We are deploying an application which uses AzMan, with the store in AD, and
have just discovered that it won't work with the production DC which is
Windows 2000 in "mixed" mode.

For AzMan to work it has to be a Windows 2003 "native" mode which is not
possible as there are Unix machines in the domain.

We need to preserve the Windows authentication capabilities in AzMan,
against users and groups in the existing (Windows 2000 mixed) domain.

Would a separate Win2003 domain with trust relationship to the primary
domain be a solution? If so would users need to be replicated to the Win2003
DC?
Can anyone suggest other alternatives?

Re: AzMan with 2000 mixed DC by Roger

Roger
Fri Apr 29 21:07:48 CDT 2005

First, I do not know.
Second, I am guessing that would not work.

One of the reasons W2k3 domain and forest functional levels
are required is to enable use of Kerberos constrained delegation.
From what I am hearing, you would have the AzMan app over in
a different forest, and while identities flowing in over the trust
from the now existing forest could be used in the web app, I am
thinking there would be issues when you went to flow the credentials
the roles have mapped to back over the trust.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"richlm" <richlm@nospam.nospam> wrote in message
news:e0w$S7%23SFHA.2996@TK2MSFTNGP15.phx.gbl...
> We are deploying an application which uses AzMan, with the store in AD, and
> have just discovered that it won't work with the production DC which is
> Windows 2000 in "mixed" mode.
>
> For AzMan to work it has to be a Windows 2003 "native" mode which is not
> possible as there are Unix machines in the domain.
>
> We need to preserve the windows authentication capabilities in AzMan,
> against users and groups in the existing (windows 2000 mixed) domain.
>
> Would a separate Win2003 domain with trust relationship to the primary
> domain be a solution? If so would users need to be replicated to the Win2003
> DC?
> Can anyone suggest other alternatives?



Re: AzMan with 2000 mixed DC by richlm

richlm
Tue May 03 06:45:13 CDT 2005

Thanks for your input Roger.

Can you explain/rephrase what you mean by the last sentence:
"I am thinking there would be issues when you went to flow the credentials
the roles have mapped to back over the trust".

thanks
Richard.



RE: AzMan with 2000 mixed DC by Reza

Reza
Fri May 06 15:17:13 CDT 2005

Hi

The new Win2003 should trust your 2000 DC. Put your AzMan on it and add
users from Win2000 to its roles. No need to copy the DC to it. I think it should
work but I have not tested it.

Regards.
Reza.


"richlm" wrote:

> We are deploying an application which uses AzMan, with the store in AD, and
> have just discovered that it won't work with the production DC which is
> Windows 2000 in "mixed" mode.
>
> For AzMan to work it has to be a Windows 2003 "native" mode which is not
> possible as there are Unix machines in the domain.
>
> We need to preserve the windows authentication capabilities in AzMan,
> against users and groups in the existing (windows 2000 mixed) domain.
>
> Would a separate Win2003 domain with trust relationship to the primary
> domain be a solution? If so would users need to be replicated to the Win2003
> DC?
> Can anyone suggest other alternatives?
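An added example of what Reza's layout means in practice (this is not code from the thread, from Reza, or from Microsoft): an AzMan store hosted in the new Win2003 domain, a role populated with an account from the trusted Win2000 domain, and both the stored membership and a runtime access check verified. It assumes the AzRoles COM API as shipped with the Windows Server 2003 SP1 version of AzMan; the store URL, application name, role name, operation ID and account are placeholders.

```powershell
# Added example, not from the thread. Assumes the AzRoles COM API
# (Windows Server 2003 SP1 AzMan). All names below are placeholders.

$storeUrl  = "msldap://CN=AppStore,CN=Program Data,DC=new2003,DC=example,DC=local"  # placeholder AD store
$appName   = "PayrollApp"      # placeholder AzMan application
$roleName  = "Approver"        # placeholder role
$account   = "OLDDOM\jsmith"   # placeholder account in the trusted Windows 2000 domain
$operation = 1                 # placeholder operation ID defined in the store

# Open the existing store (flag 0 = open, not create) and the application/role.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storeUrl, $null)
$app   = $store.OpenApplication($appName, $null)
$role  = $app.OpenRole($roleName, $null)

# Add the trusted-domain account by name. AzMan resolves and stores the SID,
# so a broken or one-way trust surfaces here as a name-resolution failure.
$role.AddMemberName($account, $null)
$role.Submit(0, $null)

# Confirm what was persisted: Members holds SIDs, MembersName the resolved names.
"Stored members (SIDs):  " + ($role.Members -join ", ")
"Stored members (names): " + ($role.MembersName -join ", ")

# Runtime check as the application would perform it: build a client context for
# the trusted-domain user and evaluate the operation at application scope
# (empty scope name). A result of 0 means the operation is allowed.
$ctx     = $app.InitializeClientContextFromName("jsmith", "OLDDOM", $null)
$results = $ctx.AccessCheck("audit-object-name", @(""), @($operation), $null, $null, $null, $null, $null)
if ($results[0] -eq 0) {
    "Access allowed for $account"
} else {
    "Access denied for $account (result code $($results[0]))"
}
```

One design point for this cross-domain layout: InitializeClientContextFromName builds the context through an S4U logon on the AzMan host, which is the Kerberos-side dependency Roger's reply points at and is the piece most likely to misbehave when the user's account lives in a Windows 2000 domain. When the application already holds the authenticated user's token (for example IIS with integrated authentication), InitializeClientContextFromToken avoids that dependency entirely, so it is the safer call to test first in this setup.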