Re: Raising the Domain and Forest Mode




Hi Meinolf,

These are our DC Policies and I am thinking that one of these policies is
causing problems establishing a trust relationship with the NT 4.0 domain. We are
also seeing a strange behaviour, where a client in the source domain is able to
open a specific application in 2 sec, and once the same client is joined to
the target domain (with the below policies applied) and logged into the target
domain, it takes more than 100 sec to open the application. The application
server is in the source domain only.

I am thinking that both of the issues are pertaining to the DC
Policies... but not sure which one is causing the issue.

Domain Controller
Policy Setting
Domain controller: LDAP server signing requirements None

Domain Member
Policy Setting
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Enabled

Interactive Logon
Policy Setting
Interactive logon: Do not display last user name Enabled
Interactive logon: Do not require CTRL+ALT+DEL Disabled
Interactive logon:
Interactive logon: Prompt user to change password before expiration 7 days

Microsoft Network Client
Policy Setting
Microsoft network client: Digitally sign communications (always) Enabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled

Microsoft Network Server
Policy Setting
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Digitally sign communications (if client agrees) Enabled

Network Access
Policy Setting
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Enabled
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Remotely accessible registry paths and sub-paths
    Software\Microsoft\Windows NT\CurrentVersion\Print,
    Software\Microsoft\Windows NT\CurrentVersion\Windows,
    System\CurrentControlSet\Control\Print\Printers,
    System\CurrentControlSet\Services\Eventlog,
    Software\Microsoft\OLAP Server,
    System\CurrentControlSet\Control\ContentIndex,
    System\CurrentControlSet\Control\Terminal Server,
    System\CurrentControlSet\Control\Terminal Server\UserConfig,
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,
    Software\Microsoft\Windows NT\CurrentVersion\Perflib,
    System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares Enabled
Network access: Sharing and security model for local accounts Classic - local users authenticate as themselves

Network Security
Policy Setting
Network security: Do not store LAN Manager hash value on next password change Enabled
Network security: LAN Manager authentication level Send NTLMv2 response only\refuse LM
Network security: LDAP client signing requirements Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
    Require message integrity Enabled
    Require message confidentiality Enabled
    Require NTLMv2 session security Enabled
    Require 128-bit encryption Enabled

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Enabled
    Require message integrity Enabled
    Require message confidentiality Enabled
    Require NTLMv2 session security Enabled
    Require 128-bit encryption Enabled

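The post lists the policy names as Group Policy shows them but does not say which ones an NT 4.0 domain controller can actually honour. The script below is an added example, not code from anyone in this thread: it reads the `[Registry Values]` section of a `secedit /export /cfg` file (the registry-path form of the same policies), and flags the entries whose settings are known from Microsoft's documentation to block interoperation with NT 4.0: the Windows 2000-style strong session key requirement on the secure channel, mandatory NTLMv2 session security / 128-bit NTLM SSP security, an LM compatibility level that refuses LM, and mandatory outbound SMB signing. The export text is constructed here to mirror the settings in the post; it is not a capture from the poster's domain, and the policy-to-registry mapping is the standard one for these security options.

```python
"""Flag security-option settings that are known to interfere with an
NT 4.0 domain, reading the [Registry Values] section of a secedit export
(`secedit /export /cfg file.inf`).

Added example for this thread, not the poster's code. The registry paths
and the NT 4.0 limitations are from Microsoft documentation; the export
text below is constructed to mirror the policies listed in the post.
"""
import re
from typing import Dict, List, Tuple

NETLOGON = r"System\CurrentControlSet\Services\Netlogon\Parameters"
MSV1_0 = r"System\CurrentControlSet\Control\Lsa\MSV1_0"
LSA = r"System\CurrentControlSet\Control\Lsa"
WKS = r"System\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# Bit flags of NTLMMinClientSec / NTLMMinServerSec (REG_DWORD bitmask).
NTLM_INTEGRITY = 0x00000010
NTLM_CONFIDENTIALITY = 0x00000020
NTLM_V2_SESSION_SECURITY = 0x00080000
NTLM_128_BIT = 0x20000000

# Constructed export mirroring the thread's policy list (not a real capture).
# 537395248 == 0x20080030: integrity + confidentiality + NTLMv2 + 128-bit.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395248
"""

_LINE = re.compile(r"^MACHINE\\(?P<path>[^=]+)=(?P<type>\d+),(?P<value>.*)$")


def parse_registry_values(text: str) -> Dict[str, object]:
    """Return {registry path: value} for the [Registry Values] section.
    REG_DWORD entries (type 4) become int; other types keep the raw string."""
    values: Dict[str, object] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue  # comments or malformed lines are ignored
        value: object = m.group("value")
        if m.group("type") == "4":
            value = int(value)
        values[m.group("path")] = value
    return values


def audit_nt4_interop(values: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (setting, reason) pairs for settings an NT 4.0 domain cannot meet."""
    findings: List[Tuple[str, str]] = []
    if values.get(NETLOGON + r"\RequireStrongKey") == 1:
        findings.append(("RequireStrongKey",
                         "secure channel demands a Windows 2000-style strong session key; "
                         "NT 4.0 DCs cannot supply one, so a trust with an NT 4.0 domain "
                         "cannot be established while this is Enabled"))
    for leaf in ("NTLMMinClientSec", "NTLMMinServerSec"):
        v = values.get(MSV1_0 + "\\" + leaf, 0)
        if isinstance(v, int) and v & (NTLM_V2_SESSION_SECURITY | NTLM_128_BIT):
            findings.append((leaf, "requires NTLMv2 session security and/or 128-bit "
                                   "encryption; NT 4.0 before SP4 cannot negotiate them"))
    lm = values.get(LSA + r"\LmCompatibilityLevel", 0)
    if isinstance(lm, int) and lm >= 4:
        findings.append(("LmCompatibilityLevel",
                         "LM responses are refused; the NT 4.0 side must be SP4 or later "
                         "and configured to send NTLMv2"))
    if values.get(WKS + r"\RequireSecuritySignature") == 1:
        findings.append(("RequireSecuritySignature (workstation)",
                         "outbound SMB sessions must be signed; NT 4.0 servers before "
                         "SP3 cannot sign, so the session fails"))
    return findings


if __name__ == "__main__":
    for setting, reason in audit_nt4_interop(parse_registry_values(SAMPLE_EXPORT)):
        print(f"{setting}: {reason}")
```

Run against a real export with `parse_registry_values(open("file.inf", encoding="utf-16").read())` (secedit writes UTF-16). Every hit is a setting to relax on the DCs that hold the trust, or a reason to bring the NT 4.0 side to the service pack the reason names; the two NTLM SSP findings and the strong-key requirement are the ones an NT 4.0 domain controller can never satisfy on its own.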


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6623f3b8cba2aa25273242@xxxxxxxxxxxxxxxxxxxxxxx
Hello Phani,

Please describe the problems you have in more detail, including error
messages and event viewer entries.

See also this article because of different security settings between NT4
and 2003 trust.
http://www.pbbergs.com/windows/articles/firewall_trust.html

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Thanks a Lot Meinolf.

On the other hand we have trust creation issues between our child
domain (Windows Server 2003 Domain Mode) and a Windows NT domain, do
you think the forest trust level has anything to do with this issue?

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6623ca18cba1e303cc470a@xxxxxxxxxxxxxxxxxxxxxxx

Hello Phani,

No, you can raise the levels without affecting the trust.

What you can think about is using forest trusts instead of two-way.
Here are all options described, go to "Forest Trusts":
http://technet.microsoft.com/en-us/library/cc773178.aspx#w2k3tr_trust_how_slpn

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Our current environment has an Empty Root and one Child Domain. All
DCs are running on W2k3. The functional levels of the domain/forest are
as under:

Forest Functional Level:- Windows 2000
Forest Root Domain Functional Level:- Windows 2000 Mixed
Child Domain:- Windows Server 2003 domain functional level
The child domain has a two-way trust relationship with another
Windows 2003 domain. I would like to know if raising the forest root
domain/forest functional levels to Windows 2003 is going to break
anything.
What are the considerations that need to be taken into account
before performing a raise? As this is an irreversible action we want
to be doubly sure.

Regards




