Re: Rollback to NT4 Domain from 2000

From: Dusko Savatovic (savatovic.removespam_at_hotmail.com)
Date: 12/06/04

    Date: Mon, 6 Dec 2004 16:02:47 +0100
    
    

    As I remember, it was recommended in Microsoft's papers that when you do
    an in-place upgrade, you should switch off your NT4 BDC and lock it in a
    cupboard for safe keeping. That's your returning point.

    Also, AIUI, Win2k and above indeed use Kerberos as the default
    authentication protocol, but if Kerberos is unavailable, they will
    automatically fall back to NTLM.

    As I remember, authentication in WinNT networks relied on the NetBIOS name
    resolution service (unlike the DNS service in Win2k and above). Therefore,
    you should arrange for good NetBIOS name resolution on your network (WINS
    service).

    What would happen if you try the complete exercise again?
    1. Get rid of the present Win2k DCs.
    2. Promote your old NT4 BDC to PDC.
    3. Do an in-place upgrade to Win2k.

    I understand that it can be a pain, but tools like Ghost and Virtual PC (or
    VMware) should make it easier.

    Dusko Savatovic

    "Todd B" <tbergman@goisg.com> wrote in message
    news:OaQQa5T2EHA.1392@tk2msftngp13.phx.gbl...
    > Once a Windows 2000 AD controller is added to your network, 2000 and XP
    > clients switch default authentication to Kerberos. Once the AD controller
    > goes offline these clients will not authenticate. I have looked at the
    > articles for AD overload; unfortunately these reg hacks needed to be done
    > prior to AD upgrade. How can I redirect XP and 2000 clients to
    > authenticate to an NT4 PDC after AD? No Kerberos.
    >

