SolutionBase: Understanding mixed and native modes in Windows Server 2003

Windows 2000 introduced the concept of modes to allow Active Directory to work with Windows NT. Windows Server 2003 offers additional Active Directory modes. Here's what you need to know.

Windows 2000 Server introduced two Active Directory modes, mixed and native, to support different deployment scenarios. Mixed mode provides backwards compatibility for Windows NT domains, while native mode provides expanded Windows 2000 functionality. Windows Server 2003 adds two additional modes, Windows Server 2003 interim and Windows Server 2003, giving you four modes from which to choose when deploying Windows Server 2003 Active Directory. In this Daily Feature, I'll explain each of these modes and the implications and uses for each.

Windows 2000 Server modes
As I mentioned above, Windows 2000 Server provides two Active Directory modes. The first, mixed mode, provides for compatibility with Windows NT domains. In effect, mixed mode dumbs down Active Directory to enable Windows NT domains to communicate with Active Directory. Mixed mode makes Active Directory function like a Windows NT primary domain controller (PDC), which enables cross-communication and interoperability with Windows NT domains and directly supports Windows clients from Windows 3.x through Windows ME.

Because Windows 2000 Server mixed mode allows a domain controller to emulate a PDC, you can deploy a Windows Server 2003 Active Directory domain controller in a Windows NT domain, or in a new domain that will communicate with the NT domain. For example, you might upgrade your existing Windows NT DCs to Windows Server 2003 over an extended period and, when all DCs have been upgraded, switch to one of the other three modes for greater functionality. Because each upgraded DC continues to interoperate with the others, you can take your time with the upgrade without having to restructure the domain immediately.

Using Windows 2000 Server in mixed mode takes away a lot of the flexibility you would otherwise have in structuring your Windows Server 2003 domains. Some of the Windows Server 2003 features mixed mode does not support include:
  • Nested security groups (although nested distribution groups are supported)
  • Universal security groups
  • SID history
  • The domain controller rename tool

Because of its limited functionality, Windows 2000 Server mixed mode is useful only when Windows Server 2003 must be introduced into an existing Windows NT domain or when cross-domain functionality is needed for one or more existing Windows NT domains. Where no Windows NT domains are present, you should consider one of the other three modes, starting with Windows 2000 Server native mode.

Windows 2000 Server native mode eliminates the restrictions imposed by Windows NT compatibility. Unlike mixed mode, native mode supports universal groups, nested groups, conversion between security and distribution groups, and SID history (to allow migration of security principals from one domain to another). Moving to native mode disables NT domain controller emulation, however, removing the capability for replication with Windows NT domain controllers. In addition, Windows clients earlier than Windows 2000 must use the add-on Active Directory client software to interact with Active Directory.

Moving up to native mode also provides for greater security because you can switch to Kerberos for authentication of Windows 2000 or later clients. Earlier clients can continue to use NTLM for authentication, although NTLM results in decreased security. Finally, Windows 2000 Server native mode improves domain replication by moving away from the PDC/BDC topology imposed by Windows NT to the multimaster replication topology offered by Windows 2000 and Windows 2003.

Windows 2000 Server native mode is the choice to make when your Windows Server 2003 domain controllers must function within an existing Windows 2000 domain or when Windows 2000 DCs will be introduced into the Windows 2003 domain, if only temporarily. Using native mode ensures that the Windows 2000 DCs can interoperate with the Windows Server 2003 DCs in the domain.

Windows Server 2003 modes
Windows Server 2003 introduces two additional Active Directory modes, the first of which is Windows Server 2003 interim mode. This mode is intended to support migration from Windows NT domains to Windows Server 2003. Interim mode is available only when upgrading the first Windows NT domain to a new forest and supports Windows NT and Windows 2003 domain controllers. Interim mode does not support Windows 2000 DCs.

Interim mode provides much the same capability as Windows 2000 mixed mode, with a few improvements for replication. Interim mode is intended solely as a stop-gap to provide compatibility with NT domains until they can be upgraded to Windows 2000 or Windows 2003.

The fourth Active Directory mode is Windows Server 2003, which you can consider to be Windows Server 2003 native mode (although it isn't called that to avoid confusion with Windows 2000 native mode). Windows Server 2003 mode offers some very useful enhancements, including all of the improvements inherent in Windows 2000 native mode. Windows Server 2003 mode also supports the domain controller rename tool, making it relatively easy to rename domains and domain controllers.

Windows Server 2003 mode adds the lastLogonTimestamp attribute to user accounts, enabling you to better track logon history. The lastLogonTimestamp attribute tracks the last logon time of a user or computer account and is replicated across the domain along with other account attributes.
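lastLogonTimestamp is stored as a 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so reading it for the logon tracking described above means decoding that integer and deciding what "never set" means. The following Python is an added example, not code from the article or from Microsoft; it decodes constructed sample attribute values and flags accounts that have not logged on within a chosen window. The account records and the date used as "now" are constructed inline, and the 9-to-14-day refresh behaviour noted in the comment is an assumption about the attribute's default update interval rather than something the article states.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 00:00:00 UTC). lastLogonTimestamp is a
# 64-bit count of 100-nanosecond ticks since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Decode a lastLogonTimestamp value into an aware UTC datetime.

    0 (or an absent attribute) means the value has never been set, i.e. no
    logon has been recorded for the account since the attribute became active.
    """
    if not value:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * 10_000_000
    return ticks + delta.microseconds * 10


def stale_accounts(accounts, now, max_age_days=90):
    """Return the sAMAccountNames whose replicated last logon is older than
    max_age_days, or that have never logged on.

    Assumption/caveat: a DC refreshes lastLogonTimestamp only when the stored
    value is already roughly 9-14 days old, so the attribute is coarse. Keep
    max_age_days well above that window and treat the result as an indicator
    of unused accounts, not as an audit trail of individual logons.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for account in accounts:
        last = filetime_to_datetime(account.get("lastLogonTimestamp"))
        if last is None or last < cutoff:
            stale.append(account["sAMAccountName"])
    return stale


# Constructed sample records shaped like the attributes an LDAP search would
# return; no real directory is queried.
NOW = datetime(2003, 9, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice",
     "lastLogonTimestamp": datetime_to_filetime(
         datetime(2003, 8, 20, 9, 30, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob",
     "lastLogonTimestamp": datetime_to_filetime(
         datetime(2003, 3, 1, 17, 5, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-backup",   # never logged on: attribute still 0
     "lastLogonTimestamp": 0},
]

if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        print(account["sAMAccountName"],
              filetime_to_datetime(account["lastLogonTimestamp"]))
    print("stale:", stale_accounts(SAMPLE_ACCOUNTS, NOW))
```

The same decoding applies to the older lastLogon attribute, but that one is not replicated, so per-DC values would have to be collected and compared; lastLogonTimestamp is the one that can be read from any DC.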

Windows Server 2003 mode also adds extended support for the InetOrgPerson object class, which is defined by RFC 2798 and used within many directory services to represent users within an organization. Supporting the InetOrgPerson class enables Windows Server Active Directory to more easily support migration from other directory services. InetOrgPerson objects can be used as security principals, just like user class objects. Moving to Windows Server 2003 Active Directory mode enables the domain administrator to set the userPassword attribute on an InetOrgPerson object as the effective password. Administrators can also create new InetOrgPerson objects in the Active Directory as needed.

Windows Server 2003 mode supports only Windows Server 2003 domain controllers, so it is an option only when you are building a new domain with Windows Server 2003 alone, or when all DCs in an existing domain have been upgraded to Windows Server 2003. For the same reason, once you have raised the functional level to Windows Server 2003 mode, you cannot introduce DCs running earlier versions of Windows Server (including Windows 2000) into the domain or forest.

Identifying and choosing modes
During the Windows Server 2003 deployment planning process, you need to determine the modes in use across your domain forests. Windows NT does not offer any modes of its own, so the presence of Windows NT domains and DCs implies the need for either Windows 2000 mixed mode or, if no Windows 2000 domains or DCs are present, Windows Server 2003 interim mode.

You can determine the current mode for existing Windows 2000 domains with the Active Directory Domains And Trusts console. Right-click the domain in the left pane and choose Properties; the Domain Operation Mode field on the General tab of the domain's property page displays the mode the domain is currently running in. You can check the mode of a Windows Server 2003 domain with the same console: right-click the server in the console, choose Properties, and note the read-only Domain Functional Level field on the General tab.

If you determine that you need to raise the functional level for a domain prior to or during Windows Server 2003 deployment, you can also accomplish that task with the Active Directory Domains And Trusts console. For Windows 2000, click the Change button and follow the prompts to raise the domain level to native mode. For Windows Server 2003, right-click the server in the console, choose Raise Domain Functional Level, choose a mode from the drop-down list, and click Raise. Before you start changing modes, however, keep in mind that there is no going back. Make sure you understand the process and implications for changing domain functional levels before starting the process.
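Outside the console, the same information is available as raw directory attributes: a Windows Server 2003 DC publishes domainFunctionality in rootDSE (0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003), and the domain object's ntMixedDomain attribute distinguishes Windows 2000 mixed (1) from native (0). The Python below is an added example, not code from the article or from Microsoft: it names the mode from those two values and, because raising the level cannot be undone, lists the DCs whose operating system the target mode cannot host, using the per-mode DC support described in this article. The attribute meanings are stated as assumptions in the code, the DC inventory is constructed inline, and the note that a Windows 2000 DC does not publish domainFunctionality is also an assumption.

```python
# Functional-level values published in rootDSE (domainFunctionality /
# forestFunctionality) by a Windows Server 2003 DC. Assumed mapping; values
# above 2 belong to later releases and are outside this article.
DOMAIN_FUNCTIONALITY = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
}

# Domain controller operating systems each mode can host, as described in the
# article: mixed hosts NT/2000/2003, native hosts 2000/2003, interim hosts
# NT/2003 (no Windows 2000), and Windows Server 2003 mode hosts 2003 only.
SUPPORTED_DC_OS = {
    "Windows 2000 mixed": {"Windows NT", "Windows 2000", "Windows Server 2003"},
    "Windows 2000 native": {"Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows NT", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}


def describe_domain_mode(domain_functionality, nt_mixed_domain):
    """Name the current mode from two raw attribute values.

    domain_functionality: rootDSE domainFunctionality. Pass None when the DC
    queried is Windows 2000, which (assumption) does not publish it; treated as 0.
    nt_mixed_domain: ntMixedDomain on the domain object, 1 = mixed, 0 = native
    (assumed meaning).
    """
    level = domain_functionality or 0
    if level == 0:
        return "Windows 2000 mixed" if nt_mixed_domain == 1 else "Windows 2000 native"
    if level in DOMAIN_FUNCTIONALITY:
        return DOMAIN_FUNCTIONALITY[level]
    raise ValueError(f"functional level {level} is newer than Windows Server 2003")


def blocking_dcs(target_mode, dcs):
    """Return the names of DCs whose OS the target mode cannot host.

    Raising the level is irreversible, so anything returned here must be
    upgraded or demoted before the level is raised, not afterwards.
    """
    allowed = SUPPORTED_DC_OS[target_mode]
    return [dc["name"] for dc in dcs if dc["os"] not in allowed]


# Constructed inventory; nothing here is read from a real directory.
SAMPLE_DCS = [
    {"name": "DC1", "os": "Windows Server 2003"},
    {"name": "DC2", "os": "Windows Server 2003"},
    {"name": "DC3", "os": "Windows 2000"},
]

if __name__ == "__main__":
    # Values a Windows 2000 native domain would report: level 0, ntMixedDomain 0.
    print("current mode:", describe_domain_mode(0, 0))
    for target in ("Windows 2000 native", "Windows Server 2003"):
        blocked = blocking_dcs(target, SAMPLE_DCS)
        print(f"raise to {target}: {'blocked by ' + str(blocked) if blocked else 'ok'}")
```

In the sample inventory, moving to Windows 2000 native mode is unobstructed, while Windows Server 2003 mode is blocked by DC3 until it is upgraded or demoted; running a check like this against the real DC list before clicking Raise is the cheap way to avoid discovering an orphaned DC after the irreversible change.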