Access Denied: Mixed Mode vs. Native Mode

Is it true that I must keep my Active Directory (AD) domain in mixed mode until I've migrated all my Windows NT and Windows 9x workstations to Windows 2000 because native mode switches the domain to Kerberos? When can I move to native mode, and what difference does the mode make?

Your AD domain mode has nothing to do with the Kerberos authentication protocol or with which OS your workstations run. Mixed mode lets you gradually upgrade your NT domain controllers (DCs) to Win2K one at a time. While the domain is in mixed mode, AD restricts a few group features (universal security groups and nesting of global groups) so that the PDC emulator can still replicate the domain to any remaining NT BDCs. When you've upgraded or decommissioned the last NT DC, you can change the domain to native mode. Native mode simply turns on the full group functionality (universal security groups and group nesting), but be aware that the change is one-way: you can't switch back to mixed mode later.

Authentication works the same way in mixed and native mode. Win2K uses Kerberos only when both of the following conditions hold:

  • if all computers (i.e., workstations, DCs, and possibly member servers) involved in the logon are running Win2K and are part of the same forest
  • if the user account logging on is an AD domain account (as opposed to a local account)

In all other cases, NT LAN Manager (NTLM) handles the authentication. Even if every computer is running Win2K, a logon that uses a local account, or that involves a computer outside the forest, falls back to NTLM. If you want to see which protocol a particular logon actually used, look at the Authentication Package field of the successful-logon events (528 and 540) in the Security log.
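As an added illustration (this is not code from the original column), the following Python script sorts successful-logon records exported from a Win2K Security log by their Authentication Package field, so that after a move to native mode you can see which workstations are still authenticating with NTLM. The event text is constructed for the example and follows the field layout of the Win2K 528/540 events; treating MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 as NTLM and Negotiate as undetermined are my assumptions, not statements from the column.

```python
import re
from collections import defaultdict

# Constructed sample records (not real log data) laid out like the Windows 2000
# successful-logon events: 540 = network logon, 528 = interactive logon.
SAMPLE_EVENTS = [
    """Event ID: 540
Successful Network Logon:
    User Name: jsmith
    Domain: CORP
    Logon ID: (0x0,0x3E7A1)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: WS2K-01""",
    """Event ID: 540
Successful Network Logon:
    User Name: bjones
    Domain: CORP
    Logon ID: (0x0,0x3F102)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: NT4-07""",
    """Event ID: 540
Successful Network Logon:
    User Name: backup
    Domain: FILESRV
    Logon ID: (0x0,0x40B33)
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: FILESRV""",
    """Event ID: 528
Successful Logon:
    User Name: amartin
    Domain: CORP
    Logon ID: (0x0,0x41C09)
    Logon Type: 2
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: WS2K-02""",
]

# One "Field: value" pair per line; the leading whitespace varies by export tool.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", re.MULTILINE)

# Assumption: the NTLM package can show up under either of these names.
KERBEROS_PACKAGES = {"kerberos"}
NTLM_PACKAGES = {"ntlm", "microsoft_authentication_package_v1_0"}


def parse_event(text):
    """Return the 'Field: value' pairs of one event record as a dict."""
    return {key.strip(): value for key, value in FIELD_RE.findall(text)}


def classify_event(text):
    """Map one logon record to the protocol named in its Authentication Package."""
    fields = parse_event(text)
    package = fields.get("Authentication Package", "").lower()
    if package in KERBEROS_PACKAGES:
        protocol = "Kerberos"
    elif package in NTLM_PACKAGES:
        protocol = "NTLM"
    elif package == "negotiate":
        # SSPI picked the protocol; the workstation-side event does not say which.
        protocol = "Negotiate"
    else:
        protocol = "Unknown"
    return {
        "event_id": fields.get("Event ID"),
        "user": fields.get("User Name"),
        "domain": fields.get("Domain"),
        "workstation": fields.get("Workstation Name"),
        "protocol": protocol,
    }


def summarize(events):
    """Group the workstations seen in the records by authentication protocol."""
    by_protocol = defaultdict(set)
    for text in events:
        record = classify_event(text)
        by_protocol[record["protocol"]].add(record["workstation"] or "?")
    return {protocol: sorted(hosts) for protocol, hosts in by_protocol.items()}


if __name__ == "__main__":
    for protocol, hosts in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{protocol:10} {', '.join(hosts)}")
```

In the constructed sample, the NT 4.0 workstation and the local-account logon on the file server both show up under NTLM, as the column predicts, while the interactive logon only tells you that Negotiate was used; to learn which protocol Negotiate chose for that one, you would correlate it with the Kerberos ticket events on the DC.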
