Rollback to NT4 domain from 2000 mixed mode

[Todd B]

Have corrupt 2000 AD no backups mixed mode with NT4 bdc's. Have 2K & XP
clients.

Anyone have a way to rollback to NT4 without having to re-add these clients
to the domain.

Help...

Thanks,

Todd Bergman
System Engineer ISG
mailto:[email protected]

 

[Frank Szita [MSFT]]

Remove the Windows 2000 domain controllers and make one of the NT4 BDC's to
a PDC

Best regards,

Frank Szita [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Todd B]

Thank you very much for your response.
There are corrupt tables in ntds.dit. The customer does not have any valid
backups. My one option is rollback. They have all XP&2000 clients so trick
is disabling Kerberos and a what ever it is to allow 2k & Xp clients to
authenticate to a rollback nt4 pdc.

thanks
-Todd Bergman

 

[Frank Szita [MSFT]]

Windows 2000 and above uses 2 forms of authentication: Kerberos and NTLM.
The operating system will attempt to use kerberos first. If there are no
domain controllers to answer a kerberos request then it will attempt to use
ntlm. If you remove Windows 2000 active directory and promote NT4 BDC to
PDC, the workstation will attempt to make a kerberos authentication which
will fail because no Windows 2000 domain controllers will be available.
Then it will make an NTLM request which should be answered by the NT4 PDC.
The key is giving the workstation the ability to discover the domain
controller. Make sure either WINS is used or LMHOSTS is configured. The
NT4 PDC will broadcast that it is a PDC but broadcast is less reliable than
using WINS. If you wish to test you can remove the Windows 2000 domain
controller temporarily.

Best regards,

Frank Szita [MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Todd B]

I tested the process on virtual pc. The clients will not authenticate to NT
after they have been introduced to AD. In fact one process that did work
for 2000 clients was:
remove 2000 ad from net
promote one of the nt bdc's to pdc
upgrade that pdc to 2000 ad
all DNS and WINS properly configured
2000 machines seemed to work XP machines needed to rejoin domain

I guess my question to everyone is after a rollback to NT4 PDC. 2K&XP
clients will not authenticate to NT domain controllers. If I promote the
rollback server to 2000 I do not believe there is anyway to get around
rejoining the clients to the domain. The only way to have these clients
authenticate to NT4 bdc's when the domain is upgraded is Q298713 "How to
prevent overloading on the first domain controller during domain upgrade"
however this MS trick does not apply.

Unless anyone else has any ideas I am scripting with the netdom utility to
rejoin clients. Or bring on the gophers to do the manual process.