Permissions compatible with pre-Windows2000 servers

Guest

Archived from groups: microsoft.public.win2000.setup_upgrade

We just migrated an NT4 domain (15 servers/200 clients) to Win2003 AD. It
went smoothly except for one dialogue box that spooked us into choosing

"Permissions compatible with pre-Windows 2000 servers".
"Select this option if you run server programs on pre-
Windows 2000 servers or on Windows 2000 Servers that are
members of pre-Windows 2000 domains."

Our SQL7 servers (e.g. "server programs") run on NT4 member servers; as a
result, with SQL being critical to our business, we chickened out and kept
the pre-Win2000 perms and also decided to avoid raising the Windows domain
functional level to native mode.

I realize that pre-Win2000 compatible perms refers to allowing the Everyone
group into the Pre-Windows 2000 Compatible Access group; I always thought
this mattered mainly for NT RAS servers but taking this dialogue literally, I
don't want something with SQL7 running on NT member servers to break and then
have only myself to blame for not having heeded this message. In case anyone
suggests that only DCs are involved with going native, I would say "yes, I
think this too" but when Microsoft presents such a message, I'd better have
some valid justification for not taking it very literally.

We want to strengthen the perms and then go native for a variety of good
reasons but does Microsoft mean that SQL7 might be broken if we use it on NT4
member servers in an AD domain? It is literally an "application" running on
NT4 which is a "pre-Windows2000 server". This MS statement seems to suggest
I should first upgrade the OS on which SQL7 runs from NT to 2000/2003 before
proceeding with any more domain work; we intend to upgrade SQL to 2000 or
2005 (we already purchased the licensing for this) but this will have to be
an implementation for another time.

Is there any danger in going with the post WinNT perms and then shifting the
domain to native mode or are we being overly cautious? I am sure we are
being too cautious but would someone please tell me why? We would also
appreciate hearing of anyone who runs SQL7/NT4 servers under a Win2000 or
Win2003 AD without the compatibility permissions and possibly in a native
mode domain.

Please forgive the length of my post and I thank you in advance.
 
Guest

In my opinion increasing the Domain Functional level and the Forest
Functional level will not harm your NT4 member server with SQL on it.
Changing the functional levels only impacts the type of DCs (NT4, W2K,
W2K3) in the domain.
See:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5084a49d-20bd-43f0-815d-88052c9e2d46.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/83347346-54d4-4963-8a4a-370a127fb375.mspx

Concerning the "Pre-Windows 2000 Compatible Access" Group....
Several old apps and/or services need anonymous access (NULL sessions)
to the domain.

The membership of the "Pre-Windows 2000 Compatible Access" group can
be changed any time you want through the GUI or the CLI
http://support.microsoft.com/?id=257988
http://support.microsoft.com/?id=325363

Everyone and Anonymous are needed in the "Pre-Windows 2000 Compatible
Access" group if:
* apps/services on an NT4 server in a W2K3 AD domain are configured
with the LocalSystem account
* apps/services on an NT4 server or W2K server or W2K3 server in
another AD domain/forest that has an external trust with the W2K3
domain
* apps/services on a W2K3 server in another AD domain/forest that has
an external trust with the W2K3 domain that is set to domain
functional level Windows 2000 mixed

Examples of applications that need anonymous access are SQL 6, NT4
RRAS. For this see:
* http://support.microsoft.com/?id=240855
* http://support.microsoft.com/?id=257942
* http://support.microsoft.com/?id=322981

Consequences of adding Everyone and Anonymous to the "Pre-Windows
2000 Compatible Access" group are:
* members of hidden distribution lists are still visible
(http://support.microsoft.com/?id=812841)
* Anonymous access to the domain is available

You can also configure auditing to see if an app/service uses
anonymous access:
* Open ADSI Editor (from CLI: ADSIEDIT.MSC)
* Connect to the domain NC
* Browse to DN: CN=SERVER,CN=SYSTEM,DC=<DOMAIN>,DC=<TLD>
* Security principal: Anonymous Logon
* Audit "Success" on "Read All Properties" and "Enumerate entire
SAM Domain"

In the Default Domain Controllers GPO the Audit policy must be
configured for "Audit Directory Service Access" to success (default
in w2k3)

In the Event Viewer check for event ID 565 for the user ANONYMOUS LOGON.
If you have more than 1 DC use MS EventComb.

If you still need more information see "Best Practice Guide for
Securing Windows Server Active Directory 2003 Installations" (chapter
3, page 48 and 49)

Cheers,

--
Posted using the http://www.windowsforumz.com interface, at author's request
Topic URL: http://www.windowsforumz.com/Setup---Deploy---Upgrade-Permissions-compatible-pre-Windows2000-servers-ftopict552098.html
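The three checks the reply walks through (group membership, the SACL on CN=Server,CN=System for ANONYMOUS LOGON, and the event 565 sweep across DCs) as one PowerShell script. This is an added example, not code from the original post or from any Microsoft tool. It assumes Windows PowerShell 5.x on a domain-joined host run as a Domain Admin, uses only the .NET DirectoryServices classes reachable through [ADSI] (no RSAT module), and the function names are mine. Event ID 565 is the Windows 2000/2003 Directory Service Access event the reply refers to; DCs on Windows Server 2008 or later log 4662 for the same thing, so change the ID there.

```powershell
# Added example (not from the original post). Assumptions: Windows PowerShell
# 5.x, domain-joined host, Domain Admin rights; function names are invented.
# Event 565 applies to Windows 2000/2003 DCs; newer DCs log 4662 instead.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = [string]$rootDse.defaultNamingContext
$configDN = [string]$rootDse.configurationNamingContext

# Resolve a member DN to DOMAIN\name; foreign security principals such as
# Everyone (S-1-1-0) and ANONYMOUS LOGON (S-1-5-7) fall back to the SID string.
function ConvertTo-AccountName([string]$memberDN) {
    $entry = [ADSI]"LDAP://$memberDN"
    $sid = New-Object System.Security.Principal.SecurityIdentifier(
        [byte[]]$entry.psbase.Properties['objectSid'].Value, 0)
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

# 1. Membership of the built-in group. Everyone and/or ANONYMOUS LOGON present
#    means the "pre-Windows 2000 compatible" permissions are still in effect.
function Get-PreW2KCompatibleAccessMembers {
    $group = [ADSI]"LDAP://CN=Pre-Windows 2000 Compatible Access,CN=Builtin,$domainDN"
    foreach ($dn in @($group.psbase.Properties['member'])) { ConvertTo-AccountName $dn }
}

# 2. Success audit for ANONYMOUS LOGON on CN=Server,CN=System for "Read All
#    Properties" and the "Enumerate Entire SAM Domain" extended right. The
#    right's GUID is read from the configuration partition, not hard-coded.
#    "Audit directory service access" must be on in the Default Domain
#    Controllers GPO for this SACL to produce events.
function Enable-AnonymousDirectoryAccessAudit {
    $anon = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Extended-Rights,$configDN",
        '(&(objectClass=controlAccessRight)(displayName=Enumerate Entire SAM Domain))',
        [string[]]@('rightsGuid'))
    $result = $searcher.FindOne()
    if (-not $result) { throw 'Enumerate Entire SAM Domain right not found in configuration NC' }
    $enumSamGuid = [guid]$result.Properties['rightsguid'][0]

    $server = [ADSI]"LDAP://CN=Server,CN=System,$domainDN"
    # Read and write only the SACL part of the security descriptor.
    $server.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $sec = $server.psbase.ObjectSecurity
    $sec.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $anon, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AuditFlags]::Success)))
    $sec.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $anon, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AuditFlags]::Success, $enumSamGuid)))
    $server.psbase.CommitChanges()
    # Return the audit rules now present for the anonymous SID so the change can be verified.
    $sec.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $anon }
}

# 3. Sweep the Security log of every DC (the multi-DC case the reply hands to
#    EventComb) for event 565 entries attributed to ANONYMOUS LOGON.
function Get-AnonymousDirectoryAccessEvents([int]$Days = 7, [int]$EventId = 565) {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        Get-EventLog -LogName Security -ComputerName $dc.Name -After (Get-Date).AddDays(-$Days) |
            Where-Object { $_.EventID -eq $EventId -and $_.Message -match 'ANONYMOUS LOGON' } |
            Select-Object MachineName, TimeGenerated,
                @{ n = 'Detail'; e = { (($_.Message -split "`r?`n")[0..5]) -join ' | ' } }
    }
}

Get-PreW2KCompatibleAccessMembers
# Enable-AnonymousDirectoryAccessAudit   # run once, then let the apps run for a while
Get-AnonymousDirectoryAccessEvents -Days 7 | Format-Table -AutoSize
```

Run the membership check first; if it lists only Authenticated Users (and Everyone and ANONYMOUS LOGON are absent) the compatibility permissions are already off. Enable the SACL before the SQL and RAS hosts' next normal workday, collect for a few days, and only then remove Everyone from the group. If nothing shows up under ANONYMOUS LOGON, no application on the NT4 members was relying on null-session access to the domain.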