Trusted NT4 Domain RAS Problem

[Darren Lane]

I have googled my brains out on this on and I can't find a solution to it.
W2K3 AD with 2-way trust to old NT4.0 domain. Got a member server in old,
NT4 SP6a server running RAS. If I connect using credentials in the old
domain, I connect fine. If I try to connect using credentials in the new
domain, I get a client error "The authentication server did not respond in a
timely fashion", and event ID 20073 pops into RAS server event log. Did some
checking and found that adding the RAS server to the "RAS and IAS Servers"
security group in AD should fix it. Problem is, I can't add any server
objects/machine objects from the NT 4 Domain to add to the group, only users
and groups. (This also happens trying to add objects to any groups) Also
supposed to be able to use "netsh ras add registeredserver" to do this, but
that fails with "The specified domain either does not exist or could not be
contacted". Domain and server name show correctly at that command. Trust is
working for all other functions. Pre-Windows 2000 Compatible access is set
to everyone. Can't migrate this box to the new AD yet since I still have
remote users on the old domain and we can't migrate them for a while yet.
Not using IAS. Plans are to eliminate the need for this by upgrading the RAS
Server to Win2k3 and making a member of the new domain but I need to make
this work for now. It appears that AD doesn't support adding NT4 machine
accounts to the groups. Any ideas?

Thanks!

Darren, MCP

 

[Bill Grant]

Because the RRAS server is a member of the NT domain, it will authorise
dialup connections against that SAM database and remote access policy. When
you upgrade it to W2k/w2k3 and make it a member of the new domain, it will
become a member of the IAS and RAS servers group and authenticate with AD.
You should not even need to do the netsh command - it should just happen. (A
"netsh ras show registeredserver" will display all servers registered for
ras in AD).

What problem exactly is this causing you? The username/password used to
set up the remote connection are not necessarily the credentials the client
will use to access resources. They just verify that you have permission to
connect remotely. Making a remote connection is not a logon operation. So
the fact that a client connects using a username/password from the "old"
domain shouldn't prevent access to AD resources. By the same token,
connecting using a username/password from AD doesn't guarantee access to AD
resources. What matters is what credentials the client presents to the AD
server when it tries to access a resource. These do not need to be the same
as those used for connection. For instance, if the client did a local login
before making the dialup connection, it will usually send these credentials.
You can of course alter this by fiddling with the client's connection
properties. Or you can add the credentials to a net use command using the
/user option.

 

[Darren Lane]

I appreciate you response. Basically we are not at a point where we can
migrate out NT4 RAS Server into the new Active Directory domain, however
with new remote user setups both Laptops and Home users we want to make them
members and users of the new Active directory. We were hoping we could
utilize our existing RAS Server which is still a member of our NT 4 Domain
and allow Users from the new Active Directory domain to dial into the NT4
Ras Server. The problem is that the NT4 RAS Server from the trusted domain
cannot verify that the Active Directory user even has dial up permissions.

If we create a user in the NT domain with dial up priveledges they can
successfully dial up and then we can authenticate across the trusted domain
fine using the Active Directory user. The problem is with new Users that
are members of the WIN2K3 Active Directory Domain cannot dial into our NT 4
RAS Server. We are having trouble just getting the NT 4 Doamin RAS Server
to verify that the Active Directory User even has dial up access. We do not
really want multiple accounts for each remote user.

I think this problem is specific to Windows 2003 Active Directory. I have
another Active Directory domain which is a Windows 2000 Active Directory
domain that trusts my NT 4 Domain. Users that are a member of the Windows
2000 AD can dial into my NT4 domain RAS Server and make a successful
connection. Something that has been implemented in Windows 2003 Server (I
assume for security reasons) doesn't allow an NT4 Domain Controller to
access the properties pages of the Active directory users to verify the dial
in access. Only things I can find on this are to add Everyone to the
Pre-Windows 2000 Compatible access or add the RAS server to the Ras and IAS
Servers security group in my Active Directory which I cannot because the
server is a Domain Controller of another domain.

Here are my solutions:

1. Configure my Active Directory to allow the NT4 Domain server to access
the properties of my AD User. (Preferable solution)
2. Setup a RAS Server in my Active Directory. - (Would require additional
modem lines)
3. Migrate my NT 4 Server to the Active Directory. (Cannot be done for a
quite a while because of infrastructure)
4. Create a generic account for dial in access only in the NT 4 Domain then
use the AD User account for access to network resources.

There has to be a way to allow this to work. I am not sure if it is
something in the Group Policy that is prohibiting this or a group but If
anyone has any insight into this I would be very appreciative.

Thanks,
Darren Lane

 

[Bill Grant]

I see what you mean. I suspect you are right about it being something
new in W2k3. A lot of the default security settings are tighter and support
for legacy systems weaker.

One possible route would be to bypass Windows authentication and use
RADIUS. W2k3 includes IAS which is RADIUS compliant. I can't recall for sure
whether NT RRAS can authenticate to a RADIUS server, but I think it can. In
W2k, it just involves changing the authentication provider from Windows to
RADIUS.

With this setup, your IAS server becomes a virtual remote access server
in AD. It has the remote access policies for the AD domain and authenticates
clients against AD. It becomes a member of the IAS and RAS servers group.
The actual remote access servers forward all requests to the IAS server, but
can do so using RADIUS rather than internal Windows methods (to allow
non-Windows RAS devices).

 

[Darren Lane]

I have found several articles that discuss setting up a RADIUS Server but I
think (If I cannot find a solution to this problem) We may do a couple
things. Temporarily use a "Generic" NT Account from the NT 4 Domain that
has no access to our network except to dial in. Then authenticate using the
AD User account. At least we can do this until we can get a new RRAS server
configured in the Active directory domain.

Thanks for your responses. Maybe a Guru from Microsoft will stumble across
this thread and post what is actually causing this. I am still thinking it
is a policy or something to do with the fact I cannot add the NT 4 Domain
RAS Server to the AD Ras and IAS Servers security group.

Darren

 

[Darren Lane]

For those interested:

I called Microsoft and this problem is Behavior by design. It will not work
due to security enhancements of the Windows 2003 Active Directory. It will
work in the opposite direction. IE If my RAS Server was in my Active
directory domain users from the NT 4 domain could dial into that server.