Rollback to NT4 domain from 2000 mixed mode

G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Have corrupt 2000 AD no backups mixed mode with NT4 bdc's. Have 2K & XP
clients.
AD is still online might be able to push policy to turn off Kerberos or
something.

Anyone have a way to rollback to NT4 without having to re-add these clients
to the domain.

Help...

Thanks,

Todd Bergman
System Engineer ISG
mailto:tbergman@goisg.com
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

This is more of an Active Directory question than Group Policy so I
encourage you to also post in the win2000.Active_directory newsgroup. Having
said it would be helpful if you post why you think your Active Directory is
corrupt including and pertinent info from Event Viewer. Somebody may be able
to help you solve your problem. I would also try to do a backup of the
System State ASAP of your domain controller so that you have at least
something in case things get worse as you try repairs or a rollback. There
are ways to try and repair the ntds.dit file using ntdsutil.exe that stores
active directory which may be something to look at as shown in the first
link below if you believe that is the problem. The second link shows how to
rollback a W2K mixed mode domain to a NT4.0 domain for the purpose of
renaming the domain but the procedure may be what you are looking at also.
Dns misconfiguration can also be a cause of many problems in an Active
Directory domain and the support tools netdiag and dcdiag [for domain
controllers only] can be very helpful in diagnosing problems. Also if you
applied any security templates, that may have included incompatible security
changes for your domain configuration or enabled an ipsec policy on the
domain, that can be a cause of a lot of problems still having downlevel
BDC's. The third link below covers that topic. --- Steve


http://support.microsoft.com/default.aspx?scid=kb;en-us;315131 --
ntdsutil.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;292541 -- rollback
W2K mixed to NT4.0
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 -- security
setting incompatibilities.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --
Active Directory dns FAQ.

"Todd B" <tbergman@goisg.com> wrote in message
news:O%23HdE%23O2EHA.204@TK2MSFTNGP10.phx.gbl...
> Have corrupt 2000 AD no backups mixed mode with NT4 bdc's. Have 2K & XP
> clients.
> AD is still online might be able to push policy to turn off Kerberos or
> something.
>
> Anyone have a way to rollback to NT4 without having to re-add these
> clients to the domain.
>
> Help...
>
> Thanks,
>
> Todd Bergman
> System Engineer ISG
> mailto:tbergman@goisg.com
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thank you very much for your response. I am very familiar with the tools.
There are corrupt tables in ntds.dit. The customer does not have any valid
backups. My one option is rollback. They have all XP&2000 clients so trick
is disabling Kerberos and a what ever it is to allow 2k & Xp clients to
authenticate to a rollback nt4 pdc.

thanks
-Todd Bergman

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:aeUrd.182299$HA.128896@attbi_s01...
> This is more of an Active Directory question than Group Policy so I
> encourage you to also post in the win2000.Active_directory newsgroup.
> Having said it would be helpful if you post why you think your Active
> Directory is corrupt including and pertinent info from Event Viewer.
> Somebody may be able to help you solve your problem. I would also try to
> do a backup of the System State ASAP of your domain controller so that you
> have at least something in case things get worse as you try repairs or a
> rollback. There are ways to try and repair the ntds.dit file using
> ntdsutil.exe that stores active directory which may be something to look
> at as shown in the first link below if you believe that is the problem.
> The second link shows how to rollback a W2K mixed mode domain to a NT4.0
> domain for the purpose of renaming the domain but the procedure may be
> what you are looking at also. Dns misconfiguration can also be a cause of
> many problems in an Active Directory domain and the support tools netdiag
> and dcdiag [for domain controllers only] can be very helpful in diagnosing
> problems. Also if you applied any security templates, that may have
> included incompatible security changes for your domain configuration or
> enabled an ipsec policy on the domain, that can be a cause of a lot of
> problems still having downlevel BDC's. The third link below covers that
> topic. --- Steve
>
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;315131 --
> ntdsutil.exe
> http://support.microsoft.com/default.aspx?scid=kb;en-us;292541 --
> rollback W2K mixed to NT4.0
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
> security setting incompatibilities.
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --
> Active Directory dns FAQ.
>
> "Todd B" <tbergman@goisg.com> wrote in message
> news:O%23HdE%23O2EHA.204@TK2MSFTNGP10.phx.gbl...
>> Have corrupt 2000 AD no backups mixed mode with NT4 bdc's. Have 2K & XP
>> clients.
>> AD is still online might be able to push policy to turn off Kerberos or
>> something.
>>
>> Anyone have a way to rollback to NT4 without having to re-add these
>> clients to the domain.
>>
>> Help...
>>
>> Thanks,
>>
>> Todd Bergman
>> System Engineer ISG
>> mailto:tbergman@goisg.com
>>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

OK Todd.

You do not have to worry about kerberos as XP Pro/W2000 computers can
fallback to lm/ntlm/ntlmv2 authentication if kerberos can not be used. This
will even happen on an AD domain if you use the IP address of a computer
instead of it's computer name to access a share. Look in security options
and you will see the option for "lan manager authentication level" which is
used to configure downlevel authentication. A NT4.0 domain controller can
use ntlmv2 as long as least SP4 is installed on the computer. Good
uck. --- Steve


"Todd B" <tbergman@goisg.com> wrote in message
news:Oc%23Br$T2EHA.3408@tk2msftngp13.phx.gbl...
> Thank you very much for your response. I am very familiar with the tools.
> There are corrupt tables in ntds.dit. The customer does not have any valid
> backups. My one option is rollback. They have all XP&2000 clients so trick
> is disabling Kerberos and a what ever it is to allow 2k & Xp clients to
> authenticate to a rollback nt4 pdc.
>
> thanks
> -Todd Bergman
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:aeUrd.182299$HA.128896@attbi_s01...
>> This is more of an Active Directory question than Group Policy so I
>> encourage you to also post in the win2000.Active_directory newsgroup.
>> Having said it would be helpful if you post why you think your Active
>> Directory is corrupt including and pertinent info from Event Viewer.
>> Somebody may be able to help you solve your problem. I would also try to
>> do a backup of the System State ASAP of your domain controller so that
>> you have at least something in case things get worse as you try repairs
>> or a rollback. There are ways to try and repair the ntds.dit file using
>> ntdsutil.exe that stores active directory which may be something to look
>> at as shown in the first link below if you believe that is the problem.
>> The second link shows how to rollback a W2K mixed mode domain to a NT4.0
>> domain for the purpose of renaming the domain but the procedure may be
>> what you are looking at also. Dns misconfiguration can also be a cause of
>> many problems in an Active Directory domain and the support tools netdiag
>> and dcdiag [for domain controllers only] can be very helpful in
>> diagnosing problems. Also if you applied any security templates, that may
>> have included incompatible security changes for your domain configuration
>> or enabled an ipsec policy on the domain, that can be a cause of a lot of
>> problems still having downlevel BDC's. The third link below covers that
>> topic. --- Steve
>>
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;315131 --
>> ntdsutil.exe
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;292541 --
>> rollback W2K mixed to NT4.0
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
>> security setting incompatibilities.
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --
>> Active Directory dns FAQ.
>>
>> "Todd B" <tbergman@goisg.com> wrote in message
>> news:O%23HdE%23O2EHA.204@TK2MSFTNGP10.phx.gbl...
>>> Have corrupt 2000 AD no backups mixed mode with NT4 bdc's. Have 2K & XP
>>> clients.
>>> AD is still online might be able to push policy to turn off Kerberos or
>>> something.
>>>
>>> Anyone have a way to rollback to NT4 without having to re-add these
>>> clients to the domain.
>>>
>>> Help...
>>>
>>> Thanks,
>>>
>>> Todd Bergman
>>> System Engineer ISG
>>> mailto:tbergman@goisg.com
>>>
>>
>>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I guess my question to everyone is after a rollback to NT4 PDC. 2K&XP
clients will not authenticate to NT domain controllers. If I promote the
rollback server to 2000 I do not believe there is anyway to get around
rejoining the clients to the domain. The only way to have these clients
authenticate to NT4 bdc's when the domain is upgraded is Q298713 "How to
prevent overloading on the first domain controller during domain upgrade"
however this MS trick does not apply.

Unless anyone else has any ideas I am scripting with the netdom utility to
rejoin clients. Or bring on the gophers to do the manual process.


"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:Dq1sd.505224$D%.185414@attbi_s51...
> OK Todd.
>
> You do not have to worry about kerberos as XP Pro/W2000 computers can
> fallback to lm/ntlm/ntlmv2 authentication if kerberos can not be used.
> This will even happen on an AD domain if you use the IP address of a
> computer instead of it's computer name to access a share. Look in security
> options and you will see the option for "lan manager authentication level"
> which is used to configure downlevel authentication. A NT4.0 domain
> controller can use ntlmv2 as long as least SP4 is installed on the
> computer. Good uck. --- Steve
>
>
> "Todd B" <tbergman@goisg.com> wrote in message
> news:Oc%23Br$T2EHA.3408@tk2msftngp13.phx.gbl...
>> Thank you very much for your response. I am very familiar with the tools.
>> There are corrupt tables in ntds.dit. The customer does not have any
>> valid backups. My one option is rollback. They have all XP&2000 clients
>> so trick is disabling Kerberos and a what ever it is to allow 2k & Xp
>> clients to authenticate to a rollback nt4 pdc.
>>
>> thanks
>> -Todd Bergman
>>
>> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> news:aeUrd.182299$HA.128896@attbi_s01...
>>> This is more of an Active Directory question than Group Policy so I
>>> encourage you to also post in the win2000.Active_directory newsgroup.
>>> Having said it would be helpful if you post why you think your Active
>>> Directory is corrupt including and pertinent info from Event Viewer.
>>> Somebody may be able to help you solve your problem. I would also try to
>>> do a backup of the System State ASAP of your domain controller so that
>>> you have at least something in case things get worse as you try repairs
>>> or a rollback. There are ways to try and repair the ntds.dit file using
>>> ntdsutil.exe that stores active directory which may be something to look
>>> at as shown in the first link below if you believe that is the problem.
>>> The second link shows how to rollback a W2K mixed mode domain to a NT4.0
>>> domain for the purpose of renaming the domain but the procedure may be
>>> what you are looking at also. Dns misconfiguration can also be a cause
>>> of many problems in an Active Directory domain and the support tools
>>> netdiag and dcdiag [for domain controllers only] can be very helpful in
>>> diagnosing problems. Also if you applied any security templates, that
>>> may have included incompatible security changes for your domain
>>> configuration or enabled an ipsec policy on the domain, that can be a
>>> cause of a lot of problems still having downlevel BDC's. The third link
>>> below covers that topic. --- Steve
>>>
>>>
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;315131 --
>>> ntdsutil.exe
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;292541 --
>>> rollback W2K mixed to NT4.0
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --
>>> security setting incompatibilities.
>>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 --
>>> Active Directory dns FAQ.
>>>
>>> "Todd B" <tbergman@goisg.com> wrote in message
>>> news:O%23HdE%23O2EHA.204@TK2MSFTNGP10.phx.gbl...
>>>> Have corrupt 2000 AD no backups mixed mode with NT4 bdc's. Have 2K & XP
>>>> clients.
>>>> AD is still online might be able to push policy to turn off Kerberos or
>>>> something.
>>>>
>>>> Anyone have a way to rollback to NT4 without having to re-add these
>>>> clients to the domain.
>>>>
>>>> Help...
>>>>
>>>> Thanks,
>>>>
>>>> Todd Bergman
>>>> System Engineer ISG
>>>> mailto:tbergman@goisg.com
>>>>
>>>
>>>
>>
>>
>
>