Windows 2000 Server introduced two Active Directory modes, mixed and native, to support different deployment scenarios. Mixed mode provides backwards compatibility for Windows NT domains, while native mode provides expanded Windows 2000 functionality. Windows Server 2003 adds two additional modes, Windows Server 2003 interim and Windows Server 2003, giving you four modes from which to choose when deploying Windows Server 2003 Active Directory.
What are these modes and what implications and uses does each have?
Windows 2000 Server modes
As I mentioned above, Windows 2000 Server provides two Active Directory modes. The first, mixed mode, provides for compatibility with Windows NT domains. In effect, mixed mode dumbs down Active Directory to enable Windows NT domains to communicate with Active Directory. Mixed mode makes Active Directory function like a Windows NT primary domain controller (PDC), which enables cross-communication and interoperability with Windows NT domains and directly supports Windows clients from Windows 3.x through Windows ME.
Because Windows 2000 Server Mixed Mode allows a domain controller to emulate a PDC, mixed mode enables you to deploy a Windows Server 2003 Active Directory domain controller in a Windows NT domain or in a new domain that will support cross-communication with the NT domain. For example, you might upgrade your existing Windows NT DCs to Windows Server 2003 over an extended period of time and, when all DCs have been upgraded, switch to one of the other three modes to provide greater functionality. Because each upgraded DC will continue to interoperate with the others, you can take your time with the upgrade and not be concerned with an immediate domain restructuring.
Using Windows 2000 Server in mixed mode takes away a lot of the flexibility you would otherwise have in structuring your Windows Server 2003 domains. Some of the Windows Server 2003 features mixed mode does not support include:
- Nested security groups (although nested distribution groups are supported)
- Universal security groups
- SID history>
- The domain controller rename tool
Because of its limited functionality, Windows 2000 Server mixed mode is useful only when Windows Server 2003 must be introduced into an existing Windows NT domain or when cross-domain functionality is needed for one or more existing Windows NT domains. Where no Windows NT domains are present, you should consider one of the other three modes, starting with Windows 2000 Server native mode.
Windows 2000 Sever native mode eliminates the restrictions imposed by Windows NT compatibility. Unlike mixed mode, native mode supports universal groups, nested groups, conversion between security and distribution groups, and SID history (to allow migration of security principals from one domain to another). Moving to native mode disables NT domain controller emulation, however, removing the capability for replication with Windows NT domain controllers. In addition, Windows clients earlier than Windows 2000 must use the add-on Active Directory client software to enable interaction with the Active Directory.
Moving up to native mode also provides for greater security because you can switch to Kerberos for authentication of Windows 2000 or later clients. Earlier clients can continue to use NTLM for authentication, although NTLM results in decreased security. Finally, Windows 2000 Server native mode improves domain replication by moving away from the PDC/BDC topology imposed by Windows NT to the multimaster replication topology offered by Windows 2000 and Windows 2003.
Windows 2000 Server native mode is the choice to make when your Windows Server 2003 domain controllers must function within an existing Windows 2000 domain or when Windows 2000 DCs will be introduced into the Windows 2003 domain, if only temporarily. Using native mode ensures that the Windows 2000 DCs can interoperate with the Windows Server 2003 DCs in the domain.
Windows Server 2003 modes
Windows Server 2003 introduces two additional Active Directory modes, the first of which is Windows Server 2003 interim mode. This mode is intended to support migration from Windows NT domains to Windows Server 2003. Interim mode is available only when upgrading the first Windows NT domain to a new forest and supports Windows NT and Windows 2003 domain controllers. Interim mode does not support Windows 2000 DCs.
Interim mode provides much the same capability as Windows 2000 mixed mode, with a few improvements for replication. Interim mode is intended solely as a stop-gap to provide compatibility with NT domains until they can be upgraded to Windows 2000 or Windows 2003.
Play video
There are currently no comments for this post.