NT 4.0 cannot access shares on Win2000 AD controller

Nick

I'd appreciate greatly if anybody could shed some light on
a strange problem we ran into after a recent migration
from NT to 2003 Active Directory (AD).

We have made in-place upgrade of an NT domain controller
to Windows 2003 Server, and then ran DCPROMO to convert it
to the AD controller. It all went fine, and we installed a
freshly built Windows 2003 as a secondary DC.

Then we ran DCPROMO on 2 more regional office machines -
one Windows 2003 Server (let's call it server A), one
Windows 2000 Server (server B). All went fine and dandy,
too. Thus we got ourselves an Active Directory, and
decommissioned NT domain controllers.

We have all our users (~400) on Windows 2000 Pro, and they
are all fine. However we still have some NT 4.0 based
machines in the environment (incl. Citrix Metaframe NT
environment), and we learned about a problem.
The problem is that no NT based machine can access shares
on that "Server B" Windows 2000 based AD controller. Other
AD controllers can be accessed fine.

Typing \\servername or \\serverIP pops up Access Denied.

Typing \\servername\sharename prompts for username and
password, but never accepts any AD users, even Domain
Admins.
Any ideas?
I will greatly appreciate your help.
Ray Lava [MSFT]

Nick,

In Windows 2003, there are some additional security restrictions enforced by
default that are most likely causing this problem.

Go into your default domain controller policy on one of your domain
controllers. Go down to Computer Configuration - Windows Settings -
Security Settings - Local Policies - Security Options.

Change the following settings:

1. Domain member: Digitally encrypt or sign secure channel data (always).
Set this to disabled.

2. Microsoft network server: Digitally sign communications (always). Set
this to disabled.

3. Network Security: LAN Manager authentication level. Change this to
Send LM & NTLM - use NTLMv2 session security if negotiated.

Once these changes have been made and replicated out to your other domain
controllers, then run the following command on all of your DCs from a
command prompt:

gpupdate /force

This should resolve your authentication problems with your downlevel
clients.
Ray Lava
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights
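An added audit script, not from the thread, that reads the registry values behind the three Security Options Ray lists and reports whether a DC is currently in the relaxed, NT 4.0-compatible state, so the settings can be tracked and re-tightened once the NT machines are retired. It assumes it is run locally on a PowerShell-capable DC after gpupdate; the registry paths and value names are the documented backing values for those policies, not something from the thread.

```powershell
# Audit the three Security Options from the answer above by reading the
# registry values that back them. Relaxed = the value the answer asks for.
$checks = @(
    @{
        Policy  = 'Domain member: Digitally encrypt or sign secure channel data (always)'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name    = 'RequireSignOrSeal'
        Relaxed = 0   # 0 = Disabled (NT 4.0 interop), 1 = Enabled (hardened)
    },
    @{
        Policy  = 'Microsoft network server: Digitally sign communications (always)'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name    = 'RequireSecuritySignature'
        Relaxed = 0   # 0 = Disabled (NT 4.0 interop), 1 = Enabled (hardened)
    },
    @{
        Policy  = 'Network security: LAN Manager authentication level'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name    = 'LmCompatibilityLevel'
        Relaxed = 1   # 1 = "Send LM & NTLM - use NTLMv2 session security if negotiated"
    }
)

foreach ($c in $checks) {
    # A missing value means the OS default applies; report that rather than guessing.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = $null
    if ($null -ne $item) { $value = $item.($c.Name) }

    if ($null -eq $value) {
        $state = 'not set (OS default applies)'
    } elseif ($value -eq $c.Relaxed) {
        $state = 'RELAXED for NT 4.0 interop'
    } else {
        $state = 'hardened'
    }

    [pscustomobject]@{
        Policy = $c.Policy
        Value  = $value
        State  = $state
    }
}
```

Because these are applied through the Default Domain Controllers Policy, every DC ends up in the relaxed state, not just server B; run the script on each DC and keep the output as the baseline to revert against once the last NT 4.0 host is gone.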