Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


August 2000

Can Win2K and NT 4.0 Coexist?



Third, clear the Register this connection's addresses in DNS check box on the DNS tab of Advanced TCP/IP Settings. Win2K AS selects the box by default. However, when you're running NT 4.0 DNS, legacy DNS servers don't recognize a dynamic name registration. If you don't clear the box, you'll see several errors in the DNS server's System event log, including

Event ID 7053 DNS Server sendto() function failed.
The data is the error.

and

Event ID 5000 DNS Server is logging numerous run-time events.
This is usually caused by the reception of bad or unexpected
packets, or from problems with or excessive replication traffic...
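The dynamic name registrations that a Win2K system sends are RFC 2136 DNS UPDATE messages (opcode 5), a detail the article does not spell out. The following added example, which is not from the original article, builds one such message and classifies the packets in a constructed capture to list the clients that still have the check box selected; the addresses, the ws1/ws3 host names, and all function names are assumptions made for illustration.

```python
import struct
OPCODE_UPDATE = 5  # RFC 2136 dynamic update
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_update(zone, host, ipv4, ttl=1200, msg_id=0x2000):
    """Minimal UPDATE request: one zone entry, one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_entry = encode_name(zone) + struct.pack("!HH", 6, 1)   # SOA, IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    record = encode_name(host) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + zone_entry + record

def build_query(name, msg_id=0x2001):
    """Ordinary A-record lookup, for contrast."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def classify(packet):
    """Decode the 12-byte DNS header; that is enough to spot an UPDATE."""
    if len(packet) < 12:
        return {"error": "truncated header"}
    msg_id, flags, *counts = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0xF
    return {"id": msg_id, "response": bool(flags & 0x8000),
            "opcode": OPCODES.get(opcode, "opcode %d" % opcode),
            "rcode": flags & 0xF, "counts": tuple(counts),
            "dynamic_update": opcode == OPCODE_UPDATE}

def dynamic_update_sources(capture):
    """Return the clients that sent UPDATE requests (box still selected)."""
    found = set()
    for src, payload in capture:
        info = classify(payload)
        if info.get("dynamic_update") and not info["response"]:
            found.add(src)
    return sorted(found)

# Constructed capture of (source address, UDP payload to port 53); not real traffic.
SAMPLE_CAPTURE = [
    ("10.0.0.21", build_update("win2000mag.com", "ws1.win2000mag.com", "10.0.0.21")),
    ("10.0.0.22", build_query("bdc.win2000mag.com")),
    ("10.0.0.23", build_update("win2000mag.com", "ws3.win2000mag.com", "10.0.0.23")),
    ("10.0.0.24", b"\x00\x01"),  # runt datagram, ignored
]
```

Calling dynamic_update_sources(SAMPLE_CAPTURE) returns the two constructed clients that sent UPDATE requests, which are the systems where the check box still needs to be cleared.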

Configuring a Win2K Domain Controller
You create a Win2K domain controller when you install Win2K AS with the AD component. When you select the option for a new domain, the setup wizard asks you to enter the domain name, which is typically a TCP/IP Fully Qualified Domain Name (FQDN—e.g., win2000mag.com). The NetBIOS field on the same prompt displays the equivalent name for NT 4.0 systems (e.g., win2000mag); Win2K systems register this NetBIOS name in WINS for NT 4.0 compatibility. After you reboot the AD domain controller, you manage most aspects of the Win2K domain from three AD MMC snap-ins: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services. These three applications also appear individually in the Administrative Tools program group.

You run the command-line utility Dcpromo to demote a Win2K domain controller to a standalone server. You can run Dcpromo from the Configure Your Server applet in Administrative Tools, from the Start menu's Run option, or from a command prompt. After running Dcpromo, you must reboot the system to activate its new status as a standalone server. I promoted and demoted Win2K domain controllers during testing with excellent results, never once hanging the system. The demoted server had no problem changing its role from a Win2K domain controller to a Win2K server in my NT 4.0 domain.

When I installed DNS on my Win2K domain controller, I was pleased with the wizard that helped me define the zones, including the reverse-address zone, which you no longer have to create manually. DNS, like most Win2K services I tested, has a restart option which eliminates NT 4.0's stop-and-start steps.

I next wanted to test cross-account access between the Win2K and NT 4.0 domains. You set up an explicit trust between Win2K and NT 4.0 domains the same way you set up trusts in NT 4.0 domains. In Win2K, start the Active Directory Domains and Trusts utility, which displays a list of Win2K domains. Right-click the Win2K domain for which you want to create a trust, select Properties, and choose the Trusts tab. The screen you see is similar to the corresponding screen in NT 4.0. Figure 4, page 72, shows a two-way explicit trust that I configured between my Win2K domain (Wildwooda) and my NT 4.0 domain (Wildwood).

Win2K is much smarter than NT 4.0 about creating trusts. To display the trust's status, select the trusted or trusting domain and click the Edit button. At the resulting tabbed page (which Figure 5 shows), you can click the Verify button to troubleshoot and, if necessary, update the trust relationship. Because I was booting the same system as a standalone server and a Win2K domain controller, I used this feature frequently to confirm that the NT 4.0 trust still existed after the Win2K domain controller had been offline for most of the day.

RRAS and CA
As a longtime VPN fan, I was eager to explore Win2K's new VPN features on both the server and the client side, as well as interoperability between Win2K VPN clients and a legacy server and between legacy clients and a Win2K VPN server. Using the default settings, I quickly set up a Win2K RRAS server. For my first RRAS test, I defined 10 PPTP ports and successfully created VPN connections from Win2K and NT 4.0 systems to the Win2K RRAS server. I also successfully connected a Win2K PPTP client to my NT 4.0 RRAS server. For my next Win2K RRAS server test, I defined 10 Layer 2 Tunneling Protocol (L2TP) ports and quickly confirmed that because L2TP relies on IP Security (IPSec) for encryption, a Win2K L2TP client needs a computer certificate to successfully connect to a Win2K RRAS server.

Win2K AS includes a CA service you can install in enterprise or standalone mode. When you install CA in enterprise mode, Group Policy defines how computers and users request certificates and, by default, CA automatically grants or denies requests based on the requestor's credentials.

When you install CA in standalone mode, you must use Microsoft Internet Explorer (IE) or another browser to manually request a certificate from CA. Standalone CA defines a \\server\CertSrv share that users can access to request certificates by filling out the displayed form. Unlike the enterprise version, the standalone version requires a Win2K domain administrator (or an account with sufficient permission to manage CA) to manually approve each user's certificate request. After installing standalone CA, I requested and received a computer certificate for my Win2K workstation, which successfully used L2TP/IPSec to connect to the Win2K RRAS server with no noticeable delay.

The animated network icons that appear in the lower-right corner of the Win2K screen are helpful for troubleshooting LAN, WAN, and VPN connections. At one point, my Win2K Pro system had an ISP connection, a LAN connection, and PPTP and L2TP/IPSec connections to the Win2K RRAS server. Each connection had an icon that showed exactly what was happening at both ends of the link. The icon feedback is a real confidence builder and a great first step for troubleshooting connectivity problems. And, as one Windows 2000 Magazine reader has pointed out, the transmit and receive indicators help you monitor the sometimes lengthy network delays you experience while a Win2K system is searching, possibly in vain, for a network resource.

As I booted different configurations on my Dell test system, some with and some without Win2K RRAS, I was pleased that RRAS successfully reestablished its connection to the Internet through my WAN link. I experience constant headaches with NT 4.0 RRAS, but the basic RRAS features I tested in Win2K operated correctly all the time.

Remote Administration with the MMC
Before you go too far testing Win2K, download the quick tutorial "Step-by-Step Guide to the Microsoft Management Console" from http://www.microsoft.com/windows2000/library/planning/ to learn how to customize the MMC. Organizing MMC snap-in windows to suit your personal preferences can save you time. I have one window for all AD services, another for CA and certificates, and another that presents all the information I need to monitor and manage my local system.

Many MMC snap-ins have a check box that lets you point the snap-in at remote systems. I recommend you select this check box because this feature lets you manage NT 4.0 systems remotely from a Win2K server or domain controller.

Figure 6 shows the expanded view of the MMC Computer Management snap-in monitoring three systems: a Win2K server (Local), an NT 4.0 domain controller (BDC), and an NT 4.0 server (ASPEN). To create this multisystem view, I selected the Allow the selected computer to be changed when launching from the command line check box when I loaded the snap-in so that I could direct the tools to remote systems. Although many Computer Management features (e.g., disk quotas, disk defragmentation, device manager) are specific to Win2K, you can examine shares and connections and stop and restart services on remote NT 4.0 systems from this interface. When you expand a function that NT doesn't support, the snap-in returns the message The connection to computername could not be established.

A Favorable Impression
In my small lab environment, I was pleasantly surprised by how well the new and legacy Windows technologies worked together. The ease with which I could promote and demote Win2K domain controllers and the cooperation between Win2K and legacy domains impressed me. The IBM ThinkPad easily booted Win2K Pro or Win2K AS, and the notebook power-management features were all operational. Win2K and NT 4.0 clients changed their domain membership between Win2K and NT 4.0 upon demand. During weeks of testing, I never experienced a blue screen or system hang. I enjoyed watching Win2K and NT 4.0 clients connect to the Win2K RRAS server concurrently and loved the feedback from the network icon status screen.

Win2K installation wizards facilitated the installation of new components, and I found the default settings for most components adequate for getting started. Go with the defaults the first time you install a new component or feature, and change them only if you don't get the results you want or expect. To facilitate testing, enable auditing for logon and logoff failures and privilege use on domain controllers or servers in both Win2K and NT 4.0 domains. When you get unexpected results, check the event logs on all affected systems for troubleshooting information.

I do have a few complaints about Win2K. The network timeouts are still too long, loading the vendor list of print drivers takes forever, and although Microsoft significantly reduced the number of required reboots, many situations still require a system restart. However, overall, I think you'll be pleased with how easy it is to integrate Win2K into your existing NT 4.0 network.



Reader Comments
I am running 5 Win2K workstations against a Win NT 4.0 PDC and Win NT 4.0 Server both with SP# 6. I use "Per Server" licensing. As I upgraded my NT 4.0 workstations to Win2K, I began to have license problems on my NT 4.0 Server. Event ID 201 "No license was available for user ___ using product SMB Server 4.0." When I do a "NET SESSIONS" I see an average of 4 connections per workstation: 21950, 21953, etc. On the client side, I see "No more connections can be made to this remote computer at this time because there are only already as many connections as the computer can accept." I use NET SESSIONS to kill connections and start over. To get around the problem, I have upped the number of allowed concurrent connections. Yes, Win2K and NT 4.0 can coexist but this problem needs to be better understood.


Bruce Riddle July 18, 2000


I have 2 domains in my organization. One is a w2k domain (mixed mode), and one is an NT 4 Domain. They seem to coexist OK, except for one problem: There is a one-way trust where the w2k domain trusts the NT 4 domain. I want the NT 4 Domain Admins to be Domain admins on the w2k domain. In the active directory users MMC, I cannot make the NT 4 accounts members of the w2k Domain Admins group. Have I missed something, or can you not do this?

Jeremy Marsch July 27, 2000


A couple of times Paula talks about the "Setup" program doing things when installing a Domain Controller as opposed to a member server or stand-alone server. (The fourth paragraph of the Win2K AS section, for instance.) The setup program only installs stand-alone or member servers. After installation, running DCPROMO.EXE upgrades the server to a Domain Controller (either through a script, by using Configure My Server, or directly.) I don't know what the Microsoft people told her, but Setup certainly could not set a DNS suffix for a Domain Controller.

To Jeremy: Remember, Global Groups can only contain members from their own domain. This has not changed from NT4. You would need to place the Domain Admins into the Administrators group. And, btw, it would work exactly the same whether your Windows 2000 domain was mixed or native mode.

Beth Parkes July 29, 2000


There are some interesting issues noted in this article, even though it is brief and lacks considerable amounts of technical detail. Yes it is true, W2K and NT4 can coexist quite happily, but there was very little focus on the Active Directory component of W2K. This is the major advancement in technology between W2K and NT4 and there is very little mention of it. I am interested in the interaction of legacy technologies with the AD and how the NT4 and Win9x clients cope with the AD?

Glynn Llewellyn November 29, 2000


You're correct that a steep learning curve exists for Win2K, but the rewards for mastering new knowledge are immense. You can find answers for coexistence problems in the Windows 2000 Magazine forums (http://www.win2000mag.net/forums). Users post cross-platform problems and solutions in both the Win2K and Windows NT 4.0 forums.
--Paula Sharick

Paula Sharick December 01, 2000


A really nice benefit of Paula Sharick's "Can Win2K and NT 4.0 Coexist" (August 2000) is that the information in the article is helping me "play with the big kids," as well as learn about a topic that is sometimes very overwhelming. I've quoted the article several times in a Delphi forum (http://www.delphi.com), in which I and other Windows 2000 newbies relate our experiences trying to configure Win2K Server. We've made lots of mistakes, but we're doing a good job expressing the problems, frustrations, and joys of installing Win2K Server for the first time. Users who have traveled the ground we're just beginning to cross can relate to our experiences as we stumble and bumble our way through Win2K.

Greg Kotsovilis December 01, 2000


The NT 4.0 PDC will always stay master browser. The PDC status gives the server higher priority than any workstation--Win2K or NT 4.0.

--Paula Sharick December 01, 2000


I read Paula Sharick's article about Win2K and NT 4.0 coexistence, and a question came to mind. We're starting to add Win2K workstations to our single domain. Will Win2K Professional take precedence over the NT 4.0 server as master browser?

Ken Avis December 01, 2000


I have read your articles concerning the co-existence of Win2k and NT 4.0 but have not found an answer to my particular problem. I am running NT 4.0 SP5 on the server and rolling out Win2k pro on the workstations in a Student Computer Lab. Restricting user access is VERY important. When I try to create a mandatory profile I cannot assign it to a server group, only a local group. This means that it will only work on the PC it was created on.

Is there a way to create a profile on win2k pro and copy it to the NT 4.0 server, assigning it permissions for a server based group (eg Students)?

Kathleen Johnson January 22, 2001






 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement