RE: Coexistence of Windows 2000 and Windows 2003

From: John Coke (jcoke_at_anodynetech.com)
Date: 10/27/03

  • Next message: lwolrab_at_deltanet.net: "RE: Coexistence of Windows 2000 and Windows 2003"
    Date: Mon, 27 Oct 2003 15:09:02 -0600
    To: <fh@rcs.urz.tu-dresden.de>, <focus-ms@securityfocus.com>
    
    

    I'm not sure what your consultant means when he says "master." I will
    say that the permissions structure in AD is meant to isolate the
    directory from domain changes in one of the children. That is to say
    that you cannot make forest-wide changes w/o being an Enterprise Admin.
    If he's talking about a forest-wide FSMO role owner, you cannot change
    those w/o being an Ent. Admin.

    Now you will have to make schema changes (requires Ent. Admin.) before
    you promote that first WS 2003 DC as well as make domain-level changes
    (requires Domain Admin.). The MS WS 2003 deployment guides document
    this at length. For that matter you should forward a copy of it to your
    consultant. 2003 was designed to interoperate with 2000 for large scale
    migrations.

    Regards,
    -John

    -----Original Message-----
    From: Frank Heyne [mailto:fh@rcs.urz.tu-dresden.de]
    Sent: Monday, October 27, 2003 8:54 AM
    To: focus-ms@securityfocus.com
    Subject: Coexistence of Windows 2000 and Windows 2003

    Hello,

    This is security related as far as crashing an AD is a security problem,
    therefore I hope the moderator will let it slip through.
    Answers sent to me personally are welcome, I can post a summary to the
    list.

    Question:
    There is a Windows 2000 AD tree.
    One domain down the tree wants to upgrade the DCs to Windows 2003. A
    consultant claims this would cause havoc, because there would be no way
    to forbid the new 2003 DCs to become the master for the entire AD,
    because they have a newer version of Windows.

    I don't believe this to be true, and wonder whether someone has already
    managed to put a Windows 2003 DC somewhere in an AD tree, without
    changing anything in the tree hierarchy?

    Frank Heyne
