
Gradually migrate from Win2000 to Win2003 AD

Tags:
  • Migrate
  • Active Directory
  • Windows
Anonymous
December 27, 2004 11:07:47 AM

Archived from groups: microsoft.public.win2000.active_directory

I have 10 domain controllers to be migrated to Win2003 and little time to
migrate the whole thing.

If I raise the Forest to Win2003 and install two Win2003 (new hardware) DCs
and transfer the roles of PDC emulator and all other FSMO roles to the new
Win2003 servers, do you see any problem reinstalling Win2003 gradually on
each of the remaining DCs? (DCs are also GCs on remote sites)
I already migrated to Exch2003.

I have SMS2.0SP5
Macintosh clients 7+
Win2000/XP
Win2003 DNS Servers


Anonymous
December 27, 2004 3:21:48 PM


"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:e2XBu3C7EHA.2016@TK2MSFTNGP15.phx.gbl...
> I have 10 domain controllers to be migrated to Win2003 and little time to
> migrate the whole thing.
>
> If I raise the Forest to Win2003 and install two Win2003 (new hardware)
DC's
> and transfer the roles of PDC emulator and all other FSMO roles to the new
> Win2003 servers, do you see any problem reinstalling Win2003 gradually on
> each of the remaining DCs's ?(DCs are also GC on remote sites)
> I already migrated to Exch2003.

You cannot raise a Domain level to "Win2003 Server mode"
until ALL DCs in domain run Win2003.

You cannot raise the Forest level to "Win2003 Forest Functional
Level" until ALL DOMAINS are at "Win2003 Server Mode",
and thus until all DCs in Forest are running Win2003.

If by "raise the Forest to Win2003" you mean run Forest
and Domain prep to allow Win2003 DCs then that is fine
but it does not change the domain mode or forest functional
level.

Usually the term "raise" is reserved for these features.

> I have SMS2.0SP5
> Macintosh clients 7+
> Win2000/XP
> Win2003 DNS Servers

This is almost totally a DC issue.

--
Herb Martin

Anonymous
December 30, 2004 4:58:43 PM


Hi,

> You cannot raise a Domain level to "Win2003 Server mode"
> until ALL DCs in domain run Win2003.
>
> You cannot raise the Forest level to "Win2003 Forest Functional
> Level" until ALL DOMAINS are at "Win2003 Server Mode",
> and thus until all DCs in Forest are running Win2003.
>

I just returned from a year off on Maternity leave. My replacement
upgraded both my domains from Windows 2000 to Windows 2003 in one day
basically running the install off the CD. Things went really smoothly
and there were no issues. I felt no need to do a completely new
install of 2003 because of how similar it was to 2000 (unlike with
NT).

However, as I have only played with 2003 for a few months I wasn't
aware of the Windows 2003 server mode. What is the advantage of this?
I have all Windows 2003 DCs now and was running in native mode before
the upgrade.

Cheers,

Lara

--
http://www.WindowsForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.WindowsForumz.com/Active-Directory-Gradually...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.WindowsForumz.com/eform.php?p=740977
Anonymous
December 30, 2004 5:41:02 PM


> However, as I have only played with 2003 for a few months I wasn't
> aware of the Windows 2003 server mode? What is the advantage of this?
> I have all Windows 2003 DC's now and was running in native mode before
> the upgrade.

There were only two modes for Domains (and none
for Forests) in Win2000.

Win2003 adds several; there are now 4 modes for
domains and 3 "functional levels" for forests -- many
people use the term "functional mode" for both forests
and domains but I prefer to keep the distinct terms for
clarity.

Domain modes:
1) Mixed mode -- the default (available in Win2000)
2) Native mode -- requires all Win2000+ DCs, i.e., no BDCs
(available in Win2000)
3) Interim (new to Win2003) allows BDCs but no Win2000
4) Win2003 Server mode (Win2003 DCs ONLY)
(this has also been called Win2003 Native mode at times)

Forest functional levels:

1) Windows 2000 FFL (roughly equivalent to Mixed
mode at the domain level)
2) Win2003 Interim FFL (mostly improves replication
behavior since no Win2000 DCs are/can be involved.)
3) Windows 2003 -- enables things like Forest level trusts
and domain rename (since the entire forest is now Win2003
DCs and will not be confused by such changes.)
Also "Defuncting" (yes, it's a verb) of Schema object additions

There are various improvements but the simplest way
to understand the difference between Native and Mixed
(available even in Win2000) is that anything that would
confuse an NT-BDC is not allowed.

Note that Native mode is practically a DC issue and has
NO direct effect on legacy clients. Some improvements
include (not a full list): Group nesting and Universal
groups, improved support for migrating users INTO the
domain, dropping of the SAM (and any practical limits
on domain size) by the PDC-emulator (which is STILL
needed), improvements to RRAS for users (Policy grant
and deny of access, IP assignment etc.), most group type
conversions.

The main improvements for Win2003 Server DOMAIN mode
are Domain controller rename, InetOrgPerson password
(can be used in place of User account object), and the
updating of the last logon time -- really though for most
people, the real reason for Win2003 mode at the domain
is that all domains must be here to reach Win2003 FFL
on the Forest.


<http://www.microsoft.com/resources/documentation/Window...>

--
Herb Martin
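A worked check for the two points in this thread: Marlon's plan to move the FSMO roles to the new 2003 DCs and rebuild the remaining DCs one at a time, and Herb's rule that a domain or forest level cannot be raised until every DC meets it. This is an added example, not code from the thread or from either poster. It assumes the RSAT ActiveDirectory PowerShell module (2008 R2 and later tooling, which did not exist in 2004; the same facts were read then from AD Domains and Trusts and ntdsutil) and it trusts the OperatingSystemVersion attribute AD records for each DC rather than querying the DCs themselves. Target levels beyond Windows2003Forest are a generalization past the thread's case.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
# Run from a domain-joined admin workstation with rights to read every domain.
param([string]$TargetLevel = 'Windows2003Forest')   # enum name as shown by ForestMode

Import-Module ActiveDirectory

# Minimum OS version (as recorded in each DC's OperatingSystemVersion attribute)
# that every DC in the forest must meet before the level can be raised.
$MinVersion = @{
    'Windows2003Forest'   = [version]'5.2'
    'Windows2008Forest'   = [version]'6.0'
    'Windows2008R2Forest' = [version]'6.1'
    'Windows2012Forest'   = [version]'6.2'
    'Windows2012R2Forest' = [version]'6.3'
    'Windows2016Forest'   = [version]'10.0'
}
if (-not $MinVersion.ContainsKey($TargetLevel)) { throw "Unknown target level $TargetLevel" }
$needed = $MinVersion[$TargetLevel]

$forest = Get-ADForest

# Every DC in every domain of the forest. -Server points the query at a DC of that
# domain; OperatingSystemVersion looks like "5.2 (3790)" for Windows Server 2003.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object Name, Domain, Site, IsGlobalCatalog, OperatingSystem,
            OperationMasterRoles,
            @{ n = 'OsVersion'; e = { [version]($_.OperatingSystemVersion -replace ' .*$', '') } }
}

"Forest functional level now: $($forest.ForestMode)"
foreach ($domain in $forest.Domains) {
    "Domain functional level ($domain): $((Get-ADDomain -Identity $domain).DomainMode)"
}

# Herb's rule: the level cannot go up while any DC (in any domain, for the forest
# level) still runs an older OS. List the blockers. GC status is shown because the
# thread's remote-site DCs are also GCs and must be replaced, not simply removed.
$blocking = @($dcs | Where-Object { $_.OsVersion -lt $needed })
if ($blocking.Count -gt 0) {
    "`nCannot raise to $TargetLevel until these DCs are upgraded or demoted:"
    $blocking | Format-Table Name, Domain, Site, OperatingSystem, IsGlobalCatalog -AutoSize
} else {
    "`nAll $(@($dcs).Count) DCs meet the $TargetLevel requirement."
}

# FSMO holders: the question moves all five roles to the new 2003 DCs first, so
# confirm no role is still sitting on a DC that is about to be rebuilt.
"`nOperations master (FSMO) role holders:"
$dcs | Where-Object { $_.OperationMasterRoles } |
    Select-Object Name, Domain, @{ n = 'Roles'; e = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize
```

One caveat worth running this before the click: in the Windows Server 2003 era a functional level raise is one-way (there is no supported way to lower it again; later versions allow it only under limited conditions), so any DC the report lists as blocking has to be dealt with first, not after.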


"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41d44fe3$1_1@alt.athenanews.com...
> Hi,
>
> > You cannot raise a Domain level to "Win2003 Server mode"
> > until ALL DCs in domain run Win2003.
> >
> > You cannot raise the Forest level to "Win2003 Forest Functional
> > Level" until ALL DOMAINS are at "Win2003 Server Mode",
> > and thus until all DCs in Forest are running Win2003.
> >
>
> I just returned from a year off on Maternity leave. My replacement
> upgraded both my domains from windows 2000 to windows 2003 in one day
> basically running the install off the CD. Things went really smootly
> and there were no issues. I felt no need to do a completely new
> install of 2003 because of how similar it was to 2000 (unlike with
> NT).
>
> However, as I have only played with 2003 for a few months I wasn't
> aware of the Windows 2003 server mode? What is the advantage of this?
> I have all Windows 2003 DC's now and was running in native mode before
> the upgrade.
>
> Cheers,
>
> Lara
>
> --
> http://www.WindowsForumz.com/ This article was posted by author's request
> Articles individually checked for conformance to usenet standards
> Topic URL:
http://www.WindowsForumz.com/Active-Directory-Gradually...
> Visit Topic URL to contact author (reg. req'd). Report abuse:
http://www.WindowsForumz.com/eform.php?p=740977
Anonymous
December 31, 2004 12:39:51 AM


"Herb Martin" wrote:
> > However, as I have only played with 2003 for a few months I
> wasn't
> > aware of the Windows 2003 server mode? What is the advantage
> of this?
> > I have all Windows 2003 DC's now and was running in native
> mode before
> > the upgrade.
>
> There were only two modes for Domains (and none
> for Forests) in Win2000.
>
> Win2003 adds several; there are now 4 modes for
> domains and 3 "functional levals" for forests -- many
> people use the term "functional mode" for both forests
> and domains but I prefer to keep the distinct terms for
> clarity.
>
> Domain modes:
> 1) Mixed mode -- the default (available in Win2000)
> 2) Native mode -requires all Win2000+ DCs, i.e., no BDCs
> (available in Win2000
> 3) Interrim (new to Win2003) allows BDCs but no Win2000
> 4) Win2003 Server mode (Win2003 DCs ONLY)
> (this has also been called Win2003 Native mode at
> times)
>
> Forest functional levels:
>
> 1) Windows 2000 FFL (roughly equivalent to Mixed
> mode at the domain level)
> 2) Win2003 Interrim FFL (mostly improves replication
> behavior since no Win2000 DCs are/can be involved.
> 3) Windows 2003 -- enables things like Forest level trusts
> and domain rename (since the entire forest is now
> Win2003
> DC and will not be confused by such changes.)
> Also "Defunting" (yes, it's a verb) of Schema object
> additions
>
> There are various improvements but the simplest way
> to understand the difference between Native and Mixed
> (available even in Win2000) is that anything that would
> confuse an NT-BDC is not allowed.
>
> Note that Native mode is pratically a DC issue and has
> NO direct effect on legacy clients. Some improvements
> include (not a full list): Group nesting and Universal
> groups, improved support for migrating users INTO the
> domain, dropping of the SAM (and any practically limits
> on domain size) by the PDC-emulator (which is STILL
> needed), improvements to RRAS for users (Policy grant
> and deny of access, IP assignment etc.), most group type
> conversions,
>
> The main improvements for Win2003 Server DOMAIN mode
> are Domain controller rename, InetOrgPerson password
> (can be used in place of User account object), and the
> updating of the last logon time -- really though for most
> people, the real reason for Win2003 mode at the domain
> is that all domains must be here to reach Win2003 FFL
> on the Forest.
>
>
> <
> http://www.microsoft.com/resources/documentation/Window...
> >
>
> --
> Herb Martin
>
>
> "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> news:41d44fe3$1_1@alt.athenanews.com...
> > Hi,
> >
>  > > You cannot raise a Domain level to "Win2003 Server
> mode"
>  > > until ALL DCs in domain run Win2003.
>  > >
>  > > You cannot raise the Forest level to "Win2003
> Forest Functional
>  > > Level" until ALL DOMAINS are at "Win2003 Server
> Mode",
>  > > and thus until all DCs in Forest are running
> Win2003.
>  > >
> >
> > I just returned from a year off on Maternity leave. My
> replacement
> > upgraded both my domains from windows 2000 to windows 2003
> in one day
> > basically running the install off the CD. Things went really
> smootly
> > and there were no issues. I felt no need to do a completely
> new
> > install of 2003 because of how similar it was to 2000
> (unlike with
> > NT).
> >
> > However, as I have only played with 2003 for a few months I
> wasn't
> > aware of the Windows 2003 server mode? What is the advantage
> of this?
> > I have all Windows 2003 DC's now and was running in native
> mode before
> > the upgrade.
> >
> > Cheers,
> >
> > Lara
> >
> > --
> > http://www.WindowsForumz.com/ This article was posted by author's request
> > Articles individually checked for conformance to usenet
> standards
> > Topic URL:
> http://www.WindowsForumz.com/Active-Directory-Gradually...
> > Visit Topic URL to contact author (reg. req'd). Report
> abuse:
> http://www.WindowsForumz.com/eform.php?p=740977

Hi,

Thanks. I understand the different modes in Windows 2000 and the
benefit of going to native mode in W2k. For me it was the RRAS access
in Group Policy.

I didn't know you had to be in the Windows 2003 Server mode to rename
a DC. Also I didn't know you could rename a domain in 2003. That is
a definite improvement I have been pushing for. Now if only they would
allow you to merge two pre-existing Forests/Trees/Domains into one
Forest. That is the next step. They should have done this with 2003 in
my opinion. There are too many cases where two companies merge and
don't want to have to dissolve one domain.

Cheers,

Lara
Anonymous
December 31, 2004 12:39:52 AM


> Thanks. I understand the different modes in Windows 2000 and the
> benefit of going to native mode in W2k. For me it was the RRAS access
> in Group Policy.

Yes. I was pretty sure you knew about Win2000 Server
mode but it is much easier to discuss the other modes and
FFL if you start with those changes and build it incrementally.

Most people make the mistake of trying to understand this
stuff en masse.

> I didn't know you had to be in the Windows 2003 Server mode to rename
> a dc.

It is greyed out in all Win2000 modes.

> Also I didn't know you could rename a domain in 2003. That is
> a definite improvement I have been pushing for.

There are some limitations so before you depend on it
you need to investigate more deeply.

> Now if only they would
> allow you to merge to pre-existing Forest/Tree/Domains into one
> Forest. That is the next step. They should have done this with 2003 in
> my opinion. There are too many cases where two companies merge and
> don't want to have to disolve one domain.

This is approximated by Forest level trusts. While
there is still no true "prune and graft" of domains or
Forests, the Forest level trust allows for a single
trust between the two forests to be transitive to all
domains within those forests (one-way or two-way
as an option.)

Although the documentation says that Forest trusts
are transitive, they are in fact only SEMI-transitive,
i.e., a single trust creates an effective trust between
all domains in two forests but if a third forest is
involved the transitivity does not propagate across
FORESTS -- to the next forest.

--
Herb Martin
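The trust enumeration that goes with Herb's "semi-transitive" remark, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory module and reads the trust objects of whichever domain you point it at; the function name Get-TrustReport and the default of $env:USERDNSDOMAIN are this example's own choices.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TrustReport {
    # One row per trust object in the domain you point it at, with the attributes
    # that decide what the trust actually grants.
    param([string]$Server = $env:USERDNSDOMAIN)

    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Source           = $_.Source
            Target           = $_.Target
            Direction        = $_.Direction               # Inbound, Outbound, BiDirectional
            TrustType        = $_.TrustType
            IntraForest      = $_.IntraForest             # parent/child, tree-root, shortcut
            ForestTransitive = $_.ForestTransitive        # $true = a forest trust
            SelectiveAuth    = $_.SelectiveAuthentication # $false = forest-wide authentication
            SidFilterQuar    = $_.SIDFilteringQuarantined # reported as stored, not interpreted
            SidFilterForest  = $_.SIDFilteringForestAware
        }
    }
}

$trusts = Get-TrustReport
$trusts | Format-Table -AutoSize

# Herb's point: a forest trust is transitive across the domains of the two forests
# it joins and no further. AD holds no trust object for A<->C when only A<->B and
# B<->C exist, so the forests reachable from here are exactly the ones listed.
$peerForests = $trusts |
    Where-Object { $_.ForestTransitive -and -not $_.IntraForest } |
    Select-Object -ExpandProperty Target
"Forests this forest trusts directly: $($peerForests -join ', ')"
"Anything those forests trust in turn is NOT reachable through them; create that trust explicitly if you need it."

# Caveat a practitioner wants before treating a forest trust as a "merge": with
# forest-wide authentication (the default), users of the trusted forest can
# authenticate to any computer in the trusting forest and carry the Authenticated
# Users SID there. Selective authentication scopes that per resource.
$trusts | Where-Object { $_.ForestTransitive -and -not $_.SelectiveAuth } | ForEach-Object {
    "NOTE: forest trust with $($_.Target) uses forest-wide authentication"
}
```

Run it once from each forest; a trust that is two-way in one forest's view shows the mirror-image Direction from the other side, and only pairs that appear in both reports are real.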
"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41d4bbf7$1_3@alt.athenanews.com...
> "Herb Martin" wrote:
> > > However, as I have only played with 2003 for a few months I
> > wasn't
> > > aware of the Windows 2003 server mode? What is the advantage
> > of this?
> > > I have all Windows 2003 DC's now and was running in native
> > mode before
> > > the upgrade.
> >
> > There were only two modes for Domains (and none
> > for Forests) in Win2000.
> >
> > Win2003 adds several; there are now 4 modes for
> > domains and 3 "functional levals" for forests -- many
> > people use the term "functional mode" for both forests
> > and domains but I prefer to keep the distinct terms for
> > clarity.
> >
> > Domain modes:
> > 1) Mixed mode -- the default (available in Win2000)
> > 2) Native mode -requires all Win2000+ DCs, i.e., no BDCs
> > (available in Win2000
> > 3) Interrim (new to Win2003) allows BDCs but no Win2000
> > 4) Win2003 Server mode (Win2003 DCs ONLY)
> > (this has also been called Win2003 Native mode at
> > times)
> >
> > Forest functional levels:
> >
> > 1) Windows 2000 FFL (roughly equivalent to Mixed
> > mode at the domain level)
> > 2) Win2003 Interrim FFL (mostly improves replication
> > behavior since no Win2000 DCs are/can be involved.
> > 3) Windows 2003 -- enables things like Forest level trusts
> > and domain rename (since the entire forest is now
> > Win2003
> > DC and will not be confused by such changes.)
> > Also "Defunting" (yes, it's a verb) of Schema object
> > additions
> >
> > There are various improvements but the simplest way
> > to understand the difference between Native and Mixed
> > (available even in Win2000) is that anything that would
> > confuse an NT-BDC is not allowed.
> >
> > Note that Native mode is pratically a DC issue and has
> > NO direct effect on legacy clients. Some improvements
> > include (not a full list): Group nesting and Universal
> > groups, improved support for migrating users INTO the
> > domain, dropping of the SAM (and any practically limits
> > on domain size) by the PDC-emulator (which is STILL
> > needed), improvements to RRAS for users (Policy grant
> > and deny of access, IP assignment etc.), most group type
> > conversions,
> >
> > The main improvements for Win2003 Server DOMAIN mode
> > are Domain controller rename, InetOrgPerson password
> > (can be used in place of User account object), and the
> > updating of the last logon time -- really though for most
> > people, the real reason for Win2003 mode at the domain
> > is that all domains must be here to reach Win2003 FFL
> > on the Forest.
> >
> >
> > <
> >
http://www.microsoft.com/resources/documentation/Window...
> > >
> >
> > --
> > Herb Martin
> >
> >
> > "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> > news:41d44fe3$1_1@alt.athenanews.com...
> > > Hi,
> > >
> >  > > You cannot raise a Domain level to "Win2003 Server
> > mode"
> >  > > until ALL DCs in domain run Win2003.
> >  > >
> >  > > You cannot raise the Forest level to "Win2003
> > Forest Functional
> >  > > Level" until ALL DOMAINS are at "Win2003 Server
> > Mode",
> >  > > and thus until all DCs in Forest are running
> > Win2003.
> >  > >
> > >
> > > I just returned from a year off on Maternity leave. My
> > replacement
> > > upgraded both my domains from windows 2000 to windows 2003
> > in one day
> > > basically running the install off the CD. Things went really
> > smootly
> > > and there were no issues. I felt no need to do a completely
> > new
> > > install of 2003 because of how similar it was to 2000
> > (unlike with
> > > NT).
> > >
> > > However, as I have only played with 2003 for a few months I
> > wasn't
> > > aware of the Windows 2003 server mode? What is the advantage
> > of this?
> > > I have all Windows 2003 DC's now and was running in native
> > mode before
> > > the upgrade.
> > >
> > > Cheers,
> > >
> > > Lara
> > >
> > > --
> > > http://www.WindowsForumz.com/ This article was posted by author's
request
> > > Articles individually checked for conformance to usenet
> > standards
> > > Topic URL:
> >
http://www.WindowsForumz.com/Active-Directory-Gradually...
> > > Visit Topic URL to contact author (reg. req'd). Report
> > abuse:
> > http://www.WindowsForumz.com/eform.php?p=740977
>
> Hi,
>
> Thanks. I understand the different modes in Windows 2000 and the
> benefit of going to native mode in W2k. For me it was the RRAS access
> in Group Policy.
>
> I didn't know you had to be in the Windows 2003 Server mode to rename
> a dc. Also I didn't know you could rename a domain in 2003. That is
> a definite improvement I have been pushing for. Now if only they would
> allow you to merge to pre-existing Forest/Tree/Domains into one
> Forest. That is the next step. They should have done this with 2003 in
> my opinion. There are too many cases where two companies merge and
> don't want to have to disolve one domain.
>
> Cheers,
>
> Lara
Anonymous
December 31, 2004 8:24:56 PM


"Herb Martin" wrote:
> > Thanks. I understand the different modes in Windows 2000 and
> the
> > benefit of going to native mode in W2k. For me it was the
> RRAS access
> > in Group Policy.
>
> Yes. I was pretty sure you knew about Win2000 Server
> mode but it is much easy to discuss the other modes and
> FFL if you start with those changes and build it
> incrementally.
>
> Most people make the mistake of trying to understand this
> stuff en masse.
>
> > I didn't know you had to be in the Windows 2003 Server mode
> to rename
> > a dc.
>
> It is greyed out in all Win2000 modes.
>
> > Also I didn't know you could rename a domain in 2003. That
> is
> > a definite improvement I have been pushing for.
>
> There are some limitations so before you depend on it
> you need to investigate more deeply.
>
> > Now if only they would
> > allow you to merge to pre-existing Forest/Tree/Domains into
> one
> > Forest. That is the next step. They should have done this
> with 2003 in
> > my opinion. There are too many cases where two companies
> merge and
> > don't want to have to disolve one domain.
>
> This is approximated by Forest level trusts. While
> there is still no true "prune and graft" of domains or
> Forests, the Forest level trust allows for a single
> trust between the two forests to be transitive to all
> domains within those forests (one-way or two-way
> as an option.)
>
> Although the documentation says that Forest trusts
> are transitive, they are in fact only SEMI-transitive,
> i.e., a single trust creates an effective trust between
> all domains in two forests but if a third forest is
> involved the transitivity does not propagate across
> FORESTS -- to the next forest.
>
> --
> Herb Martin
> "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> news:41d4bbf7$1_3@alt.athenanews.com...
> > "Herb Martin" wrote:
>   > > > However, as I have only played with 2003
> for a few months I
>  > > wasn't
>   > > > aware of the Windows 2003 server mode? What
> is the advantage
>  > > of this?
>   > > > I have all Windows 2003 DC's now and was
> running in native
>  > > mode before
>   > > > the upgrade.
>  > >
>  > > There were only two modes for Domains (and none
>  > > for Forests) in Win2000.
>  > >
>  > > Win2003 adds several; there are now 4 modes for
>  > > domains and 3 "functional levals" for forests --
> many
>  > > people use the term "functional mode" for both
> forests
>  > > and domains but I prefer to keep the distinct terms
> for
>  > > clarity.
>  > >
>  > > Domain modes:
>  > > 1) Mixed mode -- the default (available in
> Win2000)
>  > > 2) Native mode -requires all Win2000+ DCs,
> i.e., no BDCs
>  > > (available in Win2000
>  > > 3) Interrim (new to Win2003) allows BDCs but no
> Win2000
>  > > 4) Win2003 Server mode (Win2003 DCs ONLY)
>  > > (this has also been called Win2003
> Native mode at
>  > > times)
>  > >
>  > > Forest functional levels:
>  > >
>  > > 1) Windows 2000 FFL (roughly equivalent to
> Mixed
>  > > mode at the domain level)
>  > > 2) Win2003 Interrim FFL (mostly improves
> replication
>  > > behavior since no Win2000 DCs are/can
> be involved.
>  > > 3) Windows 2003 -- enables things like Forest
> level trusts
>  > > and domain rename (since the entire forest
> is now
>  > > Win2003
>  > > DC and will not be confused by such
> changes.)
>  > > Also "Defunting" (yes, it's a verb) of
> Schema object
>  > > additions
>  > >
>  > > There are various improvements but the simplest way
>  > > to understand the difference between Native and
> Mixed
>  > > (available even in Win2000) is that anything that
> would
>  > > confuse an NT-BDC is not allowed.
>  > >
>  > > Note that Native mode is pratically a DC issue and
> has
>  > > NO direct effect on legacy clients. Some
> improvements
>  > > include (not a full list): Group nesting and
> Universal
>  > > groups, improved support for migrating users INTO
> the
>  > > domain, dropping of the SAM (and any practically
> limits
>  > > on domain size) by the PDC-emulator (which is STILL
>  > > needed), improvements to RRAS for users (Policy
> grant
>  > > and deny of access, IP assignment etc.), most group
> type
>  > > conversions,
>  > >
>  > > The main improvements for Win2003 Server DOMAIN
> mode
>  > > are Domain controller rename, InetOrgPerson
> password
>  > > (can be used in place of User account object), and
> the
>  > > updating of the last logon time -- really though
> for most
>  > > people, the real reason for Win2003 mode at the
> domain
>  > > is that all domains must be here to reach Win2003
> FFL
>  > > on the Forest.
>  > >
>  > >
>  > > <
>  > >
> http://www.microsoft.com/resources/documentation/Window...
>   > > >
>  > >
>  > > --
>  > > Herb Martin
>  > >
>  > >
>  > > "lforbes" <UseLinkToEmail@WindowsForumz.com>
> wrote in message
>  > > news:41d44fe3$1_1@alt.athenanews.com...
>   > > > Hi,
>   > > >
>  > >  > > You cannot raise a Domain level to
> "Win2003 Server
>  > > mode"
>  > >  > > until ALL DCs in domain run
> Win2003.
>  > >  > >
>  > >  > > You cannot raise the Forest level
> to "Win2003
>  > > Forest Functional
>  > >  > > Level" until ALL DOMAINS are at
> "Win2003 Server
>  > > Mode",
>  > >  > > and thus until all DCs in Forest
> are running
>  > > Win2003.
>  > >  > >
>   > > >
>   > > > I just returned from a year off on
> Maternity leave. My
>  > > replacement
>   > > > upgraded both my domains from windows 2000
> to windows 2003
>  > > in one day
>   > > > basically running the install off the CD.
> Things went really
>  > > smootly
>   > > > and there were no issues. I felt no need to
> do a completely
>  > > new
>   > > > install of 2003 because of how similar it
> was to 2000
>  > > (unlike with
>   > > > NT).
>   > > >
>   > > > However, as I have only played with 2003
> for a few months I
>  > > wasn't
>   > > > aware of the Windows 2003 server mode? What
> is the advantage
>  > > of this?
>   > > > I have all Windows 2003 DC's now and was
> running in native
>  > > mode before
>   > > > the upgrade.
>   > > >
>   > > > Cheers,
>   > > >
>   > > > Lara
>   > > >
>   > > > --
>   > > > http://www.WindowsForumz.com/ This article
> was posted by author's
> request
>   > > > Articles individually checked for
> conformance to usenet
>  > > standards
>   > > > Topic URL:
>  > >
> http://www.WindowsForumz.com/Active-Directory-Gradually...
>   > > > Visit Topic URL to contact author (reg.
> req'd). Report
>  > > abuse:
>  > > http://www.WindowsForumz.com/eform.php?p=740977
> >
> > Hi,
> >
> > Thanks. I understand the different modes in Windows 2000 and
> the
> > benefit of going to native mode in W2k. For me it was the
> RRAS access
> > in Group Policy.
> >
> > I didn't know you had to be in the Windows 2003 Server mode
> to rename
> > a dc. Also I didn't know you could rename a domain in 2003.
> That is
> > a definite improvement I have been pushing for. Now if only
> they would
> > allow you to merge to pre-existing Forest/Tree/Domains into
> one
> > Forest. That is the next step. They should have done this
> with 2003 in
> > my opinion. There are too many cases where two companies
> merge and
> > don't want to have to disolve one domain.
> >
> > Cheers,
> >
> > Lara

Hi,

Thanks for the info. Windows 2003 is quite new to me so I will have to
explore it further.

You wouldn't happen to know the registry key to change to make all
new shares Everyone=Full Control instead of Everyone=Read would you?
It is the one most annoying thing about Windows 2003 that I haven't
figured out how to change.

Who uses Share permissions in W2003, I don't know. Why bother when
NTFS is far more effective and adding share permissions only
complicates things. I have never had non-NT clients so I have never
seen the need to use share permissions.

Cheers,

Lara

Anonymous
December 31, 2004 10:01:11 PM


> Thanks for the info. Windows 2003 is quite new to me so I will have to
> explore it further.
>
> You wouldn't happend to know the registry key to change to make all
> new shares Everyone=Full Control instead of Everyone=Read would you?
> It is the One most annoying thing about Windows 2003 that I haven't
> figured out how to change.

No, I don't but were I to know that I might not tell <grin>
since it is such a bad idea.

Really, I try to get people to REMOVE all of the Everyone
references and substitute (at worst) Authenticated Users, or
better the specific groups who should have access.

> Who uses Share permissions in W2003, I don't know. Why bother when
> NTFS is far more effective and adding share permissions only
> complicates things.

They both have their value. For one, if you know that
a group will never need more than read, you set the
share to READ for that group so that you cannot accidentally
grant too much through NTFS.

Defense in depth.

You can also use CHANGE on the share to prevent
people from changing permissions on their own files
or to secure files on FAT, FAT32, etc.

> I have never had non-NT clients so I have never
> seen the need to use share permissions.

You may not need them in your situation, but those
that make blanket statements to never use them are
not thinking it through.

--
Herb Martin
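The audit and fix Herb is describing (find shares that grant to Everyone, replace that with Authenticated Users or a specific group, and keep the share level as the ceiling), as an added example that is not the thread's own code. It assumes the SmbShare module (Windows 8 / Server 2012 and later; on 2003 the same audit was done with `net share` and each share's Permissions tab). The function names Get-EveryoneShares and Repair-ShareAccess and the dry-run default are this example's choices.

```powershell
# Added example, not from the thread. Assumes the SmbShare module (2012+).
Import-Module SmbShare

function Get-EveryoneShares {
    # One row per share ACE granted to Everyone. Administrative shares
    # (ADMIN$, C$, IPC$ ...) are marked Special and are not user-managed, so skip them.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccountName -eq 'Everyone' }
    } | Select-Object Name, AccountName, AccessControlType, AccessRight
}

function Repair-ShareAccess {
    # Replace Everyone with Authenticated Users (or a named group) at the level you
    # choose. Read is the default: the share becomes the ceiling and NTFS does the
    # fine-grained work, which is Herb's defense-in-depth argument.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Principal = 'NT AUTHORITY\Authenticated Users',
        [ValidateSet('Read', 'Change', 'Full')][string]$Access = 'Read',
        [switch]$Apply
    )
    if (-not $Apply) {
        "[dry run] $Name : revoke Everyone, grant $Principal $Access"
        return
    }
    # Grant first, then revoke, so the share is never left with no ACE at all.
    Grant-SmbShareAccess  -Name $Name -AccountName $Principal -AccessRight $Access -Force | Out-Null
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force | Out-Null
    Get-SmbShareAccess -Name $Name
}

$hits = Get-EveryoneShares
if ($hits) {
    $hits | Format-Table -AutoSize
    $hits | Select-Object -ExpandProperty Name -Unique |
        ForEach-Object { Repair-ShareAccess -Name $_ }   # add -Apply to make the change
} else {
    'No user shares grant access to Everyone.'
}
```

The reason the share-level cap works as Herb says: for a remote user the effective right is the more restrictive of the share permission and the NTFS permission, so a share set to Read for a group holds even if someone later grants that group Modify on the folder.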


"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:41d5d1b8$1_4@alt.athenanews.com...
> "Herb Martin" wrote:
> > > Thanks. I understand the different modes in Windows 2000 and
> > the
> > > benefit of going to native mode in W2k. For me it was the
> > RRAS access
> > > in Group Policy.
> >
> > Yes. I was pretty sure you knew about Win2000 Server
> > mode but it is much easy to discuss the other modes and
> > FFL if you start with those changes and build it
> > incrementally.
> >
> > Most people make the mistake of trying to understand this
> > stuff en masse.
> >
> > > I didn't know you had to be in the Windows 2003 Server mode
> > to rename
> > > a dc.
> >
> > It is greyed out in all Win2000 modes.
> >
> > > Also I didn't know you could rename a domain in 2003. That
> > is
> > > a definite improvement I have been pushing for.
> >
> > There are some limitations so before you depend on it
> > you need to investigate more deeply.
> >
> > > Now if only they would
> > > allow you to merge to pre-existing Forest/Tree/Domains into
> > one
> > > Forest. That is the next step. They should have done this
> > with 2003 in
> > > my opinion. There are too many cases where two companies
> > merge and
> > > don't want to have to disolve one domain.
> >
> > This is approximated by Forest level trusts. While
> > there is still no true "prune and graft" of domains or
> > Forests, the Forest level trust allows for a single
> > trust between the two forests to be transitive to all
> > domains within those forests (one-way or two-way
> > as an option.)
> >
> > Although the documentation says that Forest trusts
> > are transitive, they are in fact only SEMI-transitive,
> > i.e., a single trust creates an effective trust between
> > all domains in two forests but if a third forest is
> > involved the transitivity does not propagate across
> > FORESTS -- to the next forest.
> >
> > --
> > Herb Martin
> > "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> > news:41d4bbf7$1_3@alt.athenanews.com...
> > > "Herb Martin" wrote:
> > > > > However, as I have only played with 2003 for a few months I wasn't
> > > > > aware of the Windows 2003 server mode? What is the advantage of this?
> > > > > I have all Windows 2003 DC's now and was running in native mode before
> > > > > the upgrade.
> > > >
> > > > There were only two modes for Domains (and none
> > > > for Forests) in Win2000.
> > > >
> > > > Win2003 adds several; there are now 4 modes for
> > > > domains and 3 "functional levels" for forests -- many
> > > > people use the term "functional mode" for both forests
> > > > and domains but I prefer to keep the distinct terms for
> > > > clarity.
> > > >
> > > > Domain modes:
> > > > 1) Mixed mode -- the default (available in Win2000)
> > > > 2) Native mode -- requires all Win2000+ DCs, i.e., no BDCs
> > > > (available in Win2000)
> > > > 3) Interim (new to Win2003) allows BDCs but no Win2000
> > > > 4) Win2003 Server mode (Win2003 DCs ONLY)
> > > > (this has also been called Win2003 Native mode at times)
> > > >
> > > > Forest functional levels:
> > > >
> > > > 1) Windows 2000 FFL (roughly equivalent to Mixed
> > > > mode at the domain level)
> > > > 2) Win2003 Interim FFL (mostly improves replication
> > > > behavior since no Win2000 DCs are/can be involved.)
> > > > 3) Windows 2003 -- enables things like Forest level trusts
> > > > and domain rename (since the entire forest is now Win2003
> > > > DC and will not be confused by such changes.)
> > > > Also "Defuncting" (yes, it's a verb) of Schema object
> > > > additions
> > > >
> > > > There are various improvements but the simplest way
> > > > to understand the difference between Native and Mixed
> > > > (available even in Win2000) is that anything that would
> > > > confuse an NT-BDC is not allowed.
> > > >
> > > > Note that Native mode is practically a DC issue and has
> > > > NO direct effect on legacy clients. Some improvements
> > > > include (not a full list): Group nesting and Universal
> > > > groups, improved support for migrating users INTO the
> > > > domain, dropping of the SAM (and any practical limits
> > > > on domain size) by the PDC-emulator (which is STILL
> > > > needed), improvements to RRAS for users (Policy grant
> > > > and deny of access, IP assignment etc.), most group type
> > > > conversions,
> > > >
> > > > The main improvements for Win2003 Server DOMAIN mode
> > > > are Domain controller rename, InetOrgPerson password
> > > > (can be used in place of User account object), and the
> > > > updating of the last logon time -- really though for most
> > > > people, the real reason for Win2003 mode at the domain
> > > > is that all domains must be here to reach Win2003 FFL
> > > > on the Forest.
> > > >
> > > >
> > > > <http://www.microsoft.com/resources/documentation/Window...>
> > > >
> > > > --
> > > > Herb Martin
> > > >
> > > >
> > > > "lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message
> > > > news:41d44fe3$1_1@alt.athenanews.com...
> > > > > Hi,
> > > > >
> > > > > > You cannot raise a Domain level to "Win2003 Server mode"
> > > > > > until ALL DCs in domain run Win2003.
> > > > > >
> > > > > > You cannot raise the Forest level to "Win2003 Forest Functional
> > > > > > Level" until ALL DOMAINS are at "Win2003 Server Mode",
> > > > > > and thus until all DCs in Forest are running Win2003.
> > > > > >
> > > > >
> > > > > I just returned from a year off on Maternity leave. My replacement
> > > > > upgraded both my domains from windows 2000 to windows 2003 in one day
> > > > > basically running the install off the CD. Things went really smoothly
> > > > > and there were no issues. I felt no need to do a completely new
> > > > > install of 2003 because of how similar it was to 2000 (unlike with
> > > > > NT).
> > > > >
> > > > > However, as I have only played with 2003 for a few months I wasn't
> > > > > aware of the Windows 2003 server mode? What is the advantage of this?
> > > > > I have all Windows 2003 DC's now and was running in native mode before
> > > > > the upgrade.
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Lara
> > > > >
> > > > > --
> > > > > http://www.WindowsForumz.com/ This article was posted by author's request
> > > > > Articles individually checked for conformance to usenet standards
> > > > > Topic URL: http://www.WindowsForumz.com/Active-Directory-Gradually...
> > > > > Visit Topic URL to contact author (reg. req'd). Report abuse:
> > > > > http://www.WindowsForumz.com/eform.php?p=740977
> > >
> > > Hi,
> > >
> > > Thanks. I understand the different modes in Windows 2000 and the
> > > benefit of going to native mode in W2k. For me it was the RRAS access
> > > in Group Policy.
> > >
> > > I didn't know you had to be in the Windows 2003 Server mode to rename
> > > a dc. Also I didn't know you could rename a domain in 2003. That is
> > > a definite improvement I have been pushing for. Now if only they would
> > > allow you to merge two pre-existing Forest/Tree/Domains into one
> > > Forest. That is the next step. They should have done this with 2003 in
> > > my opinion. There are too many cases where two companies merge and
> > > don't want to have to dissolve one domain.
> > >
> > > Cheers,
> > >
> > > Lara
>
> Hi,
>
> Thanks for the info. Windows 2003 is quite new to me so I will have to
> explore it further.
>
> You wouldn't happen to know the registry key to change to make all
> new shares Everyone=Full Control instead of Everyone=Read would you?
> It is the one most annoying thing about Windows 2003 that I haven't
> figured out how to change.
>
> Who uses Share permissions in W2003, I don't know. Why bother when
> NTFS is far more effective and adding share permissions only
> complicates things. I have never had non-NT clients so I have never
> seen the need to use share permissions.
>
> Cheers,
>
> Lara
>
> --
> http://www.WindowsForumz.com/ This article was posted by author's request
> Articles individually checked for conformance to usenet standards
> Topic URL: http://www.WindowsForumz.com/Active-Directory-Gradually...
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.WindowsForumz.com/eform.php?p=743379
Anonymous
January 1, 2005 5:34:11 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

> You may not need them in your situation, but those that make blanket
> statements to never use them are not thinking it through.

I do troubleshooting for a variety of different networks as well as
maintaining my own. Since Windows 2003 was released 90% of the
problems have been caused by this annoying "new" feature, and by
that new "Internet Explorer Security annoyance". I know in my case
it has caused me hours and hours of work that I really don’t have time
for.

I am of the opinion that Microsoft should not try to save people from
themselves. If you are a good admin you won’t ever need to use share
permissions as NTFS are far more powerful and far more useful. I have
1200 users per network in two different networks. No one has
write-access to anything that I don’t specifically allow them access
to. I have never "accidentally" set incorrect NTFS permissions.

The only time I had an issue was with the Default permissions
on an XP Pro drive. They "appear" to be Users=Read with no hint of
anything else. However when you click "advanced" you see users have
the right to create sub-folders and then full-control of those
subfolders and files. Took me a while to figure that one out and
unfortunately it was after I installed 300 new XP machines. Luckily the
scripted XCacls saved the day and I could set the correct permissions
via a startup script from the DC.

> You can also use CHANGE on the share to prevent people from changing
> permissions on their own files or to secure files on FAT, FAT32, etc.

Windows 2003 won’t install FAT/Fat32 =).

I do understand that Share permissions are there if I need them.
However, I just don’t want them pre-set.

Cheers,

Lara
Anonymous
January 1, 2005 5:50:27 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> I do understand that Share permissions are there if I need them.
> However, I just don't want them pre-set.

Why ever would you transfer the discussion to "pre-set"?

The question under discussion is do they have a use for
some people some of the time -- the answer is clearly yes,
as even you have convinced yourself and written once
you thought it through.

Are share permissions sometimes irrelevant? Of course.

And you know they are there when (and if) you ever need
them.
Anonymous
January 1, 2005 9:16:37 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

> Why ever would you transfer the discussion to "pre-set". The question
> under discussion is do they have a use for some people some of the
> time -- the answer is clearly yes, as even you have convinced yourself
> and written once you thought it through.

I am not saying Microsoft should do away with having Share
Permissions. I agree, they are useful for others maybe more than
myself. However, I am just saying they caused a lot less trouble when
they weren’t defaulted to "read only" for everyone. When they were
"everyone = full control" then they didn’t mess with access of
administrators, users to their home folders etc.

For example, I have 2500 Users. I create hundreds of shares for users'
home directories, applications that need shared directories, group
shared directories. Now every time I create a share, I have to
manually remember to go in and change the share permissions back to
Full Control. As my NTFS permissions are inherited they are created
automatically when the folder is created. If I forget the share
permissions, then the application doesn’t work, etc., and I have to come
in on my day off to reset the share permissions.

Microsoft made such a big deal about "secure out of the box" with
Windows 2003. I think that was a great idea, but in this one case they
went a little overboard.

Security is a good thing but not letting users access their own home
directories or their profiles by default is just a little over the
top.

Cheers,

Lara

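The share-versus-NTFS interaction that Lara and Herb are arguing about, as an added example in Python (not code from the thread): effective access over a share is the more restrictive of the share permission and the NTFS permission, so the Win2003 default share of Everyone=Read caps a home folder that NTFS grants in full. The account names, ACLs and the reduction of rights to the three share levels are constructed simplifications.

```python
"""Simplified model of effective access over a Windows file share.

Constructed example: rights are reduced to the share permission levels
READ, CHANGE and FULL; NTFS ACEs use the same levels plus explicit DENY
entries, which override any allow.  Effective access over the share is the
intersection (the lesser) of the share grant and the NTFS grant.
"""
from dataclasses import dataclass

# Rank of each level: a higher level includes the lower ones.
LEVELS = {"NONE": 0, "READ": 1, "CHANGE": 2, "FULL": 3}

@dataclass
class Ace:
    trustee: str        # user or group name the entry applies to
    level: str          # READ / CHANGE / FULL
    deny: bool = False  # explicit deny entry

def granted(aces, principals):
    """Highest allowed level for any of the caller's principals, or NONE.
    An explicit DENY matching any principal overrides every allow."""
    if any(a.deny and a.trustee in principals for a in aces):
        return "NONE"
    best = "NONE"
    for a in aces:
        if a.trustee in principals and LEVELS[a.level] > LEVELS[best]:
            best = a.level
    return best

def effective_access(share_aces, ntfs_aces, principals):
    """Effective level over the share: the lesser of share and NTFS grants.
    ntfs_aces=None models a FAT/FAT32 volume, where only the share applies."""
    share = granted(share_aces, principals)
    if ntfs_aces is None:
        return share
    ntfs = granted(ntfs_aces, principals)
    return share if LEVELS[share] < LEVELS[ntfs] else ntfs

# Constructed sample: a user's home-directory share with an inherited NTFS ACL.
LARA = {"DOMAIN\\lara", "Everyone", "Users"}   # constructed principal set
HOME_NTFS = [Ace("DOMAIN\\lara", "FULL"), Ace("Domain Admins", "FULL")]
SHARE_WIN2000_DEFAULT = [Ace("Everyone", "FULL")]   # pre-2003 default
SHARE_WIN2003_DEFAULT = [Ace("Everyone", "READ")]   # Windows 2003 default

if __name__ == "__main__":
    print(effective_access(SHARE_WIN2000_DEFAULT, HOME_NTFS, LARA))  # FULL
    print(effective_access(SHARE_WIN2003_DEFAULT, HOME_NTFS, LARA))  # READ
    # Herb's case: no NTFS ACL on FAT, so CHANGE on the share is the
    # only control left on what users may alter.
    print(effective_access([Ace("Users", "CHANGE")], None, LARA))    # CHANGE
```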