KNOW THE DIFFERENCE BETWEEN MIXED AND NATIVE MODES
The only distinction between a mixed-mode and a native-mode Windows 2000 network is that the native mode has no NT domain controllers (DCs). That's the simple explanation. But the truth is that there's a world of difference when it comes to file- and directory-level permissions and the ports and protocols that transport your client and server intradomain traffic.
Locking down your network's perimeter is essential to providing that first barrier of defense from the rest of the world. Using the Defense In Depth model, it's essential that you allow only necessary traffic and deny everything else. Therefore, before you completely upgrade your domain, you should know--from a port security perspective--the differences between each mode.
By default, the initial Win2K DC acts as a primary DC (PDC) emulator. You can only have one of these in your domain; however, as you install additional Win2K servers and your network topology grows, you can transfer this role to another Win2K server.
The PDC emulator handles most of the essential domain tasks. It provides NT LAN Manager (NTLM) authentication for NT clients, acts as the master browser for NT clients, supports Active Directory (AD) replication to Win2K DCs and NTLM replication to backup DCs (BDCs), acts as a PDC to replicate account information to all BDCs, and manages all account and password modifications. These functions require specific ports to be open across your domain for client-to-server and server-to-server authentication and communication.
In mixed mode, you'll need to keep the following ports and protocols open between all NT and Win2K servers for communication.
Of course, these ports and protocols must be opened in addition to the ports and protocols necessary for communication between Win2K servers--which leads us to native-mode domains.
Native mode doesn't allow NT domain controllers, but you can have NT member servers and clients. Intradomain communication for native-mode Win2K domains uses the following ports and protocols.
If your native-mode domain contains NT clients and servers, you'll have a harder time securing interdomain communications. You'll have to allow both the mixed and the native ports through your different layers of defense.
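The "allow only what's necessary and deny everything else" rule is easy to state and easy to get wrong once a domain is mid-upgrade. The following Python script is an added example, not code from the article, that audits a firewall allow-list against the ports a domain needs in mixed mode, native mode, or native mode with NT members still present. The port numbers in it are assumed well-known Windows defaults (Kerberos, LDAP/CLDAP, SMB, RPC endpoint mapper, NetBIOS, DNS), not the article's own port tables, and the allow-list text is a constructed sample; substitute your real rule export and the lists you have verified for your domain.

```python
"""Audit a firewall allow-list against the intradomain ports a Win2K domain needs.

Added example. The port sets below are assumed well-known Windows defaults,
not the article's tables; adjust them to what you have verified in your domain.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int


# Assumed defaults: NT-era (NTLM/NetBIOS) traffic that mixed mode needs between
# NT and Win2K servers, and that a native-mode domain with NT members still needs.
NTLM_LEGACY = {
    Rule("udp", 137),   # NetBIOS name service
    Rule("udp", 138),   # NetBIOS datagram (browser announcements)
    Rule("tcp", 139),   # NetBIOS session (SMB over NetBIOS)
    Rule("tcp", 135),   # RPC endpoint mapper (NetLogon, account replication)
}

# Assumed defaults: Win2K-to-Win2K traffic that every mode needs between DCs.
WIN2K_NATIVE = {
    Rule("tcp", 88), Rule("udp", 88),     # Kerberos
    Rule("tcp", 389), Rule("udp", 389),   # LDAP and CLDAP (DC locator)
    Rule("tcp", 445),                     # SMB directly over TCP
    Rule("tcp", 135),                     # RPC endpoint mapper (AD replication)
    Rule("tcp", 53), Rule("udp", 53),     # DNS (AD service location)
}


def required_ports(mode, has_nt_members=False):
    """Return the set of rules a domain in the given mode must allow."""
    if mode == "mixed":
        # NT DCs are present, so both the legacy and the Win2K sets apply.
        return NTLM_LEGACY | WIN2K_NATIVE
    if mode == "native":
        # No NT DCs, but NT member servers/clients drag the legacy set back in.
        return WIN2K_NATIVE | (NTLM_LEGACY if has_nt_members else set())
    raise ValueError(f"unknown domain mode: {mode!r}")


def parse_allow_list(text):
    """Parse lines of the form 'allow <tcp|udp> <port>'; '#' starts a comment."""
    allowed = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "allow" or parts[1] not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        port = int(parts[2])
        if not 0 < port < 65536:
            raise ValueError(f"line {lineno}: port out of range in {raw!r}")
        allowed.add(Rule(parts[1], port))
    return allowed


def audit(allowed, required):
    """Return (missing, excess): required rules not allowed, and allowed rules
    that nothing in the required set justifies (candidates for 'deny')."""
    missing = sorted(required - allowed)
    excess = sorted(allowed - required)
    return missing, excess


# Constructed sample: a rule set written for a pair of native-mode Win2K DCs.
SAMPLE_ALLOW_LIST = """\
# constructed sample, not a real rule export
allow tcp 88
allow udp 88
allow tcp 389
allow tcp 445
allow tcp 135
allow tcp 139   # left over from the NT days
allow tcp 53
allow udp 53
"""

if __name__ == "__main__":
    allowed = parse_allow_list(SAMPLE_ALLOW_LIST)
    for mode, nt in (("native", False), ("native", True), ("mixed", False)):
        missing, excess = audit(allowed, required_ports(mode, nt))
        label = f"{mode}{' + NT members' if nt else ''}"
        print(f"{label:20} missing={[(r.proto, r.port) for r in missing]} "
              f"excess={[(r.proto, r.port) for r in excess]}")
```

Run against the sample, the native-mode audit reports UDP 389 (CLDAP) as missing and TCP 139 as an allow rule nothing justifies once the NT DCs are gone; the same rule set audited as mixed mode, or as native mode with NT members, instead reports the NetBIOS UDP ports as missing and no longer flags 139. That is exactly the point of the preceding paragraphs: the allow-list has to track the mode and the NT population, and a rule that was necessary last quarter is excess traffic today.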
PROS AND CONS
The advantages of upgrading your domain to native mode far outweigh those of operating it in mixed mode. While mixed mode allows for continued legacy support, native mode allows for secure intradomain authentication. In addition, native mode allows two-way transitive trusts between domains, and there isn't a Security Accounts Manager (SAM) limitation on the number of users or objects you can have in your site or domain.
Native mode also adds two new group scopes to the security model: universal groups and domain local groups. Adding and using these groups throughout your domain and site significantly enhances your ability to control user access to objects (files, directories, printers, etc.). For instance, with universal groups, you can impose site-wide security standards across multiple domains, thereby allowing users to access a printer or file through transitive trusts, rather than having to establish multiple two-way trusts between each pair of domains.
If you're still on the fence about whether to change your domain to native mode, I recommend moving forward with the upgrade. The security benefits far outweigh the value of the legacy support you give up.
After all, if you suddenly discover that you can't live without an NT BDC server, you can always add a new Win2K domain to your site (which will install in mixed mode by default), and populate that domain with your ancient NT servers.