Learn AD in 15 Minutes a Week: Active Directory Domains and Trusts MMC Page 4

By Jason Zandri (Send Email)
Posted Apr 18, 2003


If users of forums.2000trainers.com need to access resources in zandri.net, then another one-way external trust would need to be created. If users in 2000trainers.com needed to have access to resources in northamerica.zandri.net (or any other domain in the zandri.net forest), another one-way external trust would need to be created.

External trusts can be created between domains in different Windows 2000 forests, to a Windows NT domain (sometimes called a down-level domain), or to a Kerberos version 5 realm.

You can combine two one-way trusts to create a two-way trust relationship, where 2000trainers.com trusts zandri.net and zandri.net trusts 2000trainers.com. However, even these are NOT TRANSITIVE, because the two domains are in different Windows 2000 Active Directory forests.
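The two rules above (a trust inside a forest is two-way and transitive; an external trust applies only to the two domains it directly joins, in one direction) can be checked mechanically. The following is an added example, not code from the article; it models the zandri.net and 2000trainers.com forests as a directed graph and assumes the one-way external trust "2000trainers.com trusts zandri.net" from the text is the trust already in place. The domain names are the article's; the class and function names are this example's own.

```python
from collections import deque

# Trust kinds in the Windows 2000 model the article describes.
TRANSITIVE = "transitive"  # intra-forest parent/child and tree-root trusts (always two-way)
EXTERNAL = "external"      # one-way trust to another forest, an NT4 domain or a Kerberos realm


class TrustMap:
    """Directed trust graph.

    An edge trusting -> trusted means "trusting trusts trusted": accounts from the
    trusted domain can be granted access to resources in the trusting domain.
    """

    def __init__(self):
        self.edges = {}  # trusting domain -> {trusted domain: kind}

    def add_trust(self, trusting, trusted, kind, two_way=False):
        self.edges.setdefault(trusting, {})[trusted] = kind
        if two_way:
            self.edges.setdefault(trusted, {})[trusting] = kind

    def add_forest_trust(self, parent, child):
        # Trusts inside one forest are created automatically, two-way and transitive.
        self.add_trust(parent, child, TRANSITIVE, two_way=True)

    def can_access(self, resource_domain, account_domain):
        """Can accounts from account_domain be granted access in resource_domain?"""
        if resource_domain == account_domain:
            return True
        # A single trust of any kind, including a non-transitive external one, is enough.
        if account_domain in self.edges.get(resource_domain, {}):
            return True
        # Otherwise a chain is usable only if every hop is transitive; an external
        # trust cannot appear anywhere in a multi-hop path.
        seen = {resource_domain}
        queue = deque([resource_domain])
        while queue:
            domain = queue.popleft()
            for nxt, kind in self.edges.get(domain, {}).items():
                if kind != TRANSITIVE or nxt in seen:
                    continue
                if nxt == account_domain:
                    return True
                seen.add(nxt)
                queue.append(nxt)
        return False


def build_example_forests():
    """The two forests from the article plus the assumed one-way external trust."""
    t = TrustMap()
    # zandri.net forest: the zandri.net tree plus the gunderville.com tree
    t.add_forest_trust("zandri.net", "northamerica.zandri.net")
    t.add_forest_trust("zandri.net", "gunderville.com")  # tree-root trust
    # 2000trainers.com forest
    t.add_forest_trust("2000trainers.com", "forums.2000trainers.com")
    # External, one-way, non-transitive: 2000trainers.com trusts zandri.net
    t.add_trust("2000trainers.com", "zandri.net", EXTERNAL)
    return t


def access_report(trust_map):
    """Resource/account pairs the article discusses, as {(resource, account): allowed}."""
    checks = [
        ("2000trainers.com", "zandri.net"),               # covered by the external trust
        ("zandri.net", "2000trainers.com"),               # wrong direction
        ("zandri.net", "forums.2000trainers.com"),        # needs its own external trust
        ("northamerica.zandri.net", "2000trainers.com"),  # needs its own external trust
        ("gunderville.com", "northamerica.zandri.net"),   # intra-forest, transitive
    ]
    return {pair: trust_map.can_access(*pair) for pair in checks}


if __name__ == "__main__":
    forests = build_example_forests()
    for (resource, account), ok in access_report(forests).items():
        print(f"{account:26} -> {resource:26}: {'allowed' if ok else 'no trust path'}")
    # Adding the reverse one-way trust makes the pair two-way, but still not transitive.
    forests.add_trust("zandri.net", "2000trainers.com", EXTERNAL)
    print("two-way now:", forests.can_access("zandri.net", "2000trainers.com"))
    print("child domain still unreachable:",
          forests.can_access("northamerica.zandri.net", "2000trainers.com"))
```

The deciding rule is in `can_access`: a non-transitive trust may be the whole path but never one hop of a longer one, which is why the second external trust added at the end opens zandri.net itself and nothing else in its forest.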

[NOTES FROM THE FIELD] - This subject matter is HEAVILY tested in both the 70-217 AND the 70-219 exams.

The Active Directory Domains and Trusts Microsoft Management Console is also used to change the mode of the domain from mixed to native mode: right-click the domain that you want to convert to native mode, choose Properties, and click Change Mode on the General tab.

After you choose Yes in the "Are you sure you want to change this domain to native mode?" dialog box, your domain begins the move to native mode, and this change will need to be replicated to all of the domain controllers in the forest.

[NOTES FROM THE FIELD] - Best practice is to reboot the domain controller where the mode change was made and, once the other domain controllers begin to show native mode rather than mixed mode when you view their properties, to reboot those as well.

I make mention that this change "could" be performed from any Windows workstation with the appropriate Adminpak tools installed on it but I would not recommend doing it this way. Unforeseen network issues could have unpredictable results. It is always better to be working from a local login on a domain controller.

You can make your change from mixed mode to native mode only once; this action cannot be reversed.

[NOTES FROM THE FIELD] - In our example of the zandri.net forest, we could change the mode of the zandri.net domain from mixed mode to native mode and leave all of the domains in the gunderville.com tree and all of the child domains in the zandri.net tree in mixed mode.

If we decided to run the entire forest in native mode we would have to go to a domain controller (or connect to a domain controller) in each domain to effect the change.

Once you change your domain from mixed mode to native mode there are a number of infrastructure changes that occur.

The domain controller that holds the role of PDC operations master cannot synchronize data with any Windows NT BDCs that may still be active on the network. In theory, this means that any legacy clients that still authenticate against those systems will be doing so with out-of-date information.

[NOTES FROM THE FIELD] - It is a best practice to NOT update a domain to native mode until all NT4 BDCs have either been upgraded to Windows 2000 Server or retired.

Running Windows NT4 member servers is fine from a domain mode perspective.

The PDC Emulator domain controller acts as a Windows NT Primary Domain Controller when the domain environment contains both NT4 BDCs and Windows 2000 DCs. It processes all of the NT4 password changes from clients and replicates domain updates to the down-level BDCs. Once the domain is in native mode, the existing domain controllers no longer support NTLM replication, and no new Windows NT4 BDCs can be added to the environment.

The PDC emulator still performs certain singular duties that no other DC in the domain handles. The PDC Emulator receives preferential replication of password changes performed by other domain controllers in the domain. When a password is changed, that change takes time to replicate to every domain controller in the domain, and the synchronization delay might cause an authentication failure at a domain controller that has not yet received the change. Before that domain controller denies access to whatever is trying to perform the access, it forwards the authentication request to the PDC Emulator, as the PDC Emulator may have different information (e.g. a new password). Think of it as a domain controller double-check: making sure it is proper to deny access before actually doing so.
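The forwarding behaviour just described, as an added example that is not part of the article: a toy domain with three DCs in which a password change made at one DC reaches the PDC emulator immediately and the third DC only after replication. The DC names, the user account and the passwords are constructed sample values; real DCs store hashes rather than the plaintext used here.

```python
class DomainController:
    """One Windows 2000 DC. Toy model: stores plaintext passwords for readability."""

    def __init__(self, name, pdc_emulator=False):
        self.name = name
        self.pdc_emulator = pdc_emulator
        self.accounts = {}  # user -> password

    def local_check(self, user, password):
        return user in self.accounts and self.accounts[user] == password


class Domain:
    def __init__(self, controllers):
        self.dcs = {dc.name: dc for dc in controllers}
        pdcs = [dc for dc in controllers if dc.pdc_emulator]
        if len(pdcs) != 1:
            raise ValueError("exactly one DC must hold the PDC emulator role")
        self.pdc = pdcs[0]

    def create_user(self, user, password):
        # Starting point: every DC holds the same, fully replicated, information.
        for dc in self.dcs.values():
            dc.accounts[user] = password

    def change_password(self, at_dc, user, new_password):
        # The DC that takes the change stores it, and the PDC emulator receives it
        # preferentially, ahead of the normal replication cycle. Other DCs wait.
        self.dcs[at_dc].accounts[user] = new_password
        self.pdc.accounts[user] = new_password

    def replicate(self):
        # Normal replication eventually brings every DC up to date.
        for dc in self.dcs.values():
            dc.accounts.update(self.pdc.accounts)

    def authenticate(self, at_dc, user, password):
        """Returns (success, name of the DC whose information decided the outcome)."""
        dc = self.dcs[at_dc]
        if dc.local_check(user, password):
            return True, dc.name
        # Local failure: before denying, ask the PDC emulator, which may already
        # hold a newer password than this DC has received.
        if not dc.pdc_emulator and self.pdc.local_check(user, password):
            return True, self.pdc.name
        return False, dc.name


def build_demo_domain():
    """Three DCs; DC1 holds the PDC emulator role. Constructed sample data."""
    dom = Domain([
        DomainController("DC1", pdc_emulator=True),
        DomainController("DC2"),
        DomainController("DC3"),
    ])
    dom.create_user("jdoe", "OldPassw0rd")
    # Password changed at DC2; DC3 has not received the change yet.
    dom.change_password("DC2", "jdoe", "NewPassw0rd")
    return dom


if __name__ == "__main__":
    dom = build_demo_domain()
    print("new password at stale DC3:", dom.authenticate("DC3", "jdoe", "NewPassw0rd"))
    print("wrong password at DC3:    ", dom.authenticate("DC3", "jdoe", "WrongPassw0rd"))
    dom.replicate()
    print("after replication at DC3: ", dom.authenticate("DC3", "jdoe", "NewPassw0rd"))
```

The first call succeeds on the PDC emulator's information rather than DC3's, which is the double-check the paragraph describes; once `replicate()` has run, DC3 answers for itself.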

Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note. I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,

"For common sense to be truly common one would expect to see it more often."
