Re: In-place upgrade from NT to 2003, member server question
- From: v-amanwa@xxxxxxxxxxxxxxxxxxxx (Amanda Wang [MSFT])
- Date: Thu, 16 Jun 2005 08:56:51 GMT
Hello,
Glad to hear from you and to learn of your concern.
First, I don't know how you know whether the member server uses Kerberos or NTLM
to authenticate. Could you let me know?
Actually, when you add a Windows Server 2003- or Windows 2000-based domain
controller to a domain, all clients running the Microsoft Windows XP, or
Windows 2000 Professional operating system and all servers running Windows
Server 2003 or Windows 2000 automatically use Kerberos authentication when
users log on interactively. Users at these computers therefore cannot log
on by using the Windows NT backup domain controllers. This shifts the
Windows Server 2003 and Windows 2000 user authentication load to the
existing Windows Server 2003- or Windows 2000-based domain controllers.
Then I would like to explain what I meant in my previous post. We know
authentication only occurs when users log on. Therefore, if you don't want
to reboot the Win2k member server, have you logged the user off and on again
on it? I agree with you that if you don't reboot and don't log the user off
and on again, the computer won't authenticate again.
HTH! If there is anything unclear, please feel free to let me know.
Thanks & Regards
Amanda Wang [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================================
--------------------
>From: "Ziek" <ziek@xxxxxxxxxx>
>Subject: Re: In-place upgrade from NT to 2003, member server question
>Date: Wed, 15 Jun 2005 06:54:40 -0400
>
>Hi Amanda,
>
>I'm aware of the NT4Emulator key, but this is not the answer that I'm
>looking for.
>
>You say that "based on your experience, you needn't reboot the win2k member
>servers and they will detect win2k3 DC and authenticate with them."
>
>How will they detect win2k3 DC? I set up a test lab, and watched the
>process happen, and the win2k member servers never detected win2k3 until I
>rebooted them. So if you could explain to me why you think that they do not
>need to reboot in order to detect win2k3, I would appreciate it.
>
>When they reboot, win2k member servers perform DNS SRV lookups and detect
>the new win2k3 DC's. But if they don't reboot, and they have already
>authenticated using NTLM with a BDC, then how would they "switch" to
>kerberos, while still online, without rebooting?
>
>
>"Amanda Wang [MSFT]" <v-amanwa@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:95%23n9UWcFHA.3336@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hello,
>>
>> Thanks for your post.
>>
>> I understand you are asking: after an in-place upgrade from WinNT to Win2k3,
>> if you don't reboot the Win2k member servers, how will they continue to operate?
>>
>> Based on my experience, you needn't reboot the Win2k member servers and
>> they will detect Win2k3 DC and authenticate using kerberos with them.
>>
>> If you want to avoid the overload issue, you need to add the NT4Emulator key
>> and use the Windows Server 2003 interim functional level. Actually, it also
>> works if you don't add NT4Emulator.
>>
>> Please note: this procedure is a temporary solution because some
>> Win2k3 functions do not work if you use NT4Emulator. When you have
>> sufficient Windows 2k3 domain controllers, you can remove the NT4Emulator
>> registry value on all the Windows 2k3 domain controllers. Then I would
>> like to provide some information related to NT4Emulator and the Windows
>> Server 2003 interim functional level:
>>
>> 1. Add nt4emulator key
>>
>> After upgrading the Windows NT PDC to Windows 2003, all the Windows 2000/XP
>> clients may only authenticate with the Windows 2000/2003 DC, which makes
>> this DC overloaded.
>>
>> To avoid the problem, we can add an NT4Emulator registry entry before the
>> upgrade. If we add it after the upgrade, we have to rejoin the Windows
>> 2000/XP clients, which is not a good idea.
>>
>> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
>>
>> Entry: NT4Emulator
>> Type: REG_DWORD
>> Value: 0x1
>>
>> Reference:
>>
>> 298713 How to Prevent Overloading on the First Domain Controller During Domain
>> http://support.microsoft.com/?id=298713
>>
>> 2. Use Windows Server 2003 interim Functional Level
>> Interim functional level:
>> o Supported domain controllers: Windows NT 4.0, Windows Server 2003
>> o Supported features: There are no domain-wide features activated at this
>> level. All domains in a forest are automatically raised to this level when
>> the forest level increases to interim. This mode is only used when you
>> upgrade domain controllers in Windows NT 4.0 domains to Windows Server 2003
>> domain controllers.
>>
>> For more references:
>>
>> Enabling Windows Server 2003 Functional Levels in a Windows NT 4.0
>> Environment
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/faf881bd-5189-40bb-b2bb-08bd5b6759c9.mspx
>>
>> How To Raise Domain and Forest Functional Levels in Windows Server 2003
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;322692
>>
>> HTH!
>>
>> Thanks & Regards
>>
>> Amanda Wang [MSFT]
>>
>> Microsoft Online Partner Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>>
>> --------------------
>>>From: "Ziek" <ziek@xxxxxxxxxx>
>>>Subject: In-place upgrade from NT to 2003, member server question
>>>Date: Tue, 14 Jun 2005 17:09:08 -0400
>>>
>>>If I do an in-place upgrade of my domain from NT4 to W2k3, I know that if I
>>>reboot my win2000 member servers, they will detect the new Active Directory
>>>domain controllers, and authenticate using kerberos with them.
>>>
>>>But if I don't reboot the win2000 member servers, how will they continue to
>>>operate? Will they continue to use the BDC's ? What if I start
>>>decommissioning my BDC's and shutting them down - will the win2000 member
>>>servers suddenly "discover" the new win2k3 DC's ?
>>>
>>>
>>>
>>
>
>
>
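The thread turns on how to tell whether a member server has moved from NTLM to Kerberos after the upgrade. The following is an added example, not part of any post in the thread: it reads logon-success records (event IDs 528 and 540 on Windows 2000/2003, which carry an Authentication Package field) and reports each host's most recent package. The CSV layout, host names, accounts and cutover time are constructed assumptions.

```python
import csv
from io import StringIO

# Constructed sample, not from the thread. Assumed export layout:
# timestamp,host,event_id,account,authentication_package
SAMPLE_EXPORT = """\
2005-06-15T08:00:05,APP01,540,svc_app,NTLM
2005-06-15T08:00:09,WEB02,540,jsmith,NTLM
2005-06-15T08:10:44,DB04,540,svc_sql,NTLM
2005-06-15T09:30:41,WEB02,540,jsmith,Kerberos
2005-06-15T09:31:02,APP01,540,svc_app,NTLM
2005-06-15T09:45:17,FILE03,528,admin1,Kerberos
2005-06-15T09:50:00,WEB02,538,jsmith,
"""

CUTOVER = "2005-06-15T09:00:00"    # hypothetical time the PDC upgrade finished
LOGON_SUCCESS_IDS = {"528", "540"}  # logon success / network logon success


def latest_logons(export_text):
    """Return {host: (timestamp, package)} for each host's newest logon record."""
    latest = {}
    for row in csv.reader(StringIO(export_text)):
        if len(row) != 5:
            continue  # blank or malformed line
        ts, host, event_id, _account, package = (f.strip() for f in row)
        if event_id not in LOGON_SUCCESS_IDS or not package:
            continue  # logoff and other events say nothing about the package
        # ISO 8601 timestamps compare correctly as plain strings
        if host not in latest or ts >= latest[host][0]:
            latest[host] = (ts, package)
    return latest


def classify_hosts(export_text, cutover):
    """Label each host by the package of its newest logon relative to cutover."""
    status = {}
    for host, (ts, package) in latest_logons(export_text).items():
        if ts < cutover:
            # Nothing has re-authenticated on this host since the upgrade,
            # so the log cannot show which package it would use now.
            status[host] = "no logon since cutover"
        else:
            status[host] = package.lower()
    return status


if __name__ == "__main__":
    for host, state in sorted(classify_hosts(SAMPLE_EXPORT, CUTOVER).items()):
        print(host, state)
```
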