Gradually migrate from Win2000 to Win2003 AD

Archived from groups: microsoft.public.win2000.active_directory

I have 10 domain controllers to be migrated to Win2003 and little time to
migrate the whole thing.

If I raise the Forest to Win2003 and install two Win2003 (new hardware) DCs
and transfer the roles of PDC emulator and all other FSMO roles to the new
Win2003 servers, do you see any problem reinstalling Win2003 gradually on
each of the remaining DCs? (DCs are also GC on remote sites)
I already migrated to Exch2003.

I have SMS2.0SP5
Macintosh clients 7+
Win2000/XP
Win2003 DNS Servers
  1.

    "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
    news:e2XBu3C7EHA.2016@TK2MSFTNGP15.phx.gbl...
    > I have 10 domain controllers to be migrated to Win2003 and little time to
    > migrate the whole thing.
    >
    > If I raise the Forest to Win2003 and install two Win2003 (new hardware) DCs
    > and transfer the roles of PDC emulator and all other FSMO roles to the new
    > Win2003 servers, do you see any problem reinstalling Win2003 gradually on
    > each of the remaining DCs? (DCs are also GC on remote sites)
    > I already migrated to Exch2003.

    You cannot raise a Domain level to "Win2003 Server mode"
    until ALL DCs in domain run Win2003.

    You cannot raise the Forest level to "Win2003 Forest Functional
    Level" until ALL DOMAINS are at "Win2003 Server Mode",
    and thus until all DCs in Forest are running Win2003.

    If by "raise the Forest to Win2003" you mean run Forest
    and Domain prep to allow Win2003 DCs then that is fine
    but it does not change the domain mode or forest functional
    level.

    Usually the term "raise" is reserved to these features.

    > I have SMS2.0SP5
    > Macintosh clients 7+
    > Win2000/XP
    > Win2003 DNS Servers

    This is almost totally a DC issue.

    --
    Herb Martin


  2.

    Hi,

    > You cannot raise a Domain level to "Win2003 Server mode"
    > until ALL DCs in domain run Win2003.
    >
    > You cannot raise the Forest level to "Win2003 Forest Functional
    > Level" until ALL DOMAINS are at "Win2003 Server Mode",
    > and thus until all DCs in Forest are running Win2003.
    >

    I just returned from a year off on maternity leave. My replacement
    upgraded both my domains from Windows 2000 to Windows 2003 in one day,
    basically running the install off the CD. Things went really smoothly
    and there were no issues. I felt no need to do a completely new
    install of 2003 because of how similar it was to 2000 (unlike with
    NT).

    However, as I have only played with 2003 for a few months I wasn’t
    aware of the Windows 2003 server mode? What is the advantage of this?
    I have all Windows 2003 DC’s now and was running in native mode before
    the upgrade.

    Cheers,

    Lara

  3.

    > However, as I have only played with 2003 for a few months I wasn't
    > aware of the Windows 2003 server mode? What is the advantage of this?
    > I have all Windows 2003 DC's now and was running in native mode before
    > the upgrade.

    There were only two modes for Domains (and none
    for Forests) in Win2000.

    Win2003 adds several; there are now 4 modes for
    domains and 3 "functional levels" for forests -- many
    people use the term "functional mode" for both forests
    and domains but I prefer to keep the distinct terms for
    clarity.

    Domain modes:
    1) Mixed mode -- the default (available in Win2000)
    2) Native mode -- requires all Win2000+ DCs, i.e., no BDCs
       (available in Win2000)
    3) Interim (new to Win2003) allows BDCs but no Win2000
    4) Win2003 Server mode (Win2003 DCs ONLY)
       (this has also been called Win2003 Native mode at times)

    Forest functional levels:

    1) Windows 2000 FFL (roughly equivalent to Mixed
       mode at the domain level)
    2) Win2003 Interim FFL (mostly improves replication
       behavior since no Win2000 DCs are/can be involved.)
    3) Windows 2003 -- enables things like Forest level trusts
       and domain rename (since the entire forest is now Win2003
       DC and will not be confused by such changes.)
       Also "Defuncting" (yes, it's a verb) of Schema object additions
    There are various improvements but the simplest way
    to understand the difference between Native and Mixed
    (available even in Win2000) is that anything that would
    confuse an NT-BDC is not allowed.

    Note that Native mode is practically a DC issue and has
    NO direct effect on legacy clients. Some improvements
    include (not a full list): Group nesting and Universal
    groups, improved support for migrating users INTO the
    domain, dropping of the SAM (and any practical limits
    on domain size) by the PDC-emulator (which is STILL
    needed), improvements to RRAS for users (Policy grant
    and deny of access, IP assignment etc.), most group type
    conversions.

    The main improvements for Win2003 Server DOMAIN mode
    are Domain controller rename, InetOrgPerson password
    (can be used in place of User account object), and the
    updating of the last logon time -- really though for most
    people, the real reason for Win2003 mode at the domain
    is that all domains must be here to reach Win2003 FFL
    on the Forest.


    <http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_levels.asp>

    --
    Herb Martin
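
The rules from the two replies above, applied to the original question, as an added example that is not part of the thread: it works out the highest domain mode and forest functional level a given mix of DCs allows, and shows that a gradual reinstall unlocks nothing until the last legacy DC is gone. Host names and the domain `corp.example` are constructed, and a single domain is assumed for the sample inventory.

```python
from dataclasses import dataclass, replace

# DC operating-system generations named in the thread.
NT4, WIN2000, WIN2003 = "NT4 BDC", "Win2000", "Win2003"


@dataclass(frozen=True)
class DC:
    name: str    # constructed host name
    domain: str  # constructed domain name
    os: str      # one of NT4, WIN2000, WIN2003


def highest_domain_mode(dcs):
    """Return (mode, blockers): the highest domain mode this DC mix allows
    and the DCs that must be upgraded before Win2003 Server mode."""
    if not dcs:
        raise ValueError("a domain needs at least one DC")
    kinds = {dc.os for dc in dcs}
    blockers = sorted(dc.name for dc in dcs if dc.os != WIN2003)
    if not blockers:
        return "Win2003 Server mode", []
    if NT4 not in kinds:
        return "Native mode", blockers      # Win2000+ DCs only, no BDCs
    if WIN2000 not in kinds and WIN2003 in kinds:
        return "Interim", blockers          # BDCs allowed, no Win2000
    return "Mixed mode", blockers


def forest_readiness(dcs):
    """Return (forest_level, {domain: (mode, blockers)}) for a whole forest."""
    by_domain = {}
    for dc in dcs:
        by_domain.setdefault(dc.domain, []).append(dc)
    report = {d: highest_domain_mode(m) for d, m in by_domain.items()}
    if all(mode == "Win2003 Server mode" for mode, _ in report.values()):
        level = "Windows 2003 FFL"          # every domain is Win2003-only
    elif all(dc.os != WIN2000 for dc in dcs):
        level = "Win2003 Interim FFL"       # no Win2000 DCs anywhere
    else:
        level = "Windows 2000 FFL"
    return level, report


def gradual_reinstall(dcs):
    """Reinstall one legacy DC at a time; return [(legacy_left, forest_level)]
    for the starting state and after each reinstall."""
    current = list(dcs)
    steps = []
    while True:
        legacy = [i for i, dc in enumerate(current) if dc.os != WIN2003]
        steps.append((len(legacy), forest_readiness(current)[0]))
        if not legacy:
            return steps
        current[legacy[0]] = replace(current[legacy[0]], os=WIN2003)


def sample_inventory():
    """Constructed inventory shaped like the original question: ten Win2000
    DCs plus two new Win2003 DCs that took over the FSMO roles."""
    old = [DC(f"dc{n:02d}", "corp.example", WIN2000) for n in range(1, 11)]
    new = [DC(f"newdc{n}", "corp.example", WIN2003) for n in (1, 2)]
    return old + new


if __name__ == "__main__":
    level, report = forest_readiness(sample_inventory())
    print(level, "/", report["corp.example"][0])
    for left, lvl in gradual_reinstall(sample_inventory()):
        print(f"{left:2d} legacy DCs left -> {lvl}")
```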


  4.

    Hi,

    Thanks. I understand the different modes in Windows 2000 and the
    benefit of going to native mode in W2k. For me it was the RRAS access
    in Group Policy.

    I didn’t know you had to be in the Windows 2003 Server mode to rename
    a DC. Also I didn’t know you could rename a domain in 2003. That is
    a definite improvement I have been pushing for. Now if only they would
    allow you to merge two pre-existing Forest/Tree/Domains into one
    Forest. That is the next step. They should have done this with 2003 in
    my opinion. There are too many cases where two companies merge and
    don’t want to have to dissolve one domain.

    Cheers,

    Lara
  5.

    > Thanks. I understand the different modes in Windows 2000 and the
    > benefit of going to native mode in W2k. For me it was the RRAS access
    > in Group Policy.

    Yes. I was pretty sure you knew about Win2000 Server
    mode but it is much easier to discuss the other modes and
    FFL if you start with those changes and build it incrementally.

    Most people make the mistake of trying to understand this
    stuff en masse.

    > I didn't know you had to be in the Windows 2003 Server mode to rename
    > a dc.

    It is greyed out in all Win2000 modes.

    > Also I didn't know you could rename a domain in 2003. That is
    > a definite improvement I have been pushing for.

    There are some limitations so before you depend on it
    you need to investigate more deeply.

    > Now if only they would
    > allow you to merge two pre-existing Forest/Tree/Domains into one
    > Forest. That is the next step. They should have done this with 2003 in
    > my opinion. There are too many cases where two companies merge and
    > don't want to have to dissolve one domain.

    This is approximated by Forest level trusts. While
    there is still no true "prune and graft" of domains or
    Forests, the Forest level trust allows for a single
    trust between the two forests to be transitive to all
    domains within those forests (one-way or two-way
    as an option.)

    Although the documentation says that Forest trusts
    are transitive, they are in fact only SEMI-transitive,
    i.e., a single trust creates an effective trust between
    all domains in two forests but if a third forest is
    involved the transitivity does not propagate across
    FORESTS -- to the next forest.

    --
    Herb Martin
  6.

    Hi,

    Thanks for the info. Windows 2003 is quite new to me so I will have to
    explore it further.

    You wouldn’t happen to know the registry key to change to make all
    new shares Everyone=Full Control instead of Everyone=Read would you?
    It is the one most annoying thing about Windows 2003 that I haven’t
    figured out how to change.

    Who uses Share permissions in W2003, I don’t know. Why bother when
    NTFS is far more effective and adding share permissions only
    complicates things. I have never had non-NT clients so I have never
    seen the need to use share permissions.

    Cheers,

    Lara

  7.

    > Thanks for the info. Windows 2003 is quite new to me so I will have to
    > explore it further.
    >
    > You wouldn't happen to know the registry key to change to make all
    > new shares Everyone=Full Control instead of Everyone=Read would you?
    > It is the One most annoying thing about Windows 2003 that I haven't
    > figured out how to change.

    No, I don't but were I to know that I might not tell <grin>
    since it is such a bad idea.

    Really, I try to get people to REMOVE all of the Everyone
    references and substitute (at worst) Authenticated Users, or
    better the specific groups who should have access.

    > Who uses Share permissions in W2003, I don't know. Why bother when
    > NTFS is far more effective and adding share permissions only
    > complicates things.

    They both have their value. For one, if you know that
    a group will never need more than read, you set the
    share to READ for that group so that you cannot accidentally
    grant too much through NTFS.

    Defense in depth.

    You can also use CHANGE on the share to prevent
    people from changing permissions on their own files
    or to secure files on FAT, FAT32, etc.

    > I have never had non-NT clients so I have never
    > seen the need to use share permissions.

    You may not need them in your situation, but those
    that make blanket statements to never use them are
    not thinking it through.

    --
    Herb Martin
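
The defense-in-depth point in the reply above, as an added example that is not part of the thread: access over the network is the intersection of what the share ACL and the NTFS ACL each grant, so a tight share ACL caps an NTFS mistake, and CHANGE on the share withholds the right to edit permissions. The model covers allow entries only; the group names `Staff` and `Contractors` and all ACLs are constructed.

```python
from enum import Flag, auto


class Right(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMS = auto()
    TAKE_OWNERSHIP = auto()


NONE = Right(0)
READ = Right.READ
CHANGE = Right.READ | Right.WRITE | Right.DELETE   # share "Change", NTFS "Modify"
FULL = CHANGE | Right.CHANGE_PERMS | Right.TAKE_OWNERSHIP


def granted(acl, principals):
    """Union of the allow entries that match any of the caller's principals."""
    result = NONE
    for who, rights in acl.items():
        if who in principals:
            result |= rights
    return result


def effective_over_network(share_acl, ntfs_acl, principals):
    """A right is usable through the share only if BOTH ACLs grant it."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)


# --- constructed principals and ACLs ---------------------------------------
CONTRACTOR = {"Everyone", "Authenticated Users", "Contractors"}
STAFF_OWNER = {"Everyone", "Authenticated Users", "Staff", "CREATOR OWNER"}

# NTFS mistake: Contractors were meant to get READ but received Modify.
NTFS_MISTAKE = {"Staff": CHANGE, "Contractors": CHANGE}
# NTFS default-style entry that gives file creators full control.
NTFS_OWNER_FULL = {"Staff": CHANGE, "CREATOR OWNER": FULL}

SHARE_EVERYONE_FULL = {"Everyone": FULL}                 # the setting asked about
SHARE_SCOPED = {"Staff": CHANGE, "Contractors": READ}    # specific groups only


def compare():
    """Effective network rights for each share ACL against the same NTFS ACLs."""
    return {
        "contractor, Everyone=Full": effective_over_network(
            SHARE_EVERYONE_FULL, NTFS_MISTAKE, CONTRACTOR),
        "contractor, scoped share": effective_over_network(
            SHARE_SCOPED, NTFS_MISTAKE, CONTRACTOR),
        "owner, Everyone=Full": effective_over_network(
            SHARE_EVERYONE_FULL, NTFS_OWNER_FULL, STAFF_OWNER),
        "owner, scoped share": effective_over_network(
            SHARE_SCOPED, NTFS_OWNER_FULL, STAFF_OWNER),
    }


if __name__ == "__main__":
    for case, rights in compare().items():
        print(f"{case:28s} -> {rights}")
```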


  8. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi,

    > You may not need them in your situation, but those that make blanket
    > statements to never use them are not thinking it through.

    I do troubleshooting for a variety of different networks as well as
    maintaining my own. Since Windows 2003 was released 90% of the
    problems have been caused by this annoying "new" feature. That and
    that new "Internet Explorer Security annoyance". I know in my case
    it has caused me hours and hours of work that I really don’t have time
    for.

    I am of the opinion that Microsoft should not try to save people from
    themselves. If you are a good admin you won’t ever need to use share
    permissions as NTFS are far more powerful and far more useful. I have
    1200 users per network in two different networks. No one has
    write-access to anything that I don’t specifically allow them access
    to. I have never "accidentally" set incorrect NTFS permissions.

    The only one time when I had an issue was with the Default permissions
    on an XP Pro drive. They "appear" to be Users=Read with no hint of
    anything else. However when you click "advanced" you see users have
    the right to create sub-folders and then full-control of those
    subfolders and files. Took me a while to figure that one out and
    unfortunately it was after I installed 300 new XP machines. Luckily the
    scripted XCacls saved the day and I could set the correct permissions
    via a startup script from the DC.

    > You can also use CHANGE on the share to prevent people from changing
    > permissions on their own files or to secure files on FAT, FAT32, etc.

    Windows 2003 won’t install FAT/Fat32 =).

    I do understand that Share permissions are there if I need them.
    However, I just don’t want them pre-set.

    Cheers,

    Lara
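
How the two layers argued over in the posts above combine, as an added example that is not part of the original thread: a simplified Python model in which access over the network is the intersection of what the share ACL and the NTFS ACL each grant. The three coarse rights, the user "alice" and the sample ACLs are constructed for illustration.

```python
from enum import IntFlag

class Right(IntFlag):
    READ = 1          # read/list/execute
    WRITE = 2         # create, modify, delete
    CHANGE_PERMS = 4  # edit the ACL, take ownership

FULL = Right.READ | Right.WRITE | Right.CHANGE_PERMS
# Coarse levels; share "Change" and NTFS "Modify" both map to READ|WRITE here.
LEVELS = {"Read": Right.READ, "Change": Right.READ | Right.WRITE,
          "Modify": Right.READ | Right.WRITE, "Full Control": FULL}

def granted(acl, token):
    """Rights one ACL gives a token: union of allows minus union of denies."""
    allow = deny = 0
    for trustee, kind, level in acl:
        if trustee in token:
            if kind == "deny":
                deny |= LEVELS[level]
            else:
                allow |= LEVELS[level]
    return Right(int(allow) & ~int(deny))

def effective(share_acl, ntfs_acl, token, over_network=True):
    """The share ACL applies to network access only; it can cap NTFS, never extend it."""
    ntfs = granted(ntfs_acl, token)
    return ntfs & granted(share_acl, token) if over_network else ntfs

# Constructed sample data (hypothetical user "alice" and her home folder).
ALICE = {"alice", "Domain Users", "Authenticated Users", "Everyone"}
HOME_NTFS = [("alice", "allow", "Full Control"),
             ("Administrators", "allow", "Full Control")]
SHARE_2003_DEFAULT = [("Everyone", "allow", "Read")]
SHARE_OLD_DEFAULT = [("Everyone", "allow", "Full Control")]
SHARE_SCOPED = [("Authenticated Users", "allow", "Change")]

if __name__ == "__main__":
    for name, share in [("Everyone=Read", SHARE_2003_DEFAULT),
                        ("Everyone=Full Control", SHARE_OLD_DEFAULT),
                        ("Authenticated Users=Change", SHARE_SCOPED)]:
        print(f"{name:28} -> {effective(share, HOME_NTFS, ALICE)!r}")
    local = effective(SHARE_2003_DEFAULT, HOME_NTFS, ALICE, over_network=False)
    print(f"{'local logon':28} -> {local!r}")
```

With Everyone=Full Control on the share the result equals the NTFS grant, so the share layer adds nothing; with Change on the share the user keeps read/write but cannot alter permissions over the network.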
  9. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    > I do understand that Share permissions are there if I need them.
    > However, I just don't want them pre-set.

    Why ever would you transfer the discussion to "pre-set"?

    The question under discussion is do they have a use for
    some people some of the time -- the answer is clearly yes,
    as even you have convinced yourself and written once
    you thought it through.

    Are share permissions sometimes irrelevant? Of course.

    And you know they are there when (and if) you ever need
    them.
  10. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Hi,

    > Why ever would you transfer the discussion to "pre-set". The question
    > under discussion is do they have a use for some people some of the
    > time -- the answer is clearly yes, as even you have convinced yourself
    > and written once you thought it through.

    I am not saying Microsoft should do away with having Share
    Permissions. I agree, they are useful for others maybe more than
    myself. However, I am just saying they caused a lot less trouble when
    they weren’t defaulted to "read only" for everyone. When they were
    "everyone = full control" then they didn’t mess with access of
    administrators, users to their home folders etc.

    For example, I have 2500 Users. I create hundreds of shares for users
    home directories, applications that need shared directories, group
    shared directories. Now every time I create a share, I have to
    manually remember to go in and change the share permissions back to
    Full Control. As my NTFS permissions are inherited they are created
    automatically when the folder is created. If I forget the share
    permissions, then the application doesn’t work, etc., and I have to come
    in on my day off to reset the share permissions.

    Microsoft made such a big deal about "secure out of the box" with
    Windows 2003. I think that was a great idea, but in this one case they
    went a little overboard.

    Security is a good thing but not letting users access their own home
    directories or their profiles by default is just a little over the
    top.

    Cheers,

    Lara
