RAS Access across domains

SarahR

I am mid-migration from an NT 4 domain to a 2003 domain.
The domains have a 2-way trust relationship. RAS access is
to a w2k machine sitting in the NT4 domain. When dialling
in and logging on with a 2003 domain username and password
I get error 691 - invalid username or password. However a
similar trust relationship with another NT4 domain allows
the user to authenticate. What am I missing?
 
Sam Salhi [MSFT]

I will assume that you have already added the VPN/RAS/IAS machine to the RAS
and IAS servers group on the Win2k3 domain and give you this advice. Move your
VPN server to the Win2k3 domain; it's more secure there than in the NT4
domains.
There were some security enhancements done to Win2k3 DCs that require
the VPN/IAS server to have encrypted LDAP traffic (not the case for Win2k).
So you have 3 options:
A) Move the RRAS/VPN/IAS machine to the Win2k3 domain
B) Add a Win2k3 IAS server in the NT4 domain and forward the requests of
Win2k3 to an IAS server in the Win2k3 domain
C) Enable dSHeuristics on the Win2k3 domain (not recommended)
 
