Determining When to Move to Native Mode

It is easy to switch the domain from mixed to native mode, but the switch cannot be undone. To determine when to make the switch, you need to consider all the factors in this section. You cannot switch the domain to native mode if the domain currently contains or will contain any Windows NT domain controllers.

Reasons for Continuing in Mixed Mode

The primary reasons for keeping your domain in mixed mode are as follows:

Cannot Upgrade Application Servers

You have application servers that cannot be upgraded or demoted to member servers. For example, to achieve high throughput some applications need to be installed on BDCs to avoid pass-through authentication. BDCs that host such applications are called application servers.

Inadequate Physical Security of BDCs

Security is an important consideration in domain planning. A fundamental aspect of security is the physical security of the computer itself; any computer that is physically easy to access is vulnerable to attack. A consideration here could be the difference between single-master updating of the SAM by the PDC alone and Active Directory multiple-master updating of the account database by all domain controllers.

Because of the single-master nature of Windows NT directory updates, you might be comfortable with comparatively relaxed security on your BDCs. If this is the case, you need to reconsider it when upgrading them to Windows 2000 domain controllers. If you cannot upgrade the security of your BDC appropriately, you might consider demoting the BDC to a member server during upgrade, adding a new Windows 2000 domain controller in a different location, or possibly reconsidering your proposed domain structure.

Complete Fallback to Windows NT Remains Necessary

One of the benefits of mixed mode is the degree of backward compatibility. Mixed mode allows new BDCs to be added to the domain if a problem arises. After the new BDC has joined the domain, you can resynchronize the account database. As long as there are no other Windows 2000 domains, you are able to promote the BDC to a PDC.

You need to plan for fallback or recovery, but at some point you will want to switch over to the new environment completely to take full advantage of Windows 2000 features.

One good reason to move to native mode is to be able to use all Windows 2000 groups, including nested groups. At this point, you need to consider which groups you might want to promote to universal groups.

Reasons for Moving to Native Mode

Though you can benefit greatly from upgrading your PDC and BDCs and keeping your domain in mixed mode, it is recommended that you make the switch to native mode as soon as possible. Native mode can help you increase the overall functionality of your network as follows:

  • New Windows 2000 group types are available.

  • Native mode domains can use universal groups and group nesting.

As discussed, the switch to native mode is not performed automatically; you must initiate the change through the Active Directory Domains and Trusts snap-in from the Microsoft Management Console (MMC). For details on how to use this snap-in, see the Windows 2000 Server Help files.