Demoting W2000 Server in recently upgraded W2003 domain fails

Tech-Archive recommends: Speed Up your PC by fixing your registry

This post includes both the question and the resolution, posted for
archiving purposes.

We were having the following problem when demoting the last Windows
2000 server domain controller from a recently upgraded Windows 2003
domain. We had already successfully demoted two Windows 2000 servers,
but could not demote the last:

dcpromo led to the error message "The operation failed because:
Managing the network session with server.companyname.com failed"
"Access is denied."

We were then met with a logon screen, and no username/password
combination was successful.

We were sure of FSMO roles, DNS, prep work, and most everything else we
could think of.

What solved the problem were some group policy settings. Specifically,
those listed under Windows 2003 Server in this MS article,
http://support.microsoft.com/kb/889030/en-us , need to be set as in the
article indicates:

Network access: Allow anonymous SID/Name translation ENABLED
Network access: Do not allow anonymous enumeration of SAM
accounts DISABLED
Network access: Do not allow anonymous enumeration of SAM accounts and
shares DISABLED
Network access: Let Everyone permissions apply to anonymous
users ENABLED
Network access: Named pipes can be accessed anonymously ENABLED
Network access: Restrict anonymous access to Named Pipes and
shares DISABLED

LM Compatibility:
Network security: LAN Manager authentication level "LM & NTLM
responses" or "Send LM & NTLM - use NTLMV2 session security if
negotiated"
SMB Signing, SMB Encrypting, or both:
Microsoft network client: Digitally sign communications
(always) DISABLED
Microsoft network client: Digitally sign communications (if server
agrees) ENABLED
Microsoft network server: Digitally sign communications
(always) DISABLED
Microsoft network server: Digitally sign communications (if client
agrees) ENABLED
Domain member: Digitally encrypt or sign secure channel data (always)
DISABLED
Domain member: Digitally encrypt secure channel data (when it is
possible) ENABLED
Domain member: Digitally sign secure channel data (when it is
possible) ENABLED
Domain member: Require strong (Windows 2000 or later) session
key DISABLED

This solved the problem.

-tom

.

Relevant Pages

  • RE: Printing from Win9x clients stops
    ... Open Server Management. ... then right-click the name of the computer running Windows Small Business ... >From the client computer: ... The Select Network Component Type ...
    (microsoft.public.windows.server.sbs)
  • RE: Printing from Win9x clients stops
    ... The printers with 9x drivers on the server appeared automatically in the ... > then right-click the name of the computer running Windows Small Business ... > From the client computer: ... The Select Network Component Type ...
    (microsoft.public.windows.server.sbs)
  • Re: random lockouts
    ... >> I've got a network with several Windows 2000 Servers and ... >> about 150 Windows 98 clients. ... >This problem occurs because the Windows 2000-based server ... >because the session that is reused is against a DFS ...
    (microsoft.public.win2000.security)
  • Questions Relating to Administering Windows 2000 Server
    ... installed the network client on the target computer. ... Sarah has been attempting to install Windows 2000 ... Server for two days. ... Sarah has checked the cables and hard drives. ...
    (microsoft.public.cert.exam.mcse)
  • Questions Relating to Administering Windows 2000 Server
    ... installed the network client on the target computer. ... Sarah has been attempting to install Windows 2000 ... Server for two days. ... Sarah has checked the cables and hard drives. ...
    (microsoft.public.cert.exam.mcse)