Raising domain functional level from 2000 mixed to 2000 native

Discussion in 'Active Directory' started by Erik Szewczyk, Feb 18, 2004.

  1. We've been considering upgrading our domain function level from 2000 mixed
    to either 2000 native or (in the near future) to 2003 native function level.
    Part of the reason we are looking at raising the function level is because
    we would like to make use of Domain Local Groups which are only available in
    2000/2003 native modes; and of course it's been several years since we've
    had any NT4 domain controllers :)

    I'm just starting to gather information about "what we can expect" if we
    raise the level. Of course if we raise it we cannot go back so I would like
    to be certain we cover all our bases and know how it will affect our network
    services if we do this. I have a number of different services that I'm
    doing research on such as our web-server login (integrated CFM/AD login) and
    our VPN concentrators but I thought I would see if any of you have
    recommendations for things to focus on when doing my research and/or
    information about upgrades you have done.

    Thanks in advance.

    Erik Szewczyk, Feb 18, 2004

  2. Yep. You are on the right track. Take a good look at all servers that are
    members of the domain and authenticate users from the outside, such as
    Remote Access, OWA, etc. Changing to higher functionality can generally
    interfere with NTLM authentication. This can really create a challenge when
    the server being accessed is in a DMZ. You may have to plan for Kerberos
    authentication through the firewall. Study up on IPSec. If you *must*
    authenticate through a firewall (I don't suggest it) use certificate based
    IPSec. (Spell that, PKI) Do NOT use shared secrets.

    Dave Shaw [MVP], Feb 19, 2004

  3. Are you suggesting that I will have a problem with OWA access?

    Erik Szewczyk, Feb 27, 2004
