The issue Kevin refers to is described in the article below. It is more for cases where the domain is reverted to an NT4 domain. Once W2K (and above, presumably) clients have authenticated with an AD DC using Kerberos, they can't then revert to using NTLM without rejoining the domain.
http://support.microsoft.com/default.aspx?scid=kb;[LN];263108 Tony ---------- Original Message ---------------------------------- From: "Sullivan, Kevin" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Wed, 2 Apr 2003 00:07:38 -0500 Here is another issue that may come up when you start upgrading clients to be aware of. If a w2k client authenticates to the NT 4 BDCs that will work fine. The w2k client will use NTLM in the absence of AD for authentication. But if the NT4 DC happens to be unavailable and the client contacts a w2k DC and can authenticate using Kerberos then it will never be able to authenticate with NTLM again after that. I pulled this from memory and am a bit shaky on the details so possibly someone could clarify if I am mis-representing this. Even though it is not directly related it may be something this type of environment will encounter during its modernization effort. -----Original Message----- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 01, 2003 10:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] downlevel client authentication When dealing with downlevel clients, a Windows 2K DC looks like an NT 4.0 BDC - hence it can authenticate the client. So, in your example of the mixed-mode site, there is no reason for a client to have to authenticate with the PDC-E. And, to further emphasize the point - if you install the DS Client, you can change passwords by contacting any Windows 2000 DC. If you will remember in Windows NT domains, the PDC was typically so busy doing everything else that was necessary for a writeable system, that the BDCs did the lion's share of the work. The PDC actually did very little authentication at all. And, to further the point one more step - in a very complex structure, having to contact the PDC-E for authentication would be very inefficient in any type of WAN environment. This might prompt many administrators to create a domain per remote site just to control authentication traffic. Fortunately, this isn't necessary, as authentication is possible at any DC. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino Sent: Tuesday, April 01, 2003 5:23 PM To: [EMAIL PROTECTED] All, Please help me resolve a "discussion" with some strong opinions on both sides of the camp. You see, our reading on the role of the PDC Emulator in regard to a mixed-mode domain with downlevel clients (we're not upgrading the NT4.0 client software) has left us with differing interpretations. We agree and understand that the PDC Emulator is contacted directlry by the downlevel clients to change their passwords. We also understand and agree that the PDC Emulator is the source of SAM replication. Our disagreement is in authentication. Some folks are reading it as all downlevel client activity, including authentication, is done at the PDC emulator. Others read this as the downlevel client is authenticated by the domain controller that responds first (or the last time the client was authenticated [we're also a bit unclear on that concept]). To me, this is very clear (but I could be the cause of the confusion). In a branch office environment running mixed mode we would have a combination of Win2k and NT4.0 domain controllers in the field offices. The NT4.0 BDC's are not aware of the fact that they're really part of an AD domain and nor would the clients. Thus, if the client's don't know about AD, and the BDC doesn't know about AD, how would the client know that it had to contact the PDC emulator to be authenticated? It wouldn't. Hence, downlevel client authentication must occur at any domain controller (again, the one that responds first [or the last one]). Please help clear this up and please include a link to something that helps clear this up. Thanks, Mike Baudino ******************* PLEASE NOTE ******************* This E-Mail/telefax message and any documents accompanying this transmission may contain privileged and/or confidential information and is intended solely for the addressee(s) named above. If you are not the intended addressee/recipient, you are hereby notified that any use of, disclosure, copying, distribution, or reliance on the contents of this E-Mail/telefax information is strictly prohibited and may result in legal action against you. Please reply to the sender advising of the error in transmission and immediately delete/destroy the message and any accompanying documents. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
