Archived from groups: microsoft.public.win2000.group_policy
I guess my question to everyone is after a rollback to NT4 PDC. 2K&XP
clients will not authenticate to NT domain controllers. If I promote the
rollback server to 2000 I do not believe there is any way to get around
rejoining the clients to the domain. The only way to have these clients
authenticate to NT4 bdc's when the domain is upgraded is Q298713 "How to
prevent overloading on the first domain controller during domain upgrade"
however this MS trick does not apply.
Unless anyone else has any ideas I am scripting with the netdom utility to
rejoin clients. Or bring on the gophers to do the manual process.
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news
q1sd.505224$D%.185414@attbi_s51...
> OK Todd.
>
> You do not have to worry about Kerberos as XP Pro/W2000 computers can
> fall back to lm/ntlm/ntlmv2 authentication if Kerberos cannot be used.
> This will even happen on an AD domain if you use the IP address of a
> computer instead of its computer name to access a share. Look in security
> options and you will see the option for "lan manager authentication level"
> which is used to configure downlevel authentication. An NT4.0 domain
> controller can use ntlmv2 as long as at least SP4 is installed on the
> computer. Good luck. --- Steve
>
>
> "Todd B" <tbergman@goisg.com> wrote in message
> news:Oc%23Br$T2EHA.3408@tk2msftngp13.phx.gbl...
>> Thank you very much for your response. I am very familiar with the tools.
>> There are corrupt tables in ntds.dit. The customer does not have any
>> valid backups. My one option is rollback. They have all XP&2000 clients
>> so the trick is disabling Kerberos and whatever it is to allow 2k & XP
>> clients to authenticate to a rollback nt4 pdc.
>>
>> thanks
>> -Todd Bergman
>>
>> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> news:aeUrd.182299$HA.128896@attbi_s01...
>>> This is more of an Active Directory question than Group Policy so I
>>> encourage you to also post in the win2000.Active_directory newsgroup.
>>> Having said that, it would be helpful if you post why you think your Active
>>> Directory is corrupt including any pertinent info from Event Viewer.
>>> Somebody may be able to help you solve your problem. I would also try to
>>> do a backup of the System State ASAP of your domain controller so that
>>> you have at least something in case things get worse as you try repairs
>>> or a rollback. There are ways to try and repair the ntds.dit file using
>>> ntdsutil.exe that stores active directory which may be something to look
>>> at as shown in the first link below if you believe that is the problem.
>>> The second link shows how to rollback a W2K mixed mode domain to a NT4.0
>>> domain for the purpose of renaming the domain but the procedure may be
>>> what you are looking at also. DNS misconfiguration can also be a cause
>>> of many problems in an Active Directory domain and the support tools
>>> netdiag and dcdiag [for domain controllers only] can be very helpful in
>>> diagnosing problems. Also if you applied any security templates, that
>>> may have included incompatible security changes for your domain
>>> configuration or enabled an ipsec policy on the domain, that can be a
>>> cause of a lot of problems still having downlevel BDC's. The third link
>>> below covers that topic. --- Steve
>>>
>>>
>>>
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;315131 -- ntdsutil.exe
>>>
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;292541 -- rollback W2K mixed to NT4.0
>>>
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- security setting incompatibilities.
>>>
>>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 -- Active Directory dns FAQ.
>>>
>>> "Todd B" <tbergman@goisg.com> wrote in message
>>> news:O%23HdE%23O2EHA.204@TK2MSFTNGP10.phx.gbl...
>>>> Have corrupt 2000 AD no backups mixed mode with NT4 bdc's. Have 2K & XP
>>>> clients.
>>>> AD is still online might be able to push policy to turn off Kerberos or
>>>> something.
>>>>
>>>> Anyone have a way to rollback to NT4 without having to re-add these
>>>> clients to the domain.
>>>>
>>>> Help...
>>>>
>>>> Thanks,
>>>>
>>>> Todd Bergman
>>>> System Engineer ISG
>>>> mailto:tbergman@goisg.com
>>>>
>>>
>>>
>>
>>
>
>
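
The "lan manager authentication level" option mentioned in the thread is stored in the registry as the LmCompatibilityLevel value under the Lsa key. The following is an added example, not part of the original posts: a PowerShell check that reads the value on a client and flags the case the thread describes, an NT4 domain controller that can only validate NTLMv2 with at least SP4. The function name and the `-Nt4DcHasSp4` parameter are hypothetical, and the caller is assumed to know the service pack level of the NT4 domain controllers.

```powershell
# Added example (not from the thread): report the LAN Manager authentication
# level on this machine and check it against an NT4 domain controller.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy text for each LmCompatibilityLevel value (0-5).
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityReport {
    param(
        # Assumption: supplied by the administrator, not detected by the script.
        [bool]$Nt4DcHasSp4 = $true
    )

    $prop = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
                             -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the operating system default applies.
        return [pscustomobject]@{
            Level   = $null
            Meaning = 'Not configured; operating system default applies'
            Finding = 'Check the effective policy in Security Options'
        }
    }

    $level = [int]$prop.LmCompatibilityLevel
    $meaning = $LevelMeaning[$level]
    if ($null -eq $meaning) { $meaning = 'Unknown level' }

    # Levels 3 and above make the client send NTLMv2 responses only.
    if ($level -ge 3 -and -not $Nt4DcHasSp4) {
        $finding = 'Client sends only NTLMv2; an NT4 DC below SP4 cannot validate it'
    } else {
        $finding = 'Compatible with the stated NT4 DC service pack level'
    }

    [pscustomobject]@{ Level = $level; Meaning = $meaning; Finding = $finding }
}

Get-LmCompatibilityReport -Nt4DcHasSp4 $true | Format-List
```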