KNOW THE DIFFERENCE BETWEEN MIXED AND NATIVE MODES

The only distinction between a mixed-mode and a native-mode Windows 2000 network is that the native mode has no NT domain controllers (DCs). That's the simple explanation. But the truth is that there's a world of difference when it comes to file- and directory-level permissions and the ports and protocols that transport your client and server intradomain traffic.

Locking down your network's perimeter is essential to providing that first barrier of defense from the rest of the world. Using the Defense In Depth model, it's essential that you allow only necessary traffic and deny everything else. Therefore, before you completely upgrade your domain, you should know--from a port security perspective--the differences between each mode.

MIXED MODE

By default, the initial Win2K DC acts as a primary DC (PDC) emulator. You can only have one of these in your domain; however, as you install additional Win2K servers and your network topology grows, you can transfer this role to another Win2K server.

The PDC emulator handles most of the essential domain tasks. It provides NT LAN Manager (NTLM) authentication for NT clients, acts as the master browser for NT clients, supports Active Directory (AD) replication to Win2K DCs and NTLM replication to backup DCs (BDCs), acts as a PDC to replicate account information to all BDCs, and manages all account and password modifications. These functions require specific ports through and across your domain for client-to-server and server-to-server authentication and communication.

In mixed mode, you'll need to keep the following ports and protocols open between all NT and Win2K servers for communication.

PORTS                     FUNCTION
UDP: 53                   DNS Resolution
UDP: 67, 68               DHCP Lease
UDP: 137, 138             Browsing
UDP: 137, 138/TCP: 139    Logon Sequence
UDP: 137, 138/TCP: 139    Pass-Through Validation
UDP: 137, 138/TCP: 139    Printing
UDP: 137, 138/TCP: 139    Trusts
UDP: 137, 138/TCP: 139    WinNT Secure Channel
UDP: 138/TCP: 139         Directory Replication
UDP: 138                  NetLogon
TCP: 42                   WINS Replication
TCP: 135                  DHCP Manager, DNS Administration, WINS Manager
TCP: 137                  WINS Registration
TCP: 139                  Event Viewer, File Sharing, Performance Monitor,
                          Registry Editor, Server Manager, User Manager,
                          WinNT Diagnostics

Of course, these ports and protocols must be opened in addition to the ports and protocols necessary for communication between Win2K servers--which leads us to native-mode domains.

NATIVE MODE

Native mode doesn't allow NT domain controllers, but you can have NT member servers and clients. Intradomain communication for native-mode Win2K domains uses the following ports and protocols.

PORTS                FUNCTION
UDP 88               Kerberos
UDP/TCP 389          LDAP
UDP/TCP 500          ISAKMP/Oakley negotiation traffic (IPSec)
UDP/TCP 636          LDAP (over TLS/SSL)
UDP/TCP 750, 751     Kerberos Authentication
UDP 752              Kerberos Password Server
UDP 753              Kerberos User Registration Server
TCP 53               DNS
TCP 522              User Location Store
TCP 754              Kerberos Slave Propagation
TCP 888              Logon and Environment Passing
TCP Dynamic          Directory Replication
TCP 2053             Kerberos de-multiplexor (Kerberos V4)
TCP 2105             Kerberos encrypted login
TCP 3268             Global Catalog
TCP 3269             Global Catalog

If your native-mode domain contains NT clients and servers, you'll have a harder time securing interdomain communications. You'll have to allow both the mixed and the native ports through your different layers of defense.
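As an added example (not part of the original article), the following Python script encodes the two port tables above and audits a firewall allow-list against what a given domain mode requires, reporting rules that are missing and rules that could be denied once the domain is native. The table contents are taken as transcribed here, the sample allow-list is constructed, and the dynamic replication port is noted rather than modelled.

```python
"""Audit a perimeter allow-list against the intradomain ports a
mixed-mode or native-mode Windows 2000 domain needs (per the tables
in the article). Rules are (protocol, port) pairs."""
from typing import FrozenSet, Iterable, Tuple

Rule = Tuple[str, int]  # e.g. ("udp", 137)

# Native-mode table: Kerberos, LDAP, IPSec negotiation, Global Catalog.
NATIVE: FrozenSet[Rule] = frozenset({
    ("udp", 88), ("udp", 389), ("tcp", 389), ("udp", 500), ("tcp", 500),
    ("udp", 636), ("tcp", 636), ("udp", 750), ("tcp", 750),
    ("udp", 751), ("tcp", 751), ("udp", 752), ("udp", 753),
    ("tcp", 53), ("tcp", 522), ("tcp", 754), ("tcp", 888),
    ("tcp", 2053), ("tcp", 2105), ("tcp", 3268), ("tcp", 3269),
})
# Mixed-mode (NT/NetBIOS) table: needed on top of NATIVE while NT DCs exist.
LEGACY: FrozenSet[Rule] = frozenset({
    ("udp", 53), ("udp", 67), ("udp", 68), ("udp", 137), ("udp", 138),
    ("tcp", 139), ("tcp", 42), ("tcp", 135), ("tcp", 137),
})
# Directory replication also uses a dynamic TCP port; it has no fixed
# number in the table, so it is not expressed as a rule here.


def required(mode: str) -> FrozenSet[Rule]:
    """Ports to allow for the mode; mixed mode needs both tables."""
    if mode == "native":
        return NATIVE
    if mode == "mixed":
        return NATIVE | LEGACY
    raise ValueError(f"unknown domain mode: {mode}")


def audit(mode: str, allowed: Iterable[Rule]):
    """Return (missing, superfluous): rules the mode still needs but the
    allow-list lacks, and allowed rules the mode no longer needs."""
    need = required(mode)
    have = frozenset((proto.lower(), port) for proto, port in allowed)
    return need - have, have - need


# Constructed sample: a firewall configured for mixed mode that
# forgot the second Global Catalog port.
SAMPLE_ALLOW = sorted((NATIVE | LEGACY) - {("tcp", 3269)})

if __name__ == "__main__":
    for mode in ("mixed", "native"):
        missing, extra = audit(mode, SAMPLE_ALLOW)
        print(mode, "missing:", sorted(missing), "can deny:", sorted(extra))
```

Running it after an upgrade to native mode lists the NetBIOS rules (UDP 137/138, TCP 139, and the rest of the legacy table) as candidates to deny, and TCP 3269 as still missing in either mode.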

PROS AND CONS

The advantages of upgrading your domain to native mode far outweigh those of operating it in mixed mode. While mixed mode allows for continued legacy support, native mode allows for secure intradomain authentication. In addition, native mode allows two-way transitive trusts between domains, and there isn't a Security Accounts Manager (SAM) limitation on the number of users or objects you can have in your site or domain.

Native mode also adds two new user groups to the security module: universal and domain local groups. Adding and using these groups throughout your domain and site significantly enhances your ability to control user access to objects (files, directories, printers, etc.). For instance, with universal groups, you can impose site-wide security standards across multiple domains, thereby allowing users to access a printer or file through transitive trusts, rather than having to establish multiple two-way trusts between each domain.

If you're still on the fence about whether to change your domain to native mode, I recommend moving forward with the upgrade. The security benefits far outweigh the legacy support.

After all, if you suddenly discover that you can't live without an NT BDC server, you can always add a new Win2K domain to your site (which will install in mixed mode by default), and populate that domain with your ancient NT servers.