RIS 2003 won't work with NTLMv2!!


Research Services

Why won't RIS 2003 work with NTLMv2 on Domain Controllers?

We are a Child Domain within an Active Directory Forest, we've got 1 Windows
2003 DC, and 2 Windows 2000 SP4 DCs in our Child Domain. All DCs are
Critical and Suggested Patched.

RIS is running on Windows 2003.

RIS works fine as long as this is the NTLM setting on our DCs:

Network security: LAN Manager authentication level
- Send NTLMv2 response only\refuse LM

Unless we are interpreting the article linked below wrong, why won't RIS
work with the following NTLM setting on our DCs:

Network security: LAN Manager authentication level
- Send NTLMv2 response only\refuse LM & NTLM

RIS Security Log throws hundreds of 529 Errors as the RIS client sits
indefinitely at the "Setup is starting Windows" screen.

http://www.microsoft.com/resources/...roddocs/en-us/sag_RIS_NTLM_NTLMv2_choices.asp

Microsoft KB Articles 285901 & 327536 appear to apply only to Windows 2000
SP3 and earlier.

If this is an issue with RIS 2003, will it be corrected in W2K3 SP1 (so that
RIS 2003 will work at NTLMv2)? Is there a PSS Patch available until then?

Thank you for any input or help.
 
Hi, you have a good question here.

When I look at the chart you provided, and after looking at the KB article,
it appears to me that the NTLM2 will work with RIS if:

DCs are W2003 or W2kSP4.
RIS server is 2003
Client OS is XPSP1 or greater.

I also found one additional bit of information, be sure to verify:
Important If your computer is in a child domain with a parent domain above
it, and the parent domain has not been updated, the Q327536 fix does not
work in the child domain.

Have you tried making a new, slipstreamed image of XP with SP2 and creating
a RIS image on the server? Don't slipstream an existing image, make a new
one. I'd be curious if that works. I don't have access to a lab with the
right mix of DCs to test it until this weekend.

--
Scott Baldridge
Windows Server MVP, MCSE


"Research Services"
 
Yes, we can create new images (riprep) without a problem up to the RIS 2003
Server with NTLMv2 set on our Child DCs.
We verified that the DCs in the root of the Forest above us are all Windows
2000 SP4 or Windows 2003.
However, the root DCs are NOT set to: Send NTLMv2 response only\refuse LM &
NTLM

Minutes after I make the change to the GPO for our Child DCs to: Send NTLMv2
response only\refuse LM
RIS 2003 works just fine.

Thanks for your help.
 
Thanks for your update!

--
Scott Baldridge
Windows Server MVP, MCSE


"Research Services"
 
So I'm wondering if someone at Microsoft (RIS Group?) is going to take a
look at this and find a fix? With all of the concern about Security lately,
it only seems that more people are going to run into this problem.
 
Hi,

If you can give me a complete summary of your environment, I would be happy
to forward the information to the RIS/Deploy group for you.

I need to know:

OS and service pack levels of all DCs and RIS servers.
RIS server also a DC or a DHCP server?
Your findings with the root & child NTLM settings.
Forest and domain functional levels (2000 native, etc...)

If you prefer to email me the results, please do so:
(e-mail address removed) (remove nospam).

--
Scott Baldridge
Windows Server MVP, MCSE


"Research Services"
 
The additional information you requested is below:

Windows 2003 DC / DHCP / GC / RID & PDC FSMOs
Windows 2000 SP4 DC / Infrastructure FSMO
Windows 2000 SP4 DC

Windows 2003 RIS ("authorized" as DHCP) (Member Server)

Forest Functional Level: Windows 2000
Domain Functional Level: Windows 2000 native

This documentation appears incorrect:
http://www.microsoft.com/resources/...roddocs/en-us/sag_RIS_NTLM_NTLMv2_choices.asp

We have configured every box in our Child Domain to: 'Send NTLMv2 response
only\refuse LM & NTLM' and the RIS process hangs at the 'Setup is starting
Windows' screen (as mentioned below).

However, if we change the DCs to: 'Send NTLMv2 response only\refuse LM' then
everything works as expected.

All boxes in our Child Domain are up-to-date with patches and Windows
Updates.

NTLM settings on the DCs at the Forest Root are: 'Send LM & NTLM responses'

Thank you for your time!

Jon Peterson
(e-mail address removed)
 
If I get a reply I'll post it here and to your email.

Cheers,

--
Scott Baldridge
Windows Server MVP, MCSE


"Research Services"
 
Thank you!

NIC Student said:
If I get a reply I'll post it here and to your email.

Cheers,

--
Scott Baldridge
Windows Server MVP, MCSE


"Research Services"
 
Jon,

Can you apply the hotfix in this article to your 2003 servers:

Cannot Join Windows Server 2003 Active Directory Domain When You Run Setup
Unattended
http://support.microsoft.com/default.aspx?scid=kb;en-us;830880

If that hotfix does not work after applying to your child domain 2003
servers, then also apply to parent domain 2003 servers.

I understand that RIS fails for all images, even the CD-based ones when
'Send NTLMv2 response only\refuse LM & NTLM' is enabled. Please confirm
this.
 
Okay, I have applied KB 830880 to our 2003 DC and RIS 2003 boxes. I did NOT
apply KB 827181 to our 2000 DCs since this would backdate/downgrade the
files that are already there.

So with NTLMv2 only, RIS fails and hangs at the 'Setup is starting Windows'
screen. And the error below is logged on the RIS 2003 server many times:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/28/2005
Time: 9:00:09 AM
User: NT AUTHORITY\SYSTEM
Computer: DEERVALLEY
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: support
Domain: Research.ColoState.EDU
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\129.82.172.196
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 129.82.172.196
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I tried one of our created images AND the flat base Windows XP Professional
from CD, same problem.
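The 529 event quoted above is the only evidence the RIS server gives while the client hangs. As an added example (not code from the thread, from Microsoft or from the posters), here is a small parser for that text form plus the check a defender would run over an exported security log: count event 529 network logons (Logon Type 3) that failed inside NtLmSsp per source address and list the accounts tried, so a single PXE client looping on one account stands out from ordinary bad-password noise. The sample events are constructed; the host name, domain and 192.0.2.x addresses are placeholders, and the template only follows the field layout shown in the post.

```python
"""Parse the text form of Windows Security 'Failure Audit' events and flag
sources producing bursts of event 529 network logon failures via NtLmSsp.
Added example; the sample events below are constructed placeholders."""
import re
from collections import Counter, defaultdict

# Constructed template modelled on the field layout of the 529 event quoted
# in the thread. Computer, domain and addresses are placeholders.
EVENT_TEMPLATE = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/28/2005
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: RISSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Domain: CHILD.EXAMPLE.EDU
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\\\{addr}
Caller User Name: -
Source Network Address: {addr}
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""

# Constructed sample log: two failures from one PXE client, one from elsewhere.
SAMPLE_LOG = "\n".join([
    EVENT_TEMPLATE.format(time="9:00:09 AM", user="support", addr="192.0.2.10"),
    EVENT_TEMPLATE.format(time="9:00:11 AM", user="support", addr="192.0.2.10"),
    EVENT_TEMPLATE.format(time="9:05:00 AM", user="jdoe", addr="192.0.2.77"),
])


def parse_events(text):
    """Return one dict per event. Events are separated by blank lines; only
    'Key: Value' lines are kept, so headings such as 'Description:' and the
    trailing help-centre text (no ': ' separator) are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def ntlm_logon_failure_bursts(events, threshold=2):
    """Group event 529 network logons (Logon Type 3) that failed inside
    NtLmSsp by source address; return sources at or above the threshold with
    the accounts tried. A stalled RIS client appears as one address repeating
    the same account over and over."""
    counts = Counter()
    accounts = defaultdict(set)
    for ev in events:
        if (ev.get("Event ID") == "529"
                and ev.get("Logon Type") == "3"
                and ev.get("Logon Process") == "NtLmSsp"):
            src = ev.get("Source Network Address", "?")
            counts[src] += 1
            accounts[src].add(f"{ev.get('Domain', '')}\\{ev.get('User Name', '')}")
    return [
        {"source": src, "count": n, "accounts": sorted(accounts[src])}
        for src, n in sorted(counts.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for hit in ntlm_logon_failure_bursts(parse_events(SAMPLE_LOG)):
        print(f"{hit['source']}: {hit['count']} x 529 via NtLmSsp "
              f"for {', '.join(hit['accounts'])}")
```

Two things worth keeping in mind when reading the output: "Authentication Package: NTLM" is the name of the security package and is logged for both NTLM and NTLMv2 responses, so the event alone does not say which response the client sent; what decided acceptance here is the LAN Manager authentication level on the DCs, and the two settings discussed in the thread ('Send NTLMv2 response only\refuse LM' and '...\refuse LM & NTLM') correspond to LmCompatibilityLevel 4 and 5 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.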
 
Jon,

Another thought:

*After* setting the NTLMv2-only requirement on DCs and the RIS box,
change the password for your domain admin that you use for RIS so it
is changed from a NTLM hash to NTLMv2 hash. Test RIS.

Some more questions:

1. The REMINST share has f/c for the child domain admin.
2. Your RIS adds the machine account to the child domain before failing?
3. Does your RIS work with NTLMv2 if you try to add a machine to the parent
domain?
4. Have you tried a few different models of client hardware? (Different
nics preferably).
5. With NTLMv2 turned on, can a functional WinXP/SP2 workstation join the
child domain with the child domain admin credentials?

Cheers,
 
Correct, our RIS 2003 Server is a Member Server in our Child Domain.
Permissions on the REMINST Share on the RIS 2003 Server are Domain Admins:
Full Control.
When logging onto the 2003 RIS Server from a client machine booting from the
network card to load an RIS image, we use a Domain Admin account.

1. The REMINST share has f/c for the child domain admin.
- YES.

2. Your RIS adds the machine account to the child domain before
failing?
- I BELIEVE SO. When you boot off the network card, DHCP hands out the IP
Address, then you provide credentials (Domain Admin) to see the list of
available images, choose the image, it loads some base drivers, then gets to
the screen where it is about to copy the files down to the client but hangs
at the 'Setup is starting Windows' screen. At this point the client
essentially "hangs" and the errors start filling the RIS 2003 server security
log about 'unknown user name'. If you look in Active Directory Users &
Computers, there is a computer object for the attempted image machine in the
(default) 'Computers' OU. The computer object has a name based on the NIC
MAC (?) possibly - something like: NP000000AF65121.


3. Does your RIS work with NTLMv2 if you try to add a machine to the
parent domain?
- I'm not sure what you mean by this...?


4. Have you tried a few different models of client hardware?
(Different nics preferably).
- YES, we have tried a couple of NICs that have built-in drivers in Windows
XP, and several that we had to provide drivers for by specifying OEM.inf
files. (That in itself is quite a trick to get to work correctly...)


5. With NTLMv2 turned on, can a functional WinXP/SP2 workstation join
the child domain with the child domain admin credentials?
- YES.



I knew that if you disable LM hash storage, that after a password change LM
hashes are removed. But I didn't think that was possible with NTLM hashes.

We have tried to pull down several different types of images, including, the
flat CD-based Windows XP (no service packs), one Windows XP that has been
slip-streamed with Service Pack 2, and several riprep-ed images with full
software installs and Service Pack 2.

Changing the password of the Domain Admin account (after allowing only
NTLMv2) still didn't let me bring down any of the images (including the flat
CD image and our created images), it still hung at the 'Setup is starting
Windows' screen.
 
With Microsoft PSS help, we were able to solve this issue.

We just needed to add a new flat CD-based image for Windows XP Service Pack
2 and remove the original Windows XP RTM (no SP) image.
Don't forget to copy over any 3rd party NIC drivers before removing the
original flat image.
 