Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

You have a Microsoft Windows NT 4.0 domain with Windows 2000 or Windows XP domain member computers. After you upgrade the Primary Domain Controller (PDC) of the domain to Windows 2000, you may experience the following issues: The computers

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 309273 - Last Review: December 3, 2007 - Revision: 5.4

Windows Server Members Still Authenticate with BDCs After PDC Is Upgraded

View products that this article applies to.
System TipThis article applies to a different version of Windows than the one you are using. Content in this article may not be relevant to you. Visit the Windows Vista Solution Center
This article was previously published under Q309273

SYMPTOMS

In a Microsoft Windows NT 4.0 domain that includes Windows Server or Windows XP-based member computers, when you upgrade the Primary Domain Controller (PDC) to Windows Server, you may experience the following symptoms:
  • The Windows Server or Windows XP-based member computers may continue to use a Windows NT 4.0 Backup Domain Controller (BDC) for authentication.
  • In Windows Server, specific attributes on the computer account (dNSHostName and servicePrincipalName) may be missing.
  • When you log on to the workstations, "Directory" may be missing under "Entire Network" in "My Network Places".
  • In network traces from affected domain members, you may see Kerberos errors on logon. This is because many computer accounts do not have the servicePrincipalName attribute that is required to issue Kerberos tickets.
  • Windows Server members only apply downlevel machine policies and not machine policies that are defined on sites, domains and organizational units in Active Directory.
  • The domain that the computer is joined to lists the NetBIOS name of the domain instead of the fully qualified domain name (FQDN) when Windows Server members have established encrypted channels to Windows Server domain controllers in a mixed-mode, mixed-version domain.
Back to the top

CAUSE

This behavior may occur because Windows Server or Windows XP-based member computers that are joined to a Windows NT 4.0 domain that is later upgraded to Windows Server Active Directory do not actively discover or establish encrypted channels with Windows Server domain controllers. Because of this, Active Directory features such as Kerberos authentication, Active Directory policies, and site-based domain controller discovery are not enabled.

The only certain way for a Windows Server or Windows XP-based member computer to learn that its domain contains Windows Server domain controllers is for the member computer to query the primary domain controller for the version of its operating system. In a large domain, this operation could overload the PDC with session and authentication requests. To avoid this overload scenario, Windows Server-based or Windows XP-based member computers continue to establish encrypted channels with existing downlevel domain controllers until Windows Server domain controllers are "discovered".

In a network trace you can see that the client sends logon requests to all domain controllers that are returned in the WINS 1C response and also tries other means (such as broadcasts) to locate domain controllers. Both Windows NT 4.0 and Windows Server domain controllers may respond to the logon request, but in the end the client will establish an encrypted channel and authenticate with the domain controller that first responds. The user logon authentication may later occur by using Kerberos with a Windows Server domain controller.
Back to the top

MORE INFORMATION

In Windows 2000 Service Pack 2, support was added for Nt4emulator. Nt4emulator makes uplevel domain controllers in a Windows NT 4.0 domain behave as Windows NT 4.0 domain controllers. This prevents uplevel clients from detecting and possibly overloading the uplevel domain controllers. There are settings that can accelerate or delay the discovery of Windows Server domain controllers by domain members with downlevel encrypted channels.
  • For WINS, read the following Microsoft Knowledge Base article:
    269424  (http://kbalertz.com/Feedback.aspx?kbNumber=269424/EN-US/ ) WINS Prepend1BTo1CQueries Feature Aids Load-Balancing
  • Stack the WINS 1C list on WINS servers with static registrations for Windows Server or Windows NT 4.0 domain controllers to be used for logon authentication.
  • The NETBIOS node type, this is configurable through DHCP options on DHCP servers or the Windows registry that defines the order and type of name resolution clients that are used to discover domain controllers.
You can also use an LMHOSTS file to have better control of which domain controllers the member will find. For additional information about this, click the article number below to view the article in the Microsoft Knowledge Base:
180094  (http://kbalertz.com/Feedback.aspx?kbNumber=180094/EN-US/ ) How to Write an LMHOSTS File for Domain Validation
Windows Server and Windows XP members will create a encrypted channel with Windows Server domain controllers when the following conditions are true:
  • A Windows Server domain controller responds first to the logon requests when the member boots up.
  • The encrypted channel is manually reset to a Windows Server domain controller by using the netdom reset or nltest /sc_reset command.
  • Create a new computer account and rejoin the domain member to the domain.
At this point the member will learn the DNS name of the domain and store it in an LSA secret. The next time the member computer is rebooted, all components in the system will learn about the DNS domain name.

At this time, the dnsHostName and servicePrincipalName properties will be updated on the computer object in Active Directory, and the FQDN will appear in My Computer, under Properties.
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Back to the top
Keywords: 
kbnetwork kbprb KB309273
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting