Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


August 30, 1999

Mixed Mode vs. Native Mode



By default, Windows 2000 (Win2K) networks operate in mixed mode, which lets Win2K and Windows NT domain controllers coexist. During migration to Win2K, mixed mode provides the functionality that lets NT domain controllers continue to offer domain services. After you upgrade all NT domain controllers to Win2K, switch from mixed mode to native mode, which doesn’t support NT domain controllers. However, before you switch to native mode, you need to understand the differences between the two modes. Depending on your organization, the timing of your conversion to native mode can be a critical decision with major implications. It’s a one-way conversion: there’s no going back.

Mixed Mode
In mixed mode, a Win2K domain assigns a domain controller to act as a PDC for NT BDCs. By default, the first domain controller in a Win2K domain acts as a PDC emulator. There can be only one PDC emulator in a domain, and you can assign the role to any domain controller in a domain. The PDC emulator performs several important tasks in mixed mode, including:

  • Acting as a PDC and replicating account information to BDCs.

  • Handling account modifications, including password changes.

  • Acting as a master browser for NT clients.

  • Providing NT LAN Manager (NTLM) authentication services.

  • Supporting Active Directory (AD) replication to Win2K domain controllers and NTLM replication to BDCs.

If a Win2K site in mixed mode contains Win2K clients, make sure there’s at least one Win2K domain controller in that site, because Win2K clients first attempt to locate Win2K domain controllers using DNS. If a client doesn’t find a Win2K domain controller, it will try to use NTLM to log on to an NT domain controller. NT doesn’t support group policies, so your Win2K client users won’t be able to take advantage of either the group policies or the logon scripts.

In mixed mode, NT client users won’t be able to change their passwords if the PDC emulator, an operations master, isn’t available. In fact, the PDC emulator plays a role even in native mode, where it’s responsible for handling password changes and account lockouts.

Another operations master you must make available in mixed mode is the RID Operations Master, required to provide security descriptors to the NT clients. Also, you’ll have to address some issues in mixed mode relating to NT’s LAN Manager Replication (LMRepl) versus Win2K’s File Replication Service.

Native Mode
As I mentioned earlier, native mode doesn’t support NT domain controllers; you can only have Win2K domain controllers. However, you can have NT workstations and member servers in native mode.

Major advantages of native mode include support for universal groups, nested groups, and transitive trust relationships. One of the biggest drawbacks of mixed mode is that AD’s scalability is limited to 40MB, because the PDC emulator replicates changes to NT domain controllers, which have limited scalability by design. By default, Win2K domain controllers establish an automatic two-way Kerberos trust relationship with all other domain controllers in a domain. Because NT domain controllers don’t understand Kerberos transitive trusts, you have to establish explicit (manual) one-way trusts between domains to authenticate users from other domains.

Win2K clients process group policies, and there’s a Group Policy option that lets you enable NT-style system policies for Win2K clients—but that’s an option I’d caution against. NT clients support only system policies and don’t understand group policies. Even in a Win2K network, NT clients can take advantage of NT system policies. However, you might run into problems if you have both the group and system policies enabled on your Win2K network. System policies will overwrite the Win2K group policies. One solution is to ensure that your group policies and system policies match, which might be easier said than done. By switching to native mode, you only have to deal with Win2K’s group policies.

You should now have a better picture of the issues you’ll face in native mode. Most organizations will want to switch to native mode sooner rather than later. If you’re not switching to native mode because you suspect that you’ll have to add NT BDCs to your domain, don’t worry. You can always add a new domain to your Win2K network, which installs in mixed mode by default. Then you can add NT BDCs to that domain.
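
As an added example (not part of the original article), here is a read-only PowerShell check to run before the one-way switch. It reads the domain's nTMixedDomain attribute, lists the domain controller accounts with their reported operating system, and shows which servers hold the PDC emulator and RID master roles. It assumes a domain-joined machine with PowerShell 3.0 or later; treating a missing or 4.x operatingSystemVersion as a sign of an NT domain controller is a heuristic chosen for this example.

```powershell
# Added example: read-only audit before switching a domain from mixed to native mode.
# Uses ADSI (System.DirectoryServices) only; nothing in the directory is modified.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# nTMixedDomain on the domain head object: 1 = mixed mode, 0 = native mode.
$mode = if ([int]$domain.nTMixedDomain.Value -eq 1) { 'Mixed' } else { 'Native' }

# Operations masters: fSMORoleOwner holds the DN of the role holder's NTDS Settings object.
$pdcOwner   = [string]$domain.fSMORoleOwner
$ridManager = [ADSI]"LDAP://CN=RID Manager`$,CN=System,$domainDn"
$ridOwner   = [string]$ridManager.fSMORoleOwner

# Domain controller accounts carry SERVER_TRUST_ACCOUNT (0x2000 = 8192) in userAccountControl.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem', 'operatingSystemVersion'))

$dcs = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Name    = [string]$r.Properties['name'][0]
        OS      = [string]$r.Properties['operatingsystem']
        Version = [string]$r.Properties['operatingsystemversion']
    }
}

# Heuristic (assumption of this example): an empty or 4.x version suggests an NT
# domain controller that must be upgraded or retired before the switch.
$legacy = @($dcs | Where-Object { -not $_.Version -or $_.Version -like '4.*' })

[pscustomobject]@{
    Domain          = $domainDn
    Mode            = $mode
    PdcEmulator     = $pdcOwner
    RidMaster       = $ridOwner
    DomainCtrlCount = @($dcs).Count
    LegacyDCs       = ($legacy | ForEach-Object { $_.Name }) -join ', '
    ReadyForNative  = ($legacy.Count -eq 0)
}
```

Because the conversion cannot be reversed, confirm any domain controller the script flags by hand rather than relying on the directory attributes alone.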




Reader Comments
Does this mean that mixed mode does not support Kerberos and only supports NTLM? If I switched to native mode, would I be able to use Kerberos authentication?

samuel June 19, 2002


I have 2 Winnt 4 and a W2K server. I'm trying to take out the Winnt 4 BDC, but users can then not log on (not authenticated) even though the PDC is still active? I have tried stopping the Netlogon service on this BDC, but again users are unable to log on and see the W2K server. How do I make the W2K server a BDC without installing Active Directory? (Co. policy not to install AD yet)

Eamonn Rafferty April 18, 2003


Good way to slowly migrate to 2K server as domain controller from NT server domain controller.

vinay September 29, 2003


It's clear and written to easily be understood.

Thnx & greetz from Holland

Walter Rhee January 13, 2004


We are prepping for native mode but still have a few Windows 98 PCs that log onto the domain. No policies are pushed down to them, so that's not a problem. Any issues with Windows 98 logging onto the native domain?

Kerry Fretz May 14, 2004


I have 2 domains, one with a 2000 domain controller and 5 NT BDCs; the second domain is Windows 2000 only. They have a two-way trust, but I can only see the PDC and not the BDCs.

rainier June 04, 2004


Good topic. Keep it up!

Anonymous User November 30, 2004


Arin 4tw :) !!!!!!

Anonymous User September 09, 2005






 Windows IT Pro is a Division of Penton Media Inc.
 © 2010 Penton Media, Inc. Terms of Use | Privacy Statement