* no way to give

them access. A NT 4.0 BDC only hold a writeable copy of the SAM. You will
not be able to manually add this user account to the NT 4.0 BDC. Any new
users would not have access to the NT BDC.

actually I think you mean a read only copy when talking about BDCs.
However, when you having w2k clients/servers and higher AND kerberos
authentication is used the NT4 BDC would not be used for authentication.
Authentication would be done by de AD DCs including adding groups to the
access token. If data on the NT4 BDC is secured by groups there would no
issue, assuming those groups are already in the NT4 BDC before increasing
the DFL (!!!I guess!!!). If you would need to add new created group that
would NEVER replicate to the NT4 BDC and you would not be able to use it.
I don't recommend this scenario as you never know what else might go wrong!

A better way, although not supported by MS, would be to use UPromote and
demote the NT4 BDC to a NT4 member server.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Danny Sanders]

actually I think you mean a read only copy when talking about BDCs.


Thanks for catching that. I meant the BDC holds a read only copy of the SAM.

DDS
"Jorge de Almeida Pinto [MVP]"