Connecting to domain controllers running Windows 2000

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Connecting to domain controllers running Windows 2000

When you need to connect to a domain controller running Windows 2000 from a domain controller running Windows Server 2003, a number of Active Directory administrative tools are available, such as Active Directory Domains and Trusts.

The following Windows Server 2003 Active Directory administrative tools will sign and encrypt all LDAP traffic by default:

• Active Directory Users and Computers

• Active Directory Sites and Services

• Active Directory Domains and Trusts

• Active Directory Schema

• ADSI Edit

• Dsrm.exe

• Dsmove.exe

• Dsadd.exe

• Dsmod.exe

• Dsget.exe

• Dsquery.exe

Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. The Active Directory administrative tools in Windows 2000 do not sign and encrypt all LDAP traffic by default. In order to maintain a secure network, it is strongly recommended that you upgrade all domain controllers running Windows 2000 to Service Pack 3 or later.

You can use the corresponding Active Directory administrative tools in Windows 2000 to manage Windows 2000 domain controllers that do not have the Windows 2000 Server Service Pack 3 or later installed. However, traffic is not signed and encrypted by LDAP on domain controllers running Windows 2000.

Although it is not recommended, you can disable encrypted and signed LDAP traffic used with Active Directory administrative tools on a server running Windows Server 2003 or on a computer running Windows XP Professional that has the Windows Server 2003 Administration Tools Pack installed. For more information, see Disable signed or encrypted LDAP traffic.