RE: Active Directory Security Migration Questions:
From: Phydeaux (hbcsc502@csun.edu)
Date: 05/15/02
- Previous message: Jack Mize: "RE: User Log off"
- In reply to: Dozal, Tim: "RE: Active Directory Security Migration Questions:"
- Next in thread: Tomasz Onyszko: "Re: Active Directory Security Migration Questions:"
Date: Wed, 15 May 2002 13:09:26 -0700 (PDT)
From: Phydeaux <hbcsc502@csun.edu>
To: "Dozal, Tim" <tdozal@cisco.com>
You can have Windows 95 and NT 4 machines running on a Mixed Mode or
Native Mode AD. The Authentication protocols of NTLM and Kerberos 5 are
configurable in Group Policies. So if/when your network goes to all 2k/XP
machines, you can then move over the authentication protocol to Kerberos
if you want to. Just for kicks, look at group policy and search for NTLM.
(Sorry I do not have Admin rights where I am to verify the location). The
default Authentication protocol should be NTLM for a domain brought up for
the first time in Mixed or Native modes. I have not tested the Native
mode fresh install without going through Mixed mode to verify.
~B
On Tue, 14 May 2002, Dozal, Tim wrote:
> I am no AD expert but my experience is that in Mixed mode you will use NTLM (i.e. NT 4) authentication (plain text transmission) when connecting between hosts on the network. If your infrastructure has any non-Windows 2000/XP machines then you must use mixed mode. If you are building a whole new environment and have no need to connect to legacy OSes then you can run in native mode and take advantage of the higher level security of the Kerberos authentication model (I think MD5 crypto on the transmissions). Most migrations will not be able to do this because they are not replacing every host with a Windows 2000 or newer OS.
>
> I welcome people to expand on this for my own knowledge also.
>
> -Tim
>
>
> -----Original Message-----
> From: leon [mailto:leon.inyc@verizon.net]
> Sent: Monday, May 13, 2002 5:50 PM
> To: security-basics@securityfocus.com
> Subject: Active Directory Security Migration Questions:
>
>
> Hi
>
> I had a coworker ask me the following questions and I was unsure of the answers to most so I thought I might ask for some help.
>
>
> 1) What does native mode bring in terms of granular user rights and group policy that mixed mode does not?
> 2) Are there specific security advantages to using native mode over mixed mode? If so what are they?
>
>
> I really appreciate the help and thanks again.
>
> Cheers,
>
> Leon
>
>