Just to clarify: this is known as the PDC Overload scenario, where AD-capable
clients (after finding that a DC is registered in DNS and successfully
connecting to it) switch over to Kerberos authentication.  As the PDC is the
first one to be upgraded from NT4, there is a chance that it will be
"attacked" by all Win2k/XP clients.

The fix is not on the client side - instead you have to enable the
NT4Emulator regkey on the AD DCs:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\NT4Emulator
(REG_DWORD) => set to 0x1
To revert the clients from authenticating with Kerberos, they'd actually
have to be taken out and rejoined to the domain.

This is only relevant as long as you don't have multiple AD DCs which will
share the load for authentication. But it might take you a while to upgrade
those BDCs in the branch offices - Win2k clients in these offices will also
authenticate over the WAN to an AD DC when they find one exists but can't
find a local DC.

So for in-place upgrades of large NT4 domains with many Win2k/XP clients,
this key is rather important. This is true for Win2k and Win2k3. See Q298713
for more details.

/Guido
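The registry change Guido describes, as an added PowerShell example that is not part of the original thread: it reports the current NT4Emulator state on a list of AD domain controllers and, separately, sets it. It assumes PowerShell remoting to the DCs and an account with local administrator rights on them; the DC names are placeholders, and the Netlogon restart is an assumption that the service reads the value at startup (check Q298713 for the exact activation requirement on your version).

```powershell
# Added example, not from the thread: check and set the Netlogon NT4Emulator
# value on AD domain controllers so AD-capable clients keep using NTLM/NT4-style
# logon against them until enough DCs are upgraded.
# Assumptions: PowerShell remoting works to each DC, the caller has local admin
# rights there, and the DC names used at the bottom are placeholders.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'NT4Emulator'

function Get-NT4EmulatorState {
    # Returns one object per DC with the effective state of the value.
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        $state = if ($null -eq $v) { 'absent (default: off)' }
                 elseif ($v -eq 1) { 'on' }
                 else               { "off ($v)" }
        [pscustomobject]@{ DC = $env:COMPUTERNAME; NT4Emulator = $state }
    } -ArgumentList $RegPath, $ValueName
}

function Set-NT4EmulatorState {
    # Writes the REG_DWORD (1 = emulate NT4, 0 = normal AD behaviour) and
    # restarts Netlogon. Supports -WhatIf so you can preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Disable
    )
    $desired = if ($Disable) { 0 } else { 1 }

    foreach ($dc in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($dc, "Set $ValueName = $desired and restart Netlogon")) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                param($Path, $Name, $Value)
                if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
                # REG_DWORD, as the KB article specifies; -Force overwrites an existing value.
                New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
                # Assumption: Netlogon reads the value at service start, so restart it.
                Restart-Service -Name Netlogon -Force
            } -ArgumentList $RegPath, $ValueName, $desired
        }
    }
}

# Usage with placeholder DC names: report first, preview with -WhatIf, then apply.
$dcs = 'DC01', 'DC02'
Get-NT4EmulatorState -ComputerName $dcs | Format-Table -AutoSize
Set-NT4EmulatorState -ComputerName $dcs -WhatIf
# Set-NT4EmulatorState -ComputerName $dcs            # apply
# Set-NT4EmulatorState -ComputerName $dcs -Disable   # revert once enough DCs are AD
```

Two practical points: the value is per DC and coarse, so set it consistently on every AD DC (a single DC left without it will still pull clients onto Kerberos, and as Guido notes those clients then need to be rejoined to go back), and run the report function again after the change so you have a record of which DCs are emulating NT4 and remember to clear it when the migration is done.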

-----Original Message-----
From: Andries Thijssen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 2 April 2003 13:13
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] downlevel client authentication


Also working from memory.

There is an issue when all clients have been upgraded to W2K and all servers
remain on NT4. When the first server is upgraded, any clients authenticating
to that server will then be unable to authenticate to any of the other
servers, leading to various problems as indicated by Rick.

I recall that there is a registry setting to keep the client on NTLM, but
cannot find a reference in google :o( Possibly this setting was only
introduced with Windows XP.

Andries

-----Original Message-----
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 7:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] downlevel client authentication


Here is another issue that may come up when you start upgrading clients to
be aware of. If a w2k client authenticates to the NT 4 BDCs that will work
fine. The w2k client will use NTLM in the absence of AD for authentication.
But if the NT4 DC happens to be unavailable and the client contacts a w2k DC
and can authenticate using Kerberos then it will never be able to
authenticate with NTLM again after that.

I pulled this from memory and am a bit shaky on the details so possibly
someone could clarify if I am mis-representing this. Even though it is not
directly related it may be something this type of environment will encounter
during its modernization effort.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2003 10:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] downlevel client authentication

When dealing with downlevel clients, a Windows 2K DC looks like an NT 4.0
BDC - hence it can authenticate the client.  So, in your example of the
mixed-mode site, there is no reason for a client to have to authenticate
with the PDC-E.

And, to further emphasize the point - if you install the DS Client, you can
change passwords by contacting any Windows 2000 DC.

If you will remember in Windows NT domains, the PDC was typically so busy
doing everything else that was necessary for a writeable system, that the
BDCs did the lion's share of the work.  The PDC actually did very little
authentication at all.

And, to further the point one more step - in a very complex structure,
having to contact the PDC-E for authentication would be very inefficient in
any type of WAN environment.  This might prompt many administrators to
create a domain per remote site just to control authentication traffic.

Fortunately, this isn't necessary, as authentication is possible at any DC.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Tuesday, April 01, 2003 5:23 PM
To: [EMAIL PROTECTED]

All,

Please help me resolve a "discussion" with some strong opinions on both
sides of the camp.  You see, our reading on the role of the PDC Emulator in
regard to a mixed-mode domain with downlevel clients (we're not upgrading
the NT4.0 client software) has left us with differing interpretations.

We agree and understand that the PDC Emulator is contacted directly by the
downlevel clients to change their passwords.  We also understand and agree
that the PDC Emulator is the source of SAM replication.

Our disagreement is in authentication.  Some folks are reading it as all
downlevel client activity, including authentication, is done at the PDC
emulator.  Others read this as the downlevel client is authenticated by the
domain controller that responds first (or the last time the client was
authenticated [we're also a bit unclear on that concept]).

To me, this is very clear (but I could be the cause of the confusion). In a
branch office environment running mixed mode we would have a combination of
Win2k and NT4.0 domain controllers in the field offices.  The NT4.0 BDCs
are not aware of the fact that they're really part of an AD domain and nor
would the clients.  Thus, if the clients don't know about AD, and the BDC
doesn't know about AD, how would the client know that it had to contact the
PDC emulator to be authenticated?  It wouldn't.  Hence, downlevel client
authentication must occur at any domain controller (again, the one that
responds first [or the last one]).


Please help clear this up and please include a link to something that helps
clear this up.


Thanks,
Mike Baudino



******************* PLEASE NOTE ******************* This E-Mail/telefax
message and any documents accompanying this transmission may contain
privileged and/or confidential information and is intended solely for the
addressee(s) named above.  If you are not the intended addressee/recipient,
you are hereby notified that any use of, disclosure, copying, distribution,
or reliance on the contents of this E-Mail/telefax information is strictly
prohibited and may result in legal action against you. Please reply to the
sender advising of the error in transmission and immediately delete/destroy
the message and any accompanying documents.  Thank you.


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
-----------------------------------------------------------------
ATTENTION:
No legal consequences can be derived from the content of this 
e-mail and/or its attachments. Neither is sender committed to 
these. The content of this e-mail is exclusively intended for 
addressee(s) and information purposes. Should you receive this 
message by mistake, you are hereby notified that any disclosure, 
reproduction, distribution or use of this message is strictly 
prohibited. Sender accepts no liability for any damage resulting 
from the use and/or acceptation of the content of this e-mail. 
Always scan attachments for viruses before opening them. 
----------------------------------------------------------------- 