When you need to connect to a domain controller running Windows 2000 from a domain controller running Windows Server 2003, a number of Active Directory administrative tools are available, such as Active Directory Domains and Trusts.
The following Windows Server 2003 Active Directory administrative tools will sign and encrypt all LDAP traffic by default:
Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. The Active Directory administrative tools in Windows 2000 do not sign and encrypt all LDAP traffic by default. To maintain a secure network, it is strongly recommended that you upgrade all domain controllers running Windows 2000 to Service Pack 3 or later.
You can use the corresponding Active Directory administrative tools in Windows 2000 to manage Windows 2000 domain controllers that do not have Windows 2000 Server Service Pack 3 or later installed. However, LDAP traffic is not signed and encrypted on domain controllers running Windows 2000.
Although it is not recommended, you can disable encrypted and signed LDAP traffic used with Active Directory administrative tools on a server running Windows Server 2003 or on a computer running