Fallback to NT4 - Clients won't talk to Domain

Paul

We have been experimenting in the lab with the UPGRADE
route for converting our NT4 domain to Active Directory.
One of the reasons we were attracted to this route was the
claimed ability (in the Migration Cookbook) to fallback to
the original domain by removing the new W2K DCs and
replacing with the stored NT4 PDC. This all works OK,
except...

Any WXP client which has logged in to the new AD doesn't
want to play with the 'fallen-back' NT4 domain. It says
that it can't find a [NT4] domain controller. Indeed, the
client's domain name has 'automatically' changed to the
name of the AD domain and also the preferred DNS server
has been altered. The event log says specifically that a
downgrade is being attempted, and it is necessary for the
client to rejoin the NT4 domain.

Have we missed something? The Cookbook seems quite
insistent that you can fall back in this manner! Is there
an easy way to move all the clients back to the NT4 domain
without visiting them all?

Incidentally, if we did find a way to rejoin the NT4
domain for all our clients, then presumably we wouldn't be
able to re-migrate them to AD without starting from
scratch, because the upgraded W2K DC would no longer have
valid machine accounts for the clients (different SIDs)?

Paul
 
Herb Martin

Paul said:
We have been experimenting in the lab with the UPGRADE
route for converting our NT4 domain to Active Directory.
One of the reasons we were attracted to this route was the
claimed ability (in the Migration Cookbook) to fallback to
the original domain by removing the new W2K DCs and
replacing with the stored NT4 PDC. This all works OK,
except...

Any WXP client which has logged in to the new AD doesn't
want to play with the 'fallen'back' NT4 domain. It says
that it can't find a [NT4] domain controller. Indeed, the

There is a feature/setting in XP that causes it to "latch onto"
Win2000+ DCs.

It's a registry entry to put it back -- someone will post it
today or tomorrow in this thread, but you can look it up on
the MS website through search Google with something like:

[ site:microsoft.com XP 2000 | 2003 DC BDC | PDC registry]

I don't know if that will get it to the top but it will likely be in
there somewhere.

Oh, and it's a "feature" because this lets the new clients get
their Group Policy and full AD benefits.

--
Herb Martin


 
CJ

You will have to take the WinXP machines and make them a WORKGROUP member,
reboot, then add them to the domain again. It's a pain, but that's what
solved my problem.
 
Bob Qin [MSFT]

Hi Paul,

Thanks for your posting here.

The Windows 2000/XP workstations prefer to authenticate via Kerberos. Once
you have upgraded to Windows 2000 AD, they will not fall back to NTLM
authentication. The only solution is to remove and re-add the workstations
to the domain.

This can be worked around by using the NT4Emulator registry entry placed on the
Windows NT 4.0 PDC before it is upgraded to Windows 2000 and then the 2000
DC is upgraded to Windows 2000 SP2 or higher. It will force each DC as it
is brought up to only authenticate with NTLM.

More information
======

Windows 2000-Based Clients Connect Only to the Domain Controller That
http://support.microsoft.com/default.aspx?scid=kb;en-us;284937

Have a nice day!

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
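The NT4Emulator workaround Bob Qin describes, written out as a batch script. This is an added example, not code from the thread or from Microsoft's article. It is run on the NT 4.0 PDC before the upgrade (and can be re-run on the upgraded DC once it is on Windows 2000 SP2 or later). The key path and the value names NT4Emulator and NeutralizeNT4Emulator under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters are the ones Microsoft documents; the dc/client/off arguments and the temporary file names are this script's own conventions. regedit /s and /e are used rather than reg.exe because they exist on NT 4.0 as well as on 2000/XP.

```batch
@echo off
rem Added example (not from the thread or from Microsoft's article text).
rem   nt4emulator.cmd dc      on the NT4 PDC before upgrade: set NT4Emulator=1 so the
rem                           upgraded DC presents itself to W2K/XP clients as an NT4
rem                           DC (NTLM only) and a rollback to the NT4 PDC is invisible
rem   nt4emulator.cmd client  on W2K/XP admin workstations that still need full AD
rem                           (AD Users and Computers, Group Policy editing): set
rem                           NeutralizeNT4Emulator=1 so they ignore the emulation
rem   nt4emulator.cmd off     when the fallback window is over: delete NT4Emulator so
rem                           clients get Kerberos and AD Group Policy again
rem Key/value names are Microsoft's; file names below are made up for this script.

set KEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
set REGFILE=%TEMP%\nt4emulator.reg
set DUMP=%TEMP%\netlogon-params.txt

if "%1"=="dc"     goto :dc
if "%1"=="client" goto :client
if "%1"=="off"    goto :off
echo usage: %0 dc ^| client ^| off
goto :end

:dc
rem Redirect-first form: "echo ...1>>file" would otherwise eat the trailing 1 as a
rem handle number, and "echo ... >>file" would leave a trailing space in the .reg.
>"%REGFILE%"  echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%KEY%]
>>"%REGFILE%" echo "NT4Emulator"=dword:00000001
goto :apply

:client
>"%REGFILE%"  echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%KEY%]
>>"%REGFILE%" echo "NeutralizeNT4Emulator"=dword:00000001
goto :apply

:off
rem In REGEDIT4 syntax "name"=- deletes the value.
>"%REGFILE%"  echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [%KEY%]
>>"%REGFILE%" echo "NT4Emulator"=-
goto :apply

:apply
rem REGEDIT4 headers are accepted by NT 4.0, 2000 and XP; /s imports silently.
regedit /s "%REGFILE%"
rem Verify: export the key and look for the value. On 2000/XP the export is
rem Unicode, which find (unlike findstr) can search.
regedit /e "%DUMP%" %KEY%
find /i "NT4Emulator" "%DUMP%"
if errorlevel 1 echo No NT4Emulator values present under %KEY%.
del "%REGFILE%"
del "%DUMP%"
echo Netlogon reads this value when it starts: restart the Netlogon service
echo (net stop netlogon ^& net start netlogon) or reboot for it to take effect.

:end
```

Two caveats a practitioner would want stated. First, this is a deliberate downgrade: while NT4Emulator is set the Windows 2000/XP clients authenticate to that DC with NTLM and get none of the Kerberos or AD Group Policy benefits Herb mentions, so keep the window between upgrade and the "off" step as short as the rollback plan allows. Second, as Bob Qin says, the value has to be in place before the PDC is upgraded; setting it afterwards does not undo clients that have already switched to the AD domain.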
 
Herb Martin

authentication. The only solution is to remove and re-add the workstations
to the domain.
This can be worked around by using the NT4Emulator registry entry placed on the
Windows NT 4.0 PDC before it is upgraded to Windows 2000 and then the 2000
DC is upgraded to Windows 2000 SP2 or higher. It will force each DC as it
is brought up to only authenticate with NTLM.

Are you saying there is NO OTHER WAY, after the fact, to
revert the XP machines to using the PDC/BDCs of a reverted
NT4 domain?

No registry key if this was not preplanned?
 
Bob Qin [MSFT]

As far as I know, there is no other way to let Windows 2000/XP clients log on
properly after rollback if you did not set the NT4Emulator registry entry during
the upgrade.

You can try to use Netdom tool to reset the computer accounts in NT domain.

netdom reset <machinename> /domain:<domainname>

If the clients still cannot log on to the domain, please try to use netdom to
re-add the clients to the domain.

References:

Resetting computer accounts in Windows 2000 and Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;216393

329721 Description of Netdom.exe Syntax and Versions
http://support.microsoft.com/?id=329721

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

 
CJ

Herb Martin said:
Are you saying there is NO OTHER WAY, after the fact, to
revert the XP machines to using the PDC/BDCs of a reverted
NT4 domain?

There is. I have tested my own AD upgrade by putting my PDC offline and
upgrading, then using my Windows XP machine to log on.
Once I log on in AD, I am assigned the FQDN name such as cj.mydomain.com.

When I take the test AD 2003 server offline and put my NT domain back on, I
have to switch back to the NETBIOS name and put it in as a workgroup, not
the domain.
Then I reboot, THEN I change it back to the domain and reboot again.

NOTE: before you reboot after making it a workgroup only, make sure you know
the administrator password to get back on.

This is what you need to do. I know because I have done this several times
over the past couple of weekends in testing my upgrade.
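Paul's original question was how to get the clients back without visiting them all. The script below is an added example, not something posted in the thread: it drives Bob Qin's "netdom reset" suggestion and, where that is not enough, CJ's workgroup-reboot-rejoin sequence over the network from a Windows 2000/XP admin box with the Support Tools (netdom.exe) installed. The domain name NT4DOM, the file clients.txt and the account names are placeholders; the netdom subcommands and switches (verify, reset, remove, join, /userD, /passwordD, /userO, /passwordO, /reboot) are the documented ones.

```batch
@echo off
setlocal
rem Added example, not from the thread. For each client listed in clients.txt:
rem   1. netdom verify  - secure channel to an NT4 DC already fine? skip it
rem   2. netdom reset   - Bob Qin's cheap repair: reset the machine account password
rem   3. netdom remove / reboot / netdom join / reboot - CJ's GUI procedure, remotely
rem /userD = account in the NT4 domain, /userO = LOCAL Administrator on the client
rem (the password CJ warns you must know before the box leaves the domain).

set DOM=NT4DOM
set DOMADMIN=%DOM%\Administrator
set LOCALADMIN=Administrator
set LIST=clients.txt
set LOG=rejoin.log

if not exist %LIST% (
    echo Put one client name or IP per line in %LIST% ^(lines starting with ; are ignored^)
    exit /b 1
)

rem Prompted once; set /p echoes what you type, so run this at a console nobody
rem is watching. For a hand-run single client use /passwordD:* and /passwordO:*
rem instead, which make netdom prompt and keep the password off the command line.
set /p DOMPW=Password for %DOMADMIN%: 
set /p LOCPW=Local %LOCALADMIN% password on the clients: 

for /f "eol=; tokens=1" %%m in (%LIST%) do call :fix %%m
endlocal
exit /b 0

:fix
netdom verify %1 /domain:%DOM% /userO:%LOCALADMIN% /passwordO:%LOCPW% >nul 2>&1
if not errorlevel 1 (echo %1: secure channel OK>>%LOG% & goto :eof)

netdom reset %1 /domain:%DOM% /userO:%LOCALADMIN% /passwordO:%LOCPW% >>%LOG% 2>&1
if not errorlevel 1 (echo %1: reset OK>>%LOG% & goto :eof)

rem Drop to a workgroup and reboot the client 10 s later...
netdom remove %1 /domain:%DOM% /userD:%DOMADMIN% /passwordD:%DOMPW% /userO:%LOCALADMIN% /passwordO:%LOCPW% /reboot:10 >>%LOG% 2>&1
if errorlevel 1 (echo %1: REMOVE FAILED, visit it>>%LOG% & goto :eof)
rem ...wait for it to come back (no sleep.exe on a stock box, ping is the usual delay)...
ping -n 91 127.0.0.1 >nul
rem ...then join the NT4 domain again and reboot once more, as CJ does by hand.
netdom join %1 /domain:%DOM% /userD:%DOMADMIN% /passwordD:%DOMPW% /userO:%LOCALADMIN% /passwordO:%LOCPW% /reboot:10 >>%LOG% 2>&1
if errorlevel 1 (echo %1: JOIN FAILED, visit it>>%LOG%) else (echo %1: rejoined %DOM%>>%LOG%)
goto :eof
```

Two practical notes. Paul observed that the fallen-back clients have had their DNS suffix and preferred DNS server changed, so name resolution of the clients themselves may be unreliable; listing them by IP address in clients.txt avoids that. And because the script passes credentials on the command line (visible in the process list to anyone logged on to the admin box while it runs) and reboots clients remotely, run it from a machine you control and check rejoin.log for the "visit it" entries afterwards.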
 
Paul

Herb - did you have that registry entry, please? Or did
the message from MS scupper it?

Paul

-----Original Message-----
Paul said:
We have been experimenting in the lab with the UPGRADE
route for converting our NT4 domain to Active Directory.
One of the reasons we were attracted to this route was the
claimed ability (in the Migration Cookbook) to fallback to
the original domain by removing the new W2K DCs and
replacing with the stored NT4 PDC. This all works OK,
except...

Any WXP client which has logged in to the new AD doesn't
want to play with the 'fallen'back' NT4 domain. It says
that it can't find a [NT4] domain controller. Indeed, the

There is a feature/setting in XP that causes it to "latch onto"
Win2000+ DCs.

It's a registry entry to put it back -- someone will post it
today or tomorrow in this thread, but you can look it up on
the MS website through search Google with something like:

[ site:microsoft.com XP 2000 | 2003 DC BDC | PDC registry]

I don't know if that will get it to the top but it will likely be in
there somewhere.

Oh, and it's a "feature" because this lets the news clients get
their Group Policy and full AD benefits.

--
Herb Martin


 
Herb Martin

The registry entry is the one he mentioned and is apparently
only useful BEFORE the upgrade.


--
Herb Martin


Paul said:
Herb - did you have that registry entry, please? Or did
the message from MS scupper it?

Paul

 
CJ

Guys, forget the registry entry, just see my solution.

It is exactly what I did when going from an AD system back to NT domains.

Paul said:
Herb - did you have that registry entry, please? Or did
the message from MS scupper it?

Paul

 
