Windows 2000 Pro in a Mixed NT4 domain

  • Thread starter Thread starter Giovanni
  • Start date Start date
G

Giovanni

Hello,

I'm working for a company with multiple sites throughout
the world. We are currently upgrading our NT4 domain to
Windows 2003. The Domain Controllers in the central
office are Windows2003 but the domain controllers for the
branch office are still Windows NT4 (BDC). To avoid the
Windows 2003 DC from overflow, we have used the
NT4Emulator key. We have got the following problems: When
a Windows 2000 Pro computer is joined to the domain, this
computer will only logon to a windows2003 DC in the
central location and complete ignores the NT4 BDC at his
own site. This is not what we want. How can we make these
computer to logon to the NT4 BDC. The clients all have
SP2 installed. Furthermore I would like to know a litle
bit more about who the Windows2000Pro clients can find a
NT4 BDC in his own site since it's default behavior is to
check DNS for DC's in its site and the only DC's in DNS
are Windows2003 DC's for Ldap, Kerberos and GC
information.

Thanks for your reaction


Giovanni Perini
 
In
Giovanni said:
Hello,

I'm working for a company with multiple sites throughout
the world. We are currently upgrading our NT4 domain to
Windows 2003. The Domain Controllers in the central
office are Windows2003 but the domain controllers for the
branch office are still Windows NT4 (BDC). To avoid the
Windows 2003 DC from overflow, we have used the
NT4Emulator key. We have got the following problems: When
a Windows 2000 Pro computer is joined to the domain, this
computer will only logon to a windows2003 DC in the
central location and complete ignores the NT4 BDC at his
own site. This is not what we want. How can we make these
computer to logon to the NT4 BDC. The clients all have
SP2 installed. Furthermore I would like to know a litle
bit more about who the Windows2000Pro clients can find a
NT4 BDC in his own site since it's default behavior is to
check DNS for DC's in its site and the only DC's in DNS
are Windows2003 DC's for Ldap, Kerberos and GC
information.

Thanks for your reaction


Giovanni Perini
Click to expand...

In a nutshell, once a Win2k or XP client discovers an AD domain, it changes
it's default authentication mechanism from NTLM (which is what NT4 uses) to
Kerberos and does not switch back for the domain that it's a member of. The
only way to make it authenticate back to NT4 is to disjoing it, then re-join
it to the domain with the NT4 DC the only one on the segment and only use
the Domain's NetBIOS name.

263108 - Clients Unable to Log On in the Absence of DCs (Client goes to
Kerberos, but can't revert back to NTLM if the only avail DC is an NT4 BDC):
http://support.microsoft.com/?id=263108

I know it's easier said then done, but you may want to plan to put in a W2k3
DC in each location.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hello Ace,


Thanks for your reply. We already new about this issue
and that is why we run the NT4EmmulatorKey. See
http://support.microsoft.com/default.aspx?scid=kb;en-
us;298713&Product=win2000 This works fine for all the
Windows2000Pro workstations, but it does not seem to work
for newly installed workstations. They keep
authenticating themself with the Windows2003 servers in
the central site.

I hope you can help me understand what is going on.
Thanks Giovanni
 
Hi Giovanni,

I'm aware of that reg entry, but to tell you the truth, I've had problems
with that myself. You may want to post this in the AD newsgroups to get
better exposure for your question, since this is really not a DNS issue
anymore but an authentication issue.

I cross-posted this to the AD newsgroup and set followups to come back here
so you can see the responses. When replying, set follopwups to come back
here for your convenience.

Ace
x-posted to
microsoft.public.win2000.active_directory, microsoft.public.win2000.dns

followups set to:

microsoft.public.win2000.active_directory, microsoft.public.win2000.dns



In
Hello Ace,


Thanks for your reply. We already new about this issue
and that is why we run the NT4EmmulatorKey. See
http://support.microsoft.com/default.aspx?scid=kb;en-
us;298713&Product=win2000 This works fine for all the
Windows2000Pro workstations, but it does not seem to work
for newly installed workstations. They keep
authenticating themself with the Windows2003 servers in
the central site.

I hope you can help me understand what is going on.
Thanks Giovanni
Click to expand...




--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Please post this question to the Active_directory group. They will be able to answer the question more precisely.

Than you,
Mike Johnston
Microsoft Network Support


--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 
Back
Top