After you upgrade the PDC to Windows 2000, the domain operates in mixed mode, meaning that both Windows 2000 and Windows NT controllers can be present. This is the default setting for Windows 2000 Servers. In mixed mode, trusts operate as they do between Windows NT 4 domains.
To operate in native mode, a Windows 2000 domain must be running only Windows 2000 domain controllers and it must be explicitly switched to native mode operation. Since this is a one-way migration, it must be done manually. As soon as you upgrade to native mode, Windows NT 4 controllers can no longer function in the domain. Thus, you shouldn't switch to native mode unless you're sure that you've upgraded all Windows NT BDCs or taken them offline, and that you won't want to use Windows NT domain controllers in the future.
PLANNING
Windows NT 4 member servers work without issues in a Windows 2000 native-mode domain, as do Windows NT 4-based and Windows 95/98-based clients. Native mode refers only to the domain controllers, not to all machines in the domain.
Windows 2000 native-mode domains offer a number of advantages over Windows NT 4 domains, as well as over Windows 2000 mixed-mode domains. Table 7-4 summarizes these advantages. In addition to the advantages listed in the table, switching to native mode allows legacy clients to benefit from the transitive trusts between domains in Active Directory and, once authenticated, to access resources anywhere in the domain tree, provided they have the proper permissions.
Table 7-4. The differences among Windows NT 4 domains, Windows 2000 mixed-mode domains, and Windows 2000 native-mode domains

Feature | Windows NT 4 | Windows 2000 Mixed Mode | Windows 2000 Native Mode |
---|---|---|---|
Objects per domain | Fewer than 40,000 (20,000 user accounts) recommended | Fewer than 40,000 (20,000 user accounts) recommended | Up to 1 million |
Multimaster replication | No | Yes | Yes |
Group types | Global, Local | Global, Local | Universal, Domain Global, Domain Local, Local |
Nested groups | No | No | Yes |
Cross-domain administration | Limited | Limited | Full |
Password filters | Installed manually on each PDC and BDC | Installed manually on each DC | Installed automatically on all DCs |
Queries using Desktop Change/Configuration Management | No | Only on Windows 2000 DCs | Yes |
Authentication protocols | NTLM | NTLM, Kerberos | Kerberos |
It's important to understand that not all systems in the domain have to be running Windows 2000 in order to operate a native-mode domain. Native mode affects only the operation of the domain controllers. The issue of having non-Windows 2000 systems in the domain is important, however, when it comes to planning WINS server deployment. As long as you have legacy (non-Windows 2000) clients and servers in the domain, you need WINS servers for NetBIOS name resolution (unless you have a small, nonrouted network that can handle NetBIOS name resolution via broadcast). In addition, you shouldn't turn off NetBIOS over TCP/IP for Windows 2000 machines until the network consists entirely of Windows 2000 machines because legacy systems will be unable to communicate with the Windows 2000 systems. (Legacy systems rely on NetBIOS calls for network communication.)
When all of the Windows NT 4 BDCs have been either upgraded to Windows 2000 or taken offline, you can switch the network to Windows 2000 native mode. To make the switch, log on to a domain controller using an administrator account and follow these steps:
Figure 7-5. The Change Mode button.
CAUTION
Switching to native mode is an irreversible procedure. After switching to native mode, you cannot use Windows NT 4 domain controllers in the domain.
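Because the switch cannot be undone, an administrator wants evidence of the current mode and of any remaining Windows NT 4 controller accounts before clicking Change Mode. The script below is an added example, not code from the book or from Microsoft; it assumes a domain-joined Windows host with Windows PowerShell and .NET System.DirectoryServices, and relies on two facts about the directory: the domain object's ntMixedDomain attribute is 1 in mixed mode and 0 in native mode, and every domain controller account (NT 4 BDCs included) carries the SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl.

```powershell
# Added pre-switch check; not code from the book. Assumes a domain-joined Windows
# host running Windows PowerShell with .NET System.DirectoryServices available.

# ntMixedDomain on the domain naming context records the mode: 1 = mixed, 0 = native.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"
$mode = if ([int]$domain.ntMixedDomain.Value -eq 1) { "mixed" } else { "native" }
Write-Host "Domain $domainDn is currently in $mode mode."

# Enumerate every computer account flagged as a domain controller
# (SERVER_TRUST_ACCOUNT = 8192) and report the operating system each advertises.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("name", "operatingSystem"))

$suspect = @()
foreach ($result in $searcher.FindAll()) {
    $name = [string]$result.Properties["name"][0]
    $os = if ($result.Properties.Contains("operatingsystem")) {
        [string]$result.Properties["operatingsystem"][0]
    } else {
        "(not set)"
    }
    Write-Host ("  {0,-20} {1}" -f $name, $os)
    # A Windows NT 4 BDC does not maintain the operatingSystem attribute the way a
    # Windows 2000 DC does, so a blank or "Windows NT" value needs a closer look
    # before the domain is switched.
    if ($os -eq "(not set)" -or $os -match "Windows NT") { $suspect += $name }
}

if ($suspect.Count -gt 0) {
    Write-Warning ("Upgrade or take offline before switching: " + ($suspect -join ", "))
} elseif ($mode -eq "mixed") {
    Write-Host "No Windows NT 4 controller accounts found; the switch to native mode can be scheduled."
} else {
    Write-Host "Domain is already native; no Windows NT 4 controllers can be added."
}
```

Run it as a domain administrator on any Windows 2000 or later domain member; an account that has been taken offline but not deleted still appears in the list, so remove stale BDC accounts as well before the switch.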