Re: Rollback to NT4 domain from 2000 mixed mode


From: Todd B (tbergman_at_goisg.com)
Date: 12/04/04


Date: Sat, 4 Dec 2004 14:43:51 -0500

I tested the process on Virtual PC. The clients will not authenticate to NT
after they have been introduced to AD. In fact, one process that did work
for 2000 clients was:
remove 2000 AD from the net
promote one of the NT BDCs to PDC
upgrade that PDC to 2000 AD
all DNS and WINS properly configured
2000 machines seemed to work; XP machines needed to rejoin the domain.

I guess my question to everyone is: after a rollback to an NT4 PDC, 2K and XP
clients will not authenticate to NT domain controllers. If I promote the
rollback server to 2000, I do not believe there is any way to get around
rejoining the clients to the domain. The only way to have these clients
authenticate to NT4 BDCs when the domain is upgraded is Q298713 "How to
prevent overloading on the first domain controller during domain upgrade";
however, this MS trick does not apply.

Unless anyone else has any ideas, I am scripting with the netdom utility to
rejoin clients. Or bring on the gophers to do the manual process.
"Frank Szita [MSFT]" <a-fszita@online.microsoft.com> wrote in message
news:6VpucGb2EHA.768@cpmsftngxa10.phx.gbl...
> Windows 2000 and above use 2 forms of authentication: Kerberos and NTLM.
> The operating system will attempt to use Kerberos first. If there are no
> domain controllers to answer a Kerberos request then it will attempt to
> use NTLM. If you remove Windows 2000 Active Directory and promote an NT4 BDC to
> PDC, the workstation will attempt to make a Kerberos authentication which
> will fail because no Windows 2000 domain controllers will be available.
> Then it will make an NTLM request which should be answered by the NT4 PDC.
> The key is giving the workstation the ability to discover the domain
> controller. Make sure either WINS is used or LMHOSTS is configured. The
> NT4 PDC will broadcast that it is a PDC, but broadcast is less reliable
> than using WINS. If you wish to test, you can remove the Windows 2000 domain
> controller temporarily.
>
> Best regards,
>
> Frank Szita [MSFT]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
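One way to script the bulk rejoin Todd describes, added here as an example and not code from the original thread. It assumes netdom from the Windows 2000/2003 Support Tools, a placeholder domain name CORP, a constructed clients.txt (one NetBIOS name per line, # for comments), and domain admin credentials supplied through the environment rather than written into the script.

```batch
@echo off
rem Added example (not from the thread): rejoin each listed workstation to
rem the NT4 domain with netdom, logging per-client success or failure.
rem Assumptions: domain CORP, list file clients.txt, ADMINUSER and ADMINPW
rem set in the calling session (the password is never stored in this file;
rem note it is still visible on the netdom command line while it runs).
setlocal
set DOMAIN=CORP
set LIST=clients.txt
set LOG=rejoin.log

if "%ADMINUSER%"=="" goto :nocreds
if "%ADMINPW%"=="" goto :nocreds
if not exist "%LIST%" (
  echo Client list %LIST% not found.
  exit /b 1
)

echo Rejoin run started %DATE% %TIME% >> "%LOG%"

rem eol=# skips comment lines; tokens=1 takes the first word of each line.
for /f "usebackq eol=# tokens=1" %%C in ("%LIST%") do (
  echo Rejoining %%C ...
  rem Drop the stale membership first, then join and reboot after 30 seconds.
  netdom remove %%C /Domain:%DOMAIN% /UserD:%DOMAIN%\%ADMINUSER% /PasswordD:%ADMINPW%
  netdom join %%C /Domain:%DOMAIN% /UserD:%DOMAIN%\%ADMINUSER% /PasswordD:%ADMINPW% /REBoot:30
  if errorlevel 1 (
    echo FAILED %%C >> "%LOG%"
  ) else (
    echo OK %%C >> "%LOG%"
  )
)
echo Rejoin run finished %DATE% %TIME% >> "%LOG%"
endlocal
exit /b 0

:nocreds
echo Set ADMINUSER and ADMINPW in the environment before running this script.
exit /b 1
```

Review rejoin.log afterwards and handle the FAILED entries by hand; a failure usually means the client was unreachable or could not locate the PDC, which is exactly the WINS/LMHOSTS point made in the reply above.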


