If I can add a bit to Richard's comments, Win2K machines will authenticate to an NT4 BDC just fine, UNTIL they've once authenticated to a Win2K DC. After that, they just refuse to use a BDC anymore. This caused a lot of grief for some shops who standardized on Win2K Pro long before they began to move to AD. As soon as they upgraded the PDC to a DC, all those Win2K boxes started using it exclusively (Microsoft's term was 'overloading').
MS made a change in SP2 which allows you to modify this behavior with a registry change. Q298713 describes this change, which must be done BEFORE the PDC is upgraded, and basically forces the PDC to behave like an NT4 box. The idea is that you upgrade your PDC and BDCs using this registry change, and then all at once change the value to allow them to behave like proper Win2K DCs, so that one DC doesn't have to handle the whole load. All in all, I'm glad we upgraded the servers first :)

Dave

-----Original Message-----
From: Richard Burke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 5:32 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Interesting authentication issue

I believe that it is because the laptop could not locate an AD DNS server to get SRV records to locate a DC. An NT BDC does not authenticate XP/2000 machines.

-----Original Message-----
From: Lori Eby [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 6:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Interesting authentication issue

Hi Everyone,

The other day, I had a user unable to log into his laptop when a connection to a W2K DC was not available. Our network is a Windows 2000 AD domain in mixed mode. There are 2 AD DCs on one subnet and one NT 4.0 BDC on the corporate user subnet. The router between the subnets went down, so only an NT 4.0 BDC was available for authentication. The user was unable to access network resources, so he rebooted his machine. When it came back up, he wasn't even able to log in. W2K gave him a "computer account missing or incorrect password" error. He was not putting in an incorrect password, and I was not able to log in as myself or domain admin to his machine. When the router came back up, he was fine. We are confused because when we are unable to contact a domain controller with W2K or XP, the OS just logs us in with our local profile and files an error in the Event Log, and NT lets you know.

I am thinking that since there was a valid network connection in our domain, just that the AD DC was not available caused this, but why isn't my NT 4.0 BDC authenticating anyway? Does the RDC have to be available at all times? Does an AD domain not allow NT 4.0 DCs to authenticate users? I was under the impression that if Kerberos failed, NTLM would be used next and the NT 4.0 DC should respond to that. I have Netlogon successes on that DC, so it still has to be doing something. We are planning for a W2K DC on the corporate subnet within the next month, when we are able to retire the NT 4.0 BDC, which is our Exchange Server.

Any thoughts are greatly appreciated. Thanks in advance.

LORI EBY
Information Systems Administrator
Atoga Systems, Inc.
49026 Milmont Drive
Fremont, CA 94538
VOICE - (510) 743-0223
FAX - (510) 687-9710
www.atoga.com

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
