Re: How to Fallback NT Domain incase of fail



Hi

Ops...

Thanks Jorge for correcting me. I was forgetting about the Kerberos
authentication that isn't supported in NT 4. In fact, after the NT4 upgrade,
if your "new" Windows Server goes down, the clients that already had an
authentication with Kerberos can't authenticate with the "old" BDC.

Once again I'm sorry for the mistake (it has been some time since I have used
NT 4 domains).

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator





"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:O4V05U6bGHA.4896@xxxxxxxxxxxxxxxxxxxxxxx
correct and because of that you would need to rejoin all wxp/w2k/w2k3 that
have started using kerberos.

do it in steps...

first....
use the NT4Emulator key so that all w2k3 DCs emulate NT4. at this point
you have w2k3 dcs and nt4 dcs....
test authentication by:
(1) shutting down NT4 DCs and using only w2k3 dcs
(2) shutting down w2k3 DCs and using only NT4 dcs

if things are not OK remove all w2k3 DCs and promote one NT4 DC to PDC.
(don't forget you also have an NT4 BDC "in the closet". you can use that
one if the upgrade to AD screws your complete NT4 domain)


if everything is OK start by the NT4Emulator key and at that moment the
NT4 DCs will not be used after kerberos is being used. because of that you
can start removing the NT4 dcs.

in my experience I have NEVER seen this go wrong. however, make sure you
create a procedure to do this and make sure you test it!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"New User" <user@xxxxxxx> wrote in message
news:unvkIk5bGHA.1276@xxxxxxxxxxxxxxxxxxxxxxx
Jorge Silva wrote:
Hi
If my memory serves me correctly the Windows 2000 machine can be taken
offline and the Windows NT 4.0 BDC can be promoted to a PDC in the NT
domain.


But the Win2K & WinXP have changed the full name to the AD's name. I can't
log in with the original NT Domain!



