| Author | Messages | |
LarryWahlers
Posts:20
 | | 05/02/2008 11:15 AM |
| Hello, colleagues,
I inherited the AD job from a fellow who is no longer with us, and the
push is on to raise our forest to Windows 2003. All domain controllers
in the forest are Windows 2003 and 2 of the 3 domains are Windows 2003.
One of the domains is Windows 2000 mixed. I think this domain is that
way because there are several NT4 servers in that domain, and I seem to
remember the thought was they would break if the domain functional level
was raised. Since the fellow who architected this whole design has left,
I have to wonder if that is true? This KB seems to say it should be OK:
http://support.microsoft.com/kb/322692
"Note Network clients can authenticate or access resources in the domain
or forest without being affected by the Windows Server 2003 domain or
forest functional levels. These levels only affect the way that domain
controllers interact with each other."
--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
MailTo:Larry.Wahlers@concordiatech.org
Business Phone: (314) 996-1876
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| laurahcomputing
Posts:43
| | 05/02/2008 11:30 AM |
| NT server != NT BDC. If your only remaining NT servers are member
servers only (we'll put a pin in the "why on Earth are you still
running NT4 member servers?" conversation and come back to it
laterΏ]), NT member servers won't give a toss about the switch in
DFL/FFL.
(Insert usual caveat: Changes to DFL/FFL are one-way operations and
should be tested thoroughly before implementing in production to
ensure that nuclear winter does not result, blah blah blah.)
Ώ] ...especially because even -I- have about a dozen that I haven't
yet wresled out of the hands of the relevant application owners yet,
so I feel your pain.
On Fri, May 2, 2008 at 11:12 AM, Larry Wahlers
<Larry.Wahlers@concordiatech.org> wrote:
> Hello, colleagues,
>
> I inherited the AD job from a fellow who is no longer with us, and the
> push is on to raise our forest to Windows 2003. All domain controllers
> in the forest are Windows 2003 and 2 of the 3 domains are Windows 2003.
> One of the domains is Windows 2000 mixed. I think this domain is that
> way because there are several NT4 servers in that domain, and I seem to
> remember the thought was they would break if the domain functional level
> was raised. Since the fellow who architected this whole design has left,
> I have to wonder if that is true? This KB seems to say it should be OK:
>
> http://support.microsoft.com/kb/322692
>
> "Note Network clients can authenticate or access resources in the domain
> or forest without being affected by the Windows Server 2003 domain or
> forest functional levels. These levels only affect the way that domain
> controllers interact with each other."
>
>
>
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> MailTo:Larry.Wahlers@concordiatech.org
> Business Phone: (314) 996-1876
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server System - Directory Services
https://mvp.support.microsoft.com/profile/laura
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| LarryWahlers
Posts:20
| | 05/02/2008 11:45 AM |
| Thanks, Laura. You wrote:
> (we'll put a pin in the "why on Earth are
> you still running NT4 member servers?" conversation and come
> back to it laterΏ])
...
> Ώ] ...especially because even -I- have about a dozen that I
> haven't yet wresled out of the hands of the relevant
> application owners yet, so I feel your pain.
Bingo! One of these servers is so decrepit that they have to reboot it a
couple of times a day just to get the application un-hosed. And, of
course, they have even less money that we do, and we're poor!
Thanks again for your reply. Problem is, we really don't have a way to
test this, because we don't have a test area that's anything like our
forest. So, it's one of those gambles we'll have to decide if we're
willing to take. Do the benefits outweigh the risks, etc.
--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
MailTo:Larry.Wahlers@concordiatech.org
Business Phone: (314) 996-1876
, NT member servers won't give a toss
> about the switch in DFL/FFL.
>
> (Insert usual caveat: Changes to DFL/FFL are one-way
> operations and should be tested thoroughly before
> implementing in production to ensure that nuclear winter does
> not result, blah blah blah.)
>
>
> On Fri, May 2, 2008 at 11:12 AM, Larry Wahlers
> <Larry.Wahlers@concordiatech.org> wrote:
> > Hello, colleagues,
> >
> > I inherited the AD job from a fellow who is no longer with
> us, and the
> > push is on to raise our forest to Windows 2003. All domain
> controllers
> > in the forest are Windows 2003 and 2 of the 3 domains are
> Windows 2003.
> > One of the domains is Windows 2000 mixed. I think this
> domain is that
> > way because there are several NT4 servers in that domain,
> and I seem
> > to remember the thought was they would break if the domain
> functional
> > level was raised. Since the fellow who architected this
> whole design
> > has left, I have to wonder if that is true? This KB seems
> to say it should be OK:
> >
> > http://support.microsoft.com/kb/322692
> >
> > "Note Network clients can authenticate or access resources in the
> > domain or forest without being affected by the Windows Server 2003
> > domain or forest functional levels. These levels only
> affect the way
> > that domain controllers interact with each other."
> >
> >
> >
> > --
> > Larry Wahlers
> > Concordia Technologies
> > The Lutheran Church - Missouri Synod
> > MailTo:Larry.Wahlers@concordiatech.org
> > Business Phone: (314) 996-1876
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
> >
>
>
>
> --
> -----------------------
> Laura E. Hunter
> Microsoft MVP - Windows Server System - Directory Services
> https://mvp.support.microsoft.com/profile/laura
> Author: _Active Directory Consultant's Field Guide_
> (http://tinyurl.com/7f8ll)
> Author: _Active Directory Cookbook, Second Edition_
> (http://tinyurl.com/z7svl)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| adwulf
Posts:37
| | 05/02/2008 12:11 PM |
| 2008/5/2 Larry Wahlers <Larry.Wahlers@concordiatech.org>:
> One of the domains is Windows 2000 mixed. I think this domain is that
> way because there are several NT4 servers in that domain, and I seem to
> remember the thought was they would break if the domain functional level
> was raised. Since the fellow who architected this whole design has left,
> I have to wonder if that is true? This KB seems to say it should be OK:
>
> http://support.microsoft.com/kb/322692
>
The NT4 BDC will still run, and you'll still be able to access file
shares and services on it - with the exception of those related to
being a domain controller.
The server will still believe itself to be a DC, and will get
incredibly confused as to why it gets so many errors in its logs.
I know this because a couple of years ago, I decomm'd the last NT4 BDC
prior to switching up to 2K native - only to have somebody turn it
back on and reconnect it a couple of months later.
--
AdamT
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| LarryWahlers
Posts:20
| | 05/02/2008 1:22 PM |
| Thanks, Adam. We don't have any more real NT4 BDC's or PDC's anymore. In
fact, the machines don't even exist anywhere. So, there isn't a decomm'd
NT4 BDC lurking around just waiting for some clueless admin to plug in
and turn on! (Pretty sure, anyway, unless somebody took it home with
them.)
So, I'm thinking, from comments I've read and folks I've talked to over
the last few hours, I should be good to go.
--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
MailTo:Larry.Wahlers@concordiatech.org
Business Phone: (314) 996-1876
> -----Original Message-----
> From: ActiveDir-owner@mail.activedir.org
> [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Adam Thompson
> Sent: Friday, May 02, 2008 11:09 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Raise forest functional level
>
> 2008/5/2 Larry Wahlers <Larry.Wahlers@concordiatech.org>:
>
> > One of the domains is Windows 2000 mixed. I think this
> domain is that
> > way because there are several NT4 servers in that domain,
> and I seem
> > to remember the thought was they would break if the domain
> functional
> > level was raised. Since the fellow who architected this
> whole design
> > has left, I have to wonder if that is true? This KB seems
> to say it should be OK:
> >
> > http://support.microsoft.com/kb/322692
> >
>
> The NT4 BDC will still run, and you'll still be able to
> access file shares and services on it - with the exception of
> those related to being a domain controller.
> The server will still believe itself to be a DC, and will get
> incredibly confused as to why it gets so many errors in its logs.
>
> I know this because a couple of years ago, I decomm'd the
> last NT4 BDC prior to switching up to 2K native - only to
> have somebody turn it back on and reconnect it a couple of
> months later.
>
> --
> AdamT
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| laurahcomputing
Posts:43
| | 05/02/2008 1:22 PM |
| >From personal experience I can tell you that I've made the switch
numerous times and my NT member servers didn't even blink. From pure
change control management standpoint I'd call it worthy of vetting in
a test lab, but if that mechanism simply isn't available to you I'd
assign it relatively low risk.
On Fri, May 2, 2008 at 1:19 PM, Larry Wahlers
<Larry.Wahlers@concordiatech.org> wrote:
> Thanks, Adam. We don't have any more real NT4 BDC's or PDC's anymore. In
> fact, the machines don't even exist anywhere. So, there isn't a decomm'd
> NT4 BDC lurking around just waiting for some clueless admin to plug in
> and turn on! (Pretty sure, anyway, unless somebody took it home with
> them.)
>
> So, I'm thinking, from comments I've read and folks I've talked to over
> the last few hours, I should be good to go.
>
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> MailTo:Larry.Wahlers@concordiatech.org
> Business Phone: (314) 996-1876
>
>
>
>
> > -----Original Message-----
> > From: ActiveDir-owner@mail.activedir.org
> > [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Adam Thompson
> > Sent: Friday, May 02, 2008 11:09 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Raise forest functional level
> >
> > 2008/5/2 Larry Wahlers <Larry.Wahlers@concordiatech.org>:
> >
> > > One of the domains is Windows 2000 mixed. I think this
> > domain is that
> > > way because there are several NT4 servers in that domain,
> > and I seem
> > > to remember the thought was they would break if the domain
> > functional
> > > level was raised. Since the fellow who architected this
> > whole design
> > > has left, I have to wonder if that is true? This KB seems
> > to say it should be OK:
> > >
> > > http://support.microsoft.com/kb/322692
> > >
> >
> > The NT4 BDC will still run, and you'll still be able to
> > access file shares and services on it - with the exception of
> > those related to being a domain controller.
> > The server will still believe itself to be a DC, and will get
> > incredibly confused as to why it gets so many errors in its logs.
> >
> > I know this because a couple of years ago, I decomm'd the
> > last NT4 BDC prior to switching up to 2K native - only to
> > have somebody turn it back on and reconnect it a couple of
> > months later.
> >
> > --
> > AdamT
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
>
--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server System - Directory Services
https://mvp.support.microsoft.com/profile/laura
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
|
|