Windows 2000 Native-Mode Domains

Windows 2000 native mode provides the most flexibility in managing remote access through groups. From the remote access management perspective, the following benefits are available in the native mode domain:

  • Full ability to manage remote access permissions through groups. An administrator can use the universal group feature to create a single policy for users in different domains. Nested groups can be used to organize extremely large numbers of users into smaller groups for better management.

  • The ability to connect a remote network to the office network. You can specify routes for the remote network through Static Routes.

  • Support for User Principal Names (UPNs).

  • End users can have the same UPN regardless of which domain they belong to. This indirection provides the scalability that might be required in organizations that have a large number of domains.

The following is a detailed list of authentication and remote management features available for an IAS server that is a member of a Windows 2000 native domain.

  • Dial-in User Account Properties

    • All Remote Access Permissions, including Allow access, Deny access, and Control access through Remote Access Policy

    • Caller-ID

    • Callback Options

    • Static IP Address

    • Static Routes

  • Support for UPNs and Universal Groups

  • Support for EAP-TLS

In order for the IAS server to access user account dial-in properties stored in Active Directory, IAS must run in the security context of a computer account that is a member of the RAS and IAS Servers security group. This assignment can be implemented through the Active Directory Users and Computers snap-in or by registering the IAS server in the Internet Authentication Service snap-in. You can also use the netsh ras add registeredserver command.
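Because membership in the RAS and IAS Servers group is what lets a computer account read users' dial-in properties, it is worth checking that the group holds only the servers you intended to register. The following audit is an added example, not part of the original page: it assumes the ActiveDirectory PowerShell module (which postdates Windows 2000), and the function names and server names are hypothetical.

```powershell
# Added example (not from the original page). Compares the membership of the
# "RAS and IAS Servers" group with the servers that are supposed to be
# registered. Function names and all server names are hypothetical.

function Compare-IasRegistration {
    param(
        [string[]]$GroupMembers,     # sAMAccountNames found in the group
        [string[]]$ExpectedServers   # computer accounts that should be registered
    )
    # Computer sAMAccountNames end in '$'; normalise before comparing.
    $members  = @($GroupMembers    | ForEach-Object { $_.TrimEnd('$').ToUpperInvariant() })
    $expected = @($ExpectedServers | ForEach-Object { $_.TrimEnd('$').ToUpperInvariant() })

    [pscustomobject]@{
        # In the group but not on the list: can read dial-in properties
        # without being a known IAS server. Review and remove.
        Unexpected = @($members  | Where-Object { $_ -notin $expected })
        # On the list but not in the group: IAS on this server cannot read
        # dial-in properties until it is registered.
        Missing    = @($expected | Where-Object { $_ -notin $members })
    }
}

function Get-IasGroupMember {
    # Live query; needs the ActiveDirectory module and a domain connection.
    param([string]$Domain)
    Import-Module ActiveDirectory
    (Get-ADGroupMember -Identity 'RAS and IAS Servers' -Server $Domain).SamAccountName
}

# Constructed sample data so the comparison can be run offline.
$sampleMembers   = 'IAS01$', 'RRAS02$', 'OLDVPN$'
$expectedServers = 'IAS01', 'IAS02'

$result = Compare-IasRegistration -GroupMembers $sampleMembers -ExpectedServers $expectedServers
"Unexpected members : $($result.Unexpected -join ', ')"
"Not yet registered : $($result.Missing -join ', ')"

# Against a real domain (domain name is a placeholder):
# $live = Get-IasGroupMember -Domain 'example.local'
# Compare-IasRegistration -GroupMembers $live -ExpectedServers $expectedServers
```

A server reported as not yet registered can be added with any of the three methods above, including netsh ras add registeredserver.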