aval
Honorable But Hopeless Addict
USA
2089 Posts
Status: offline
Posted - 05/19/2006 : 1:08:29 PM
I'm running a mixed mode domain with one Windows 2000 DC and one Windows 2003 DC. If I have not yet moved to native mode, it's because I'm concerned about clients that may still require NTLM authentication rather than Kerberos.
So, my question is simple: will moving to native mode prevent clients from falling back to NTLM authentication if need be?
Aval
aed
Major Contributor
USA
1140 Posts
Status: offline
Posted - 05/19/2006 : 2:38:21 PM
Mark did a presentation upon the Windows Logon process and this was covered. My understanding is that it should try Kerberos first and if it fails, fall back and try NTLM. So moving to native shouldn't prevent the falling back. There is a policy which can be set for it to send NTLMv2 only/refuse LM & NTLM but by default it is set to Send LM & NTLM responses. Hope this makes sense.
Jerrod
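An added example, not code from this thread or from anyone posting in it, showing how to read and describe the "LAN Manager authentication level" policy that Jerrod refers to (the one whose strictest setting is "Send NTLMv2 response only. Refuse LM & NTLM"). The registry path, value name and the six level names are the real ones for that policy; the helper function names and the commented-out hardening line at the end are assumptions of this example. Raising the level changes what a machine sends and, on a DC, what it accepts; it does not change the order of negotiation, so Kerberos is still tried first and NTLM remains the fallback.

```powershell
# Added example, not from the thread. Reads the "LAN Manager authentication
# level" policy that governs which LM/NTLM/NTLMv2 responses this machine
# sends and, on a domain controller, which it accepts.
# Real policy location: HKLM\SYSTEM\CurrentControlSet\Control\Lsa,
# REG_DWORD LmCompatibilityLevel.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# The six policy values and the names they carry in the Group Policy UI.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured level, or $null when the value is absent
    # (the OS default then applies; the thread describes that default as
    # "Send LM & NTLM responses", i.e. level 0, for the systems discussed).
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Format-LmCompatibilityLevel {
    param($Level)
    if ($null -eq $Level) { return 'not set (OS default applies)' }
    $n = [int]$Level
    if ($LmLevels.ContainsKey($n)) { return "$n = $($LmLevels[$n])" }
    return "$n = (unrecognised value)"
}

function Test-LmLevelSendsNtlmv1 {
    # True when the machine would still send LM or NTLMv1 responses,
    # i.e. any level below 3. Levels 4 and 5 additionally make a DC
    # refuse LM (4) or both LM and NTLMv1 (5) from clients.
    param($Level)
    if ($null -eq $Level) { $Level = 0 }   # assumption: absent value treated as level 0, as the thread states
    return ([int]$Level -lt 3)
}

function Set-LmCompatibilityLevel {
    # Hypothetical hardening step; only run after confirming that no
    # remaining client depends on LM/NTLMv1, since a DC at level 5 rejects
    # clients that can only speak those.
    param([ValidateRange(0, 5)][int]$Level)
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
}

$current = Get-LmCompatibilityLevel
"LAN Manager authentication level: $(Format-LmCompatibilityLevel $current)"
if (Test-LmLevelSendsNtlmv1 $current) {
    'This machine will still send LM/NTLMv1 responses when a peer asks for them.'
}
# Set-LmCompatibilityLevel -Level 5   # hypothetical: NTLMv2 only, refuse LM & NTLM
```

Run it elevated on each DC and on a sample of clients; the point of the check is that the policy is per machine, so a DC and its clients can sit at different levels and the DC's setting is what decides which fallbacks it will still accept.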
ptwilliams
Moderator
United Kingdom
4401 Posts
Status: offline
Posted - 05/19/2006 : 2:47:45 PM
Native mode only affects what operating system can be a domain controller.
If you go to native mode (win2000) then you can only have windows 2000 (or above) domain controllers.
All NT 5.x systems use Kerberos by default. They'll use NTLM if they have to. Legacy clients only talk NTLM. All of this will continue to work in a 2003 functional level forest.
aval
Honorable But Hopeless Addict
USA
2089 Posts
Status: offline
Posted - 05/19/2006 : 3:08:34 PM
Many thanks to both of you. That does clarify matters. I was aware of that NTLM policy setting and it looks like I'll leave it just as it is.
Mark Minasi
Chief cook and bottle washer
USA
9547 Posts
Status: online
Posted - 05/20/2006 : 08:52:39 AM
That's a common misconception (Native Mode=Kerberos only). I've heard MICROSOFT people say it.
Mark tweetin' at mminasi
wkasdo
Moderator
Netherlands
6140 Posts
Status: offline
Posted - 05/20/2006 : 2:41:39 PM
> I've heard MICROSOFT people say it.
ex-Microsoft I hope :-/
Mark Minasi
Chief cook and bottle washer
USA
9547 Posts
Status: online
Posted - 05/22/2006 : 7:41:59 PM
Nope. Back about three years ago -- 2003, three years after AD's inception! -- a Microsoft "security expert" did a one-day seminar in Richmond about threats and countermeasures in AD. He made a specific point to say how bad NTLM and LM were, and that you're "not really secure until you're in native mode." I asked him if he meant that native mode meant Kerberos-only. He said yes. I told him that he was dead wrong. The rest of the day progressed slowly.<g>
Mark tweetin' at mminasi
joe_elway
Honorable But Hopeless Addict
Ireland
6673 Posts
Status: offline
Posted - 05/23/2006 : 03:09:44 AM
Kerberos will be used between clients and servers that agree within a forest as long as they are W2K, XP or W2003 (DS client machines?). NTLMv2, NTLM and LM are still available as fallback options between machines that cannot use Kerberos (an error within a domain, non-Kerberos machines, workgroups, server name used not matching account name, IP address of server being used, etc).
Aidan Finn MCSE, MVP (Virtual Machine: Systems Administration)
IT Blog: http://www.aidanfinn.com My Photography: http://www.aidanfinnphoto.com/ My Hyper-V Book: Mastering Hyper-V Deployment Twitter: http://twitter.com/joe_elway
Edited by - joe_elway on 05/23/2006 03:10:41 AM
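An added example, not from the thread or any of its posters, that tallies which successful logons negotiated Kerberos and which fell back to NTLM, per source workstation. This is the check to run before raising the authentication level policy, so that the fallback cases Aidan lists (legacy clients, workgroup machines, servers reached by IP address or by a name that does not match their account) are known rather than discovered when something stops authenticating. The messages below are constructed sample data shaped like Windows Security event 4624 (the older event 540 on the Windows 2000/2003 systems in the thread carries the same "Authentication Package" and "Workstation Name" labels); the function names, the regular expressions and the Get-WinEvent call in the comment are this example's own assumptions.

```powershell
# Added example, not from the thread. Summarises which logons used
# Kerberos and which fell back to NTLM, so the machines that still need
# NTLM can be identified before the LAN Manager authentication level is
# raised. Field labels are those of Security event 4624 (and of the older
# 540); the messages below are constructed sample data, not real logs.
# Live input would be something like:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
#       ForEach-Object Message

$SampleLogonMessages = @(
@"
An account was successfully logged on.
Logon Type:        3
New Logon:
    Account Name:      alice
    Account Domain:    CORP
Network Information:
    Workstation Name:  WS01
    Source Network Address: 10.0.0.21
Detailed Authentication Information:
    Logon Process:     Kerberos
    Authentication Package: Kerberos
"@,
@"
An account was successfully logged on.
Logon Type:        3
New Logon:
    Account Name:      bob
    Account Domain:    CORP
Network Information:
    Workstation Name:  NT4BOX
    Source Network Address: 10.0.0.77
Detailed Authentication Information:
    Logon Process:     NtLmSsp
    Authentication Package: NTLM
"@,
@"
An account was successfully logged on.
Logon Type:        3
New Logon:
    Account Name:      alice
    Account Domain:    CORP
Network Information:
    Workstation Name:  WS01
    Source Network Address: 10.0.0.21
Detailed Authentication Information:
    Logon Process:     NtLmSsp
    Authentication Package: NTLM
"@
)

function ConvertFrom-LogonMessage {
    # Pulls the fields we care about out of one event message; returns '-'
    # where a label is missing rather than failing on an unexpected format.
    param([string]$Message)
    $get = {
        param($Label)
        if ($Message -match "(?m)^\s*$([regex]::Escape($Label))\s*(\S+)") { $Matches[1] } else { '-' }
    }
    [pscustomobject]@{
        Account     = & $get 'Account Name:'
        Workstation = & $get 'Workstation Name:'
        Source      = & $get 'Source Network Address:'
        Package     = & $get 'Authentication Package:'
    }
}

function Get-LogonAuthSummary {
    # One row per (package, workstation, source) with the logon count;
    # any row whose Package is NTLM is a client that did not get Kerberos.
    param([string[]]$Messages)
    $Messages |
        ForEach-Object { ConvertFrom-LogonMessage $_ } |
        Group-Object Package, Workstation, Source |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Package     = $first.Package
                Workstation = $first.Workstation
                Source      = $first.Source
                Logons      = $_.Count
            }
        } |
        Sort-Object Package, Workstation
}

$summary = Get-LogonAuthSummary -Messages $SampleLogonMessages
$summary | Format-Table -AutoSize
# In the sample, WS01 appears under both packages: it can do Kerberos but
# fell back once, the pattern to expect when a server is reached by IP
# address or by a name not matching its account. NT4BOX appears only under
# NTLM, which is what a legacy-only client looks like.
```

A workstation that shows up only under NTLM is one that will break if the DC is moved to "Refuse LM & NTLM"; a workstation that shows up under both is worth checking for the name or IP-address usage Aidan describes, since that fallback is fixable on the client side without touching policy.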