Connecting to domain controllers running Windows 2000
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you need to connect to a domain controller running Windows 2000 from a domain controller running Windows Server 2003, a number of Active Directory administrative tools are available, such as Active Directory Domains and Trusts.
The following Windows Server 2003 Active Directory administrative tools will sign and encrypt all LDAP traffic by default:
Active Directory Users and Computers
Active Directory Sites and Services
Active Directory Domains and Trusts
Active Directory Schema
ADSI Edit
Dsrm.exe
Dsmove.exe
Dsadd.exe
Dsmod.exe
Dsget.exe
Dsquery.exe
Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. The Active Directory administrative tools in Windows 2000 do not sign and encrypt all LDAP traffic by default. In order to maintain a secure network, it is strongly recommended that you upgrade all domain controllers running Windows 2000 to Service Pack 3 or later.
You can use the corresponding Active Directory administrative tools in Windows 2000 to manage Windows 2000 domain controllers that do not have Windows 2000 Server Service Pack 3 or later installed. However, LDAP traffic is not signed and encrypted on domain controllers running Windows 2000.
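To find the domain controllers the recommendation above applies to, the following added example (not part of the original documentation) flags Windows 2000 domain controllers below Service Pack 3 from an export of each computer object's operatingSystem and operatingSystemServicePack attributes. The host names and the "attribute: value" text layout are constructed for illustration.

```python
import re

# Constructed sample: computer-object attributes for four domain controllers,
# one "attribute: value" line each, blank line between entries (assumed layout).
SAMPLE = """\
name: DC-HQ-01
operatingSystem: Windows Server 2003
operatingSystemServicePack: Service Pack 1

name: DC-BR-02
operatingSystem: Windows 2000 Server
operatingSystemServicePack: Service Pack 2

name: DC-BR-03
operatingSystem: Windows 2000 Server

name: DC-LAB-04
operatingSystem: Windows 2000 Advanced Server
operatingSystemServicePack: Service Pack 4
"""

MIN_W2K_SP = 3  # the page recommends Service Pack 3 or later

def parse_entries(text):
    """Split the export into one dict of attributes per domain controller."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = value.strip()
        if attrs:
            entries.append(attrs)
    return entries

def service_pack_level(attrs):
    """Return the service pack number, or 0 when the attribute is absent."""
    match = re.search(r"Service Pack (\d+)", attrs.get("operatingsystemservicepack", ""))
    return int(match.group(1)) if match else 0

def needs_upgrade(text):
    """Names of Windows 2000 domain controllers below Service Pack 3."""
    return [e.get("name", "?") for e in parse_entries(text)
            if e.get("operatingsystem", "").startswith("Windows 2000")
            and service_pack_level(e) < MIN_W2K_SP]

if __name__ == "__main__":
    print("Upgrade to SP3 or later:", ", ".join(needs_upgrade(SAMPLE)))
```

A domain controller with no service pack attribute is treated as level 0, so it is reported rather than silently skipped.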
Although it is not recommended, you can disable encrypted and signed LDAP traffic used with Active Directory administrative tools on a server running Windows Server 2003 or on a computer running Windows XP Professional that has the Windows Server 2003 Administration Tools Pack installed. For more information, see Disable signed or encrypted LDAP traffic.