Re: Migration for NT 4.0 to Windows Server 2008 Domain Controller

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Hi Saji,

Sorry for my late reply.

According to my research, we can establish the trust relationship between
Windows NT4 to Windows 2008. Before we establish the trust, we need to
changes the security setting in one GPO that is shown below:

Make sure that the following settings are configured:

RestrictAnonymous and RestrictAnonymousSam:Network access: Allow anonymous
SID/Name
translation ENABLED
Network access: Do not allow anonymous enumeration of SAM accounts
DISABLED
Network access: Do not allow anonymous enumeration of SAM accounts and
shares
DISABLED
Network access: Let Everyone permissions apply to anonymous users
ENABLED
Network access: Named pipes can be accessed anonymously ENABLED
Network access: Restrict anonymous access to Named Pipes and shares
DISABLED
LM Compatibility:Network security: LAN Manager authentication level "LM &
NTLM
responses" or "Send LM & NTLM - use NTLMV2 session security if negotiated"
SMB Signing, SMB Encrypting, or both:Microsoft network client: Digitally
sign
communications (always) DISABLED
Microsoft network client: Digitally sign communications (if server agrees)
ENABLED
Microsoft network server: Digitally sign communications (always) DISABLED
Microsoft network server: Digitally sign communications (if client agrees)
ENABLED
Domain member: Digitally encrypt or sign secure channel data (always)
DISABLED
Domain member: Digitally encrypt secure channel data (when it is possible)
ENABLED
Domain member: Digitally sign secure channel data (when it is possible)
ENABLED
Domain member: Require strong (Windows 2000 or later) session key
DISABLED

For more reference, please refer to:

Trust between a Windows NT domain and an Active Directory domain cannot be
established or it does not work as expected
http://support.microsoft.com/?id=889030

Hope it helps.

David Shen
Microsoft Online Partner Support

.

Relevant Pages

  • Re: Pathworks 6.0C Windows 2003k AD Domain, making it work.
    ... you mentioned to get the trust to work properly. ... Require strong (Windows 2000 or later) session key ... Network access: Do not allow anonymous enumeration of SAM accounts ... > I installed the new 2003 machine as a AD Server, ...
    (comp.os.vms)
  • RE: NT4.0 to 2003 Trust Error
    ... Check "Network access: Do not allow anonymous enumeration of SAM ... recreate the trust to see if it helps. ... NT4.0 to 2003 Trust Error ... I can create the trust in Windows 2003 no issue. ...
    (microsoft.public.windows.server.migration)
  • RE: Account unknown
    ... Network access: Do not allow anonymous enumeration of SAM accounts - Should ... When i view the membership of groups on our Windows NT 4 domain i am ... I have removed the trust on both sides and recreated it. ...
    (microsoft.public.windows.server.migration)
  • Re: Connecting to win2k Server with Windows 7 Ultimate
    ... We purchased a Windows 7 Ultimate upgrade, entered the product key and the upgrade was downloaded and installed via internet. ... Network access: Let Everyone permissions apply to anonymous users ...
    (microsoft.public.windows.server.networking)
  • Re: Combining Domains On One Computer
    ... Depending on the needs of access to the domains, maybe a 2 way trust can help you. ... But for full network access the trust will not help. ... The obvious cons arise out of this "dual boot" such as viruses, ... carrying over to the more restricted domain, ...
    (microsoft.public.windows.server.active_directory)