Rollback to NT4 Domain from 2000


Todd B

Have corrupt 2000 AD, no backups, mixed mode with NT4 BDCs. Have 2K & XP
clients.

Anyone have a way to roll back to NT4 without having to re-add these clients
to the domain?

Help...

Thanks,

Todd Bergman
System Engineer ISG
mailto:[email protected]
 
If your domain is 2000 mixed mode, then it is an NT4 domain (sort of).
Just remove any Win2000 DCs and promote one NT4 BDC to become PDC.

Dusko Savatovic
 
Once a Windows 2000 AD controller is added to your network, 2000 and XP
clients switch default authentication to Kerberos. Once the AD controller
goes offline, these clients will not authenticate. I have looked at the
articles for AD overload; unfortunately, these reg hacks needed to be done
prior to the AD upgrade. How can I redirect XP and 2000 clients to authenticate
to an NT4 PDC after AD? No Kerberos.
 
As I remember, it was recommended in Microsoft's papers that when you do
an in-place upgrade, you should switch off your NT4 BDC and lock it in a
cupboard for safe keeping. That's your returning point.

Also, AIUI, Win2k and above indeed use Kerberos as default authentication
protocol, but if Kerberos is unavailable, they will automatically fall back
to NTLM.

As I remember, authentication in WinNT networks relied on NetBIOS name
resolution service (unlike DNS service in Win2k and above). Therefore, you
should arrange for a good NetBIOS name resolution on your network (WINS
service).

What would happen if you try the complete exercise again?
1. Get rid of present Win2k DCs.
2. Promote your old NT4 BDC to PDC.
3. Do an in-place upgrade to Win2k.

I understand that it can be a pain, but tools like Ghost and Virtual PC (or
VMware) should make it easier.

Dusko Savatovic
 
Yes, I am using VPC... saves hours and hours to run scenarios. I am actually
working with Microsoft on this issue and they aren't getting much further.
Bottom line is I am either using Netdom or just rejoining each workstation
back to the domain.
WINS and DNS aren't the issues in this case; I have them set correctly.
The issue is the secure channel. With an AD DC. Once you introduce the new
one, it's reset and the workstations need to be reset for the new DC. Even if
I would promote the designated rollback PDC to 2000, the secure channel would
be reset.
 
Sorry I couldn't be of much help.
I'm keeping an eye on this thread and I'd be interested what's the solution
to this problem once you and Microsoft work it out. It would also be useful
to know if you used any special troubleshooting tools.

Good luck,
Dusko Savatovic
 