How to Determine the Mode of a Windows 2000 Domain (224386)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q224386

SUMMARY

This article describes how to determine if a Windows 2000 domain is running in mixed mode or native mode.

MORE INFORMATION

Windows 2000 domains operate in two modes, mixed mode and native mode. Mixed mode allows compatibility with downlevel domain controllers in the same domain; native mode enables advanced features on Windows 2000 domain controllers including support for universal groups, nested groups, and security ID (SID) history so that users and groups that are cloned from Microsoft Windows NT domains can access file and print resources permissioned with security descriptors from other domains. Native mode requires that all domain controllers in the domain run Windows 2000 or later. Microsoft network clients are fully functional in mixed or native mode domains.

You can use the following methods to identify what mode a Windows 2000 domain is running in:
  • Native-mode operation is defined by the NTMixedDomain attribute in the root of the domain naming context for each domain in the forest. Nonzero values indicate the mode is mixed, and zero indicates native mode. To determine if the domain mode change has propagated, check the value of this attribute across a set of domain controllers in the domain. The domain mode change is propagated through normal replication.

    Use Ldp.exe or another Active Directory viewing tool display the value of the NTMixedDomain attribute in the domain naming context for the domain of interest. Examine multiple domain controllers to determine if Active Directory replication has replicated the change to all domain controllers in the domain.

    The NTMixedDomain attribute of 1 from the LDP output for a domain controller in the A.COM domain indicates mixed-mode operation.
    Expanding base 'DC=a,DC=com'...
Result <0>: (null)
Matched DNs: 
Getting 1 entries:
>> Dn: DC=a,DC=com
	1> dc: a; 
	1> fSMORoleOwner: CN=NTDS Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=a,DC=com; 
	1> isCriticalSystemObject: TRUE; 
	1> nTMixedDomain: 1; 
	1> distinguishedName: DC=a,DC=com; 
	1> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=a,DC=com; 
	3> objectClass: top; domain; domainDNS; 
	1> name: a; 
	1> rIDManagerReference: CN=RID Manager$,CN=System,DC=a,DC=com; 
	1> whenChanged: MM/DD/YYYY HH:MM:SS <TIMEZONE>; 
	1> whenCreated: MM/DD/YYYY HH:MM:SS <TIMEZONE>;
    For additional information about how to find objects in Active Directory, click the article number below to view the article in the Microsoft Knowledge Base:

    224543 Using Ldp.exe to Find Data in the Active Directory

  • Start the Active Directory Users and Computers snap-in, right-click the domain name (A.COM), and then click Properties. The domain mode is displayed as either mixed or native mode.
  • The Enterprise Admins group scope is converted from a Global group in mixed mode to a Universal group when the domain is transitioned to native mode.
  • The Schema Admins group scope is converted from a Global group in mixed mode to a Universal group when the domain is transitioned to native mode.
  • The Universal group scope option is available when you create new groups in the Active Directory Users and Computers snap-in.
Modification Type:MinorLast Reviewed:1/20/2006
Keywords:kbenv kbinfo KB224386
©2004 Microsoft Corporation. All rights reserved.