After you upgrade the PDC of a Windows NT 4 domain to Windows 2000, the Active Directory domain and the forest in which it was seeded operate in mixed mode. While a domain is in mixed mode, Windows NT 4 BDCs and Windows 2000 domain controllers can coexist on the network.
Most companies will find themselves remaining in mixed mode for some time to ensure compatibility with existing Windows NT 4 BDCs or other servers such as Samba that need access to a "real" NT 4 BDC. However, there are advantages to using the Windows 2000 Server native mode, as described in Table 7-4.
Microsoft recommends a speedy switch to Windows 2000 native mode; however, we recommend a more cautious approach. Running in mixed mode also allows nervous network administrators a chance to start using Active Directory in a limited manner without losing their Windows NT 4 safety net. Wait until it's completely clear there is no need for NT 4 BDCs before making the domain mode upgrade, because once you've upgraded the domain mode, there is no going back.
Windows NT 4 member servers work in a Windows 2000 native-mode domain, as do Windows NT 4-based and Windows 95/98-based clients (however, Windows 95/98 clients should install the directory services client from the Windows 2000 CD, and Windows NT 4 clients should install it from http://www.microsoft.com/ntserver/nts/downloads/other/adsi25/x86.asp). Native mode refers only to the domain controllers, not to all machines in the domain.
Table 7-4. The differences among Windows NT 4 domains, Windows 2000 mixed-mode domains, and Windows 2000 native-mode domains
Feature | Windows NT 4 | Windows 2000 Mixed Mode | Windows 2000 Native Mode |
---|---|---|---|
Supported domain controllers | Windows NT 4, 3.51 BDCs | Windows 2000, Windows NT 4 BDCs | Windows 2000 |
Objects per domain | Fewer than 40,000 (20,000 user accounts) recommended | Fewer than 40,000 (20,000 user accounts) recommended | Up to 1 million |
Multimaster replication | No | Yes | Yes |
Group types | Global, Local | Global, Local | Universal, Domain Global, Domain Local, Local |
Nested groups | No | No | Yes |
Cross-domain administration | Limited | Limited | Full |
Password filters | Installed manually on each PDC and BDC | Installed manually on each domain controller | Installed automatically on all domain controllers |
Queries using Desktop Change/Configuration Management | No | Only on Windows 2000 domain controllers | Yes |
Authentication protocols | NTLM | NTLM, Kerberos | Kerberos |
Group membership replication | Entire group membership list | Entire group membership list | Entire group membership list |
Real World
Existing Clients Still Work in Native Mode
It's important to understand that not all systems in the domain have to be running Windows 2000 or Windows XP to operate a native-mode domain. Native mode affects only the operation of the domain controllers. The issue of having legacy (Windows NT, Windows 95/98/Me, or DOS/Windows 3.x) systems in the domain is important, however, when it comes to planning WINS server deployment. As long as you have legacy clients and servers in the domain, you need WINS servers for NetBIOS name resolution (unless you have a small, nonrouted network that can handle NetBIOS name resolution using broadcast). In addition, you shouldn't turn off NetBIOS over TCP/IP, even if your network consists entirely of Windows 2000 and Windows XP systems, because legacy applications (which are many) still rely on NetBIOS calls for network communication.
When you've verified that no legacy domain controllers are needed (or will ever be needed) on the network, you can raise the domain functionality (upgrade the domain mode). To make the switch, log on to a domain controller using an administrator account and follow these steps:
Before eliminating or upgrading the last Windows NT 4 BDC or Windows 2000 domain controller and switching domain modes, we recommend taking it offline for a while, if possible. This allows you to test whether there are any remaining legacy applications or servers that need access to an older domain controller, before it's too late to go back.
Figure 7-6. The Change Mode button.
Switching to native mode is an irreversible procedure. After switching to native mode, you cannot use Windows NT 4 domain controllers in the domain.
You can only upgrade the functionality of a forest once all domains within the forest are functioning in the desired native mode. After a forest is upgraded, you can only add domains operating in the same mode or higher. To add a domain with a lower functionality level, you'd have to create a whole new forest.
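Because the mode change described above cannot be undone, it is worth gathering the evidence that no legacy domain controller remains before pressing the Change Mode button. The following read-only readiness check is an added example and is not from the book. It assumes the ActiveDirectory PowerShell module is available on the domain controller you are logged on to (that module did not exist on Windows 2000 itself), that the domain head object's nTMixedDomain attribute reads 1 in mixed mode and 0 in native mode, and that Windows NT 4 BDC accounts, like Windows 2000 domain controller accounts, carry the SERVER_TRUST_ACCOUNT flag (0x2000) in userAccountControl. It only reports; the switch itself remains the manual step the text describes.

```powershell
# Added example, not from the book: readiness check before the irreversible
# switch from Windows 2000 mixed mode to native mode. Assumes the ActiveDirectory
# module and an administrator logon on a domain controller.
Import-Module ActiveDirectory

function Test-NativeModeReadiness {
    [CmdletBinding()]
    param(
        # Domain to inspect; defaults to the domain this computer belongs to.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $dom  = Get-ADDomain -Identity $Domain
    # nTMixedDomain on the domain head: 1 = mixed mode, 0 = native mode (assumption
    # documented in the lead-in).
    $head = Get-ADObject -Identity $dom.DistinguishedName -Properties nTMixedDomain

    # Every computer account with SERVER_TRUST_ACCOUNT (0x2000 = 8192) set is a
    # domain controller account. Windows NT 4 BDCs are assumed to carry the same
    # flag, so this query also lists BDCs that Get-ADDomainController would not.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $dcAccounts = Get-ADComputer -Server $dom.DNSRoot `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
        -Properties operatingSystem, operatingSystemVersion |
        Select-Object Name, operatingSystem, operatingSystemVersion

    # A controller account that reports no operating system, or reports
    # Windows NT, is treated as a legacy BDC that blocks the switch.
    $legacy = @($dcAccounts | Where-Object {
        -not $_.operatingSystem -or $_.operatingSystem -match 'Windows NT'
    })

    [pscustomobject]@{
        Domain            = $dom.DNSRoot
        DomainMode        = $dom.DomainMode
        ForestMode        = (Get-ADForest -Identity $dom.Forest).ForestMode
        IsMixedMode       = ($head.nTMixedDomain -eq 1)
        DomainControllers = @($dcAccounts)
        LegacyControllers = $legacy
        # Ready only when the domain is still in mixed mode (otherwise there is
        # nothing to change) and no legacy controller account remains.
        ReadyToSwitch     = ($head.nTMixedDomain -eq 1) -and ($legacy.Count -eq 0)
    }
}

# Usage: show the summary, then name any controller that still blocks the change.
$report = Test-NativeModeReadiness
$report | Format-List Domain, DomainMode, ForestMode, IsMixedMode, ReadyToSwitch
if ($report.LegacyControllers.Count -gt 0) {
    Write-Warning 'Legacy domain controller accounts still exist; do not change the mode yet:'
    $report.LegacyControllers | Format-Table -AutoSize
}
```

Run the check after the last NT 4 BDC has been taken offline for its trial period, and again immediately before changing the mode; a ReadyToSwitch value of False with a non-empty LegacyControllers list means a BDC account is still registered in the domain and the switch should wait. The check looks only at directory objects, so it does not tell you whether member servers or applications still depend on a BDC; that is what the offline trial period in the text is for.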